Client-side exploitation continues to be a popular attack vector. Another zero-day attack has targeted Adobe Acrobat Reader to infiltrate customer networks. The exploit, unpatched at the time of writing, leads to code execution as soon as a victim opens a malicious PDF document.
Loading the unescaped shellcode into a disassembler shows that it is only stage one of a two-stage attack. Stage one locates the open file handle of the malicious PDF and scans the file for a particular marker (an "egg" in exploit-writer jargon). The egg (0x0A666F65 in this sample) is immediately followed by the stage-two shellcode, to which execution then branches.
The screenshot below shows the egg embedded in the PDF, followed by x86 machine code: the start of stage two. Stage two adds another obfuscation layer, a routine that XOR-decodes the remaining bytes and, surprise, surprise, unveils an embedded executable!
The hidden executable, which becomes visible in a hex editor only after applying the same XOR decoding, is written to disk and launched by the shellcode. Each layer (the escaped shellcode, the egg hunt and the XOR encoding) is a step the attacker has taken to evade detection.
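The analysis steps above (egg hunt, XOR layer, carve the embedded executable) can be reproduced offline with a small tool. The following C program is an added example written for this page, not McAfee's code and not the sample's real shellcode. It embeds a constructed PDF-like buffer containing the egg 0x0A666F65 (as stage one compares it as an x86 little-endian dword, the bytes that actually sit in the file are 65 6F 66 0A), a six-byte stage-two stub, and an MZ header XOR-encoded with an assumed single-byte key 0x5A; the real sample's key and stage-two length are not given in the post, so the example brute-forces the key by assuming the decoded payload starts with "MZ".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Egg constant from the write-up. Stage one compares it as an x86 (little-endian)
 * dword, so the bytes that actually sit in the PDF are 65 6F 66 0A ("eof\n"). */
#define EGG 0x0A666F65u

/* Single-byte XOR key used to build the constructed sample below. The real
 * sample's key is not given in the post; this value is an assumption. */
#define SAMPLE_XOR_KEY 0x5Au

/* Constructed sample: a PDF-looking prefix, the egg, a stage-two stub and an
 * XOR-encoded MZ header. None of these bytes come from the real exploit. */
static const char SAMPLE_HEADER[] = "%PDF-1.4\n1 0 obj\n<< /Length 64 >>\nstream\n";
static const uint8_t SAMPLE_STAGE2[] = { 0x31, 0xC9, 0x64, 0x8B, 0x41, 0x30 }; /* xor ecx,ecx ; mov eax,fs:[ecx+0x30] */
static const uint8_t SAMPLE_EXE_PLAIN[] = { 'M', 'Z', 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00 };

/* Egg hunt: scan buf for the little-endian byte pattern of egg and return the
 * offset of the first byte after it (where stage two starts), or -1. */
long find_egg(const uint8_t *buf, size_t len, uint32_t egg)
{
    uint8_t pat[4];
    for (int i = 0; i < 4; i++)
        pat[i] = (uint8_t)(egg >> (8 * i));
    for (size_t i = 0; len >= 4 && i + 4 <= len; i++)
        if (memcmp(buf + i, pat, 4) == 0)
            return (long)(i + 4);
    return -1;
}

/* Brute-force a single-byte XOR key by assuming the decoded payload starts
 * with the "MZ" DOS header. Returns the key, or -1 if no key produces it. */
int recover_xor_key(const uint8_t *enc, size_t len)
{
    if (len < 2) return -1;
    for (int k = 0; k < 256; k++)
        if ((enc[0] ^ k) == 'M' && (enc[1] ^ k) == 'Z')
            return k;
    return -1;
}

/* Decode buf[start..len) in place with key and return the offset of the
 * first "MZ" header found in the decoded region, or -1. */
long carve_embedded_exe(uint8_t *buf, size_t len, size_t start, uint8_t key)
{
    for (size_t i = start; i < len; i++)
        buf[i] ^= key;
    for (size_t i = start; i + 2 <= len; i++)
        if (buf[i] == 'M' && buf[i + 1] == 'Z')
            return (long)i;
    return -1;
}

/* Assemble the constructed sample into out; returns its length (0 if cap is too small). */
size_t build_sample(uint8_t *out, size_t cap)
{
    size_t hdr = sizeof(SAMPLE_HEADER) - 1;
    size_t need = hdr + 4 + sizeof(SAMPLE_STAGE2) + sizeof(SAMPLE_EXE_PLAIN);
    if (cap < need) return 0;
    uint8_t *p = out;
    memcpy(p, SAMPLE_HEADER, hdr);
    p += hdr;
    for (int i = 0; i < 4; i++)
        *p++ = (uint8_t)(EGG >> (8 * i));
    memcpy(p, SAMPLE_STAGE2, sizeof(SAMPLE_STAGE2));
    p += sizeof(SAMPLE_STAGE2);
    for (size_t i = 0; i < sizeof(SAMPLE_EXE_PLAIN); i++)
        *p++ = SAMPLE_EXE_PLAIN[i] ^ SAMPLE_XOR_KEY;
    return (size_t)(p - out);
}

/* Run the full chain on the sample: egg hunt, key recovery, XOR decode, carve.
 * Returns 0 and fills the offsets/key on success, a negative code otherwise. */
int run_sample(long *stage2_off, long *exe_off, int *key)
{
    uint8_t buf[256];
    size_t n = build_sample(buf, sizeof(buf));
    long s2 = find_egg(buf, n, EGG);
    if (n == 0 || s2 < 0) return -1;
    /* Where the encoded blob starts is read off the stage-two disassembly in a
     * real analysis; for the sample it is simply the end of the stub. */
    size_t enc = (size_t)s2 + sizeof(SAMPLE_STAGE2);
    int k = recover_xor_key(buf + enc, n - enc);
    if (k < 0) return -2;
    long exe = carve_embedded_exe(buf, n, enc, (uint8_t)k);
    if (exe < 0) return -3;
    *stage2_off = s2;
    *exe_off = exe;
    *key = k;
    return 0;
}

int main(void)
{
    long s2, exe;
    int key;
    if (run_sample(&s2, &exe, &key) != 0) {
        puts("no egg or embedded executable found");
        return 1;
    }
    printf("stage two at offset %ld, XOR key 0x%02X, MZ header at offset %ld\n", s2, key, exe);
    return 0;
}
```

To point the same logic at a real file, replace build_sample with a read of the PDF into a buffer and take the stage-two length from the disassembly; the "MZ" assumption in recover_xor_key is a heuristic that only works for a single-byte key and a payload that really is a DOS/PE executable, so a miss there means the encoding is something else, not that no payload exists.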
McAfee Gateway Anti-Malware detected and blocked this threat proactively (“BehavesLike.PDF.Suspicious” and the embedded executable as “BehavesLike.Win32.Rootkit.H”). McAfee Artemis and the 5766 DATs block it, as well.
<<<<<<<<<< Update, late October 13, 2009 >>>>>>>>>>
Adobe has released a patch that remediates the above issue. Full details available here.