Dec 18, 2009

Adobe's new vulnerability APSA09-07, CVE-2009-4324

Adobe has recently confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.

This vulnerability affects Adobe Reader and Acrobat 9.2 and older. It lies in a specific JavaScript function that is used when a PDF file is read. Exploits have been found in the form of maliciously crafted PDF files.

Exploit behaviour:
==============
The exploit drops and executes a malicious downloader, which then fetches further malware from domains such as foruminspace.com.

Other symptoms include unexpected network connections from Adobe Reader and, in some cases, Adobe Reader crashing or terminating abnormally.

From my observation, major AV vendors such as Symantec, Sophos, McAfee and TrendMicro have specific signatures for this exploit. Not sure if other AV such as Panda or Kaspersky, which do not have a specific signature, can detect this exploit under their generic signatures. I have requested a copy of the malware from a McAfee researcher. Hopefully I can get it to do further analysis.

According to McAfee's findings so far, the malware uses JavaScript obfuscation to hide the actual exploit code inside the malicious PDF.

Sample code showing the malware using an XOR encoder to hide the exploit code (the encoded string is truncated in this excerpt and the value of the key k is not shown):

s1='\x2a\x3d\x3e\x \x31\x \x31\x33\x \x25\x67\x56\x \x35\x3a\x7\x .....';   // XOR-encoded exploit code (truncated here)

s2='';
for (i=0; i< s1.length; i++)
{
    s2=s2+String.fromCharCode(s1.charCodeAt(i) ^ k);   // decode one character with the XOR key k
};

eval(s2);   // run the decoded exploit code
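As an added defender-side example (not code from the original post or from McAfee's analysis), the following Python recognises this hex-literal / fromCharCode-charCodeAt-XOR / eval() decoder pattern in JavaScript extracted from a PDF and, going one step beyond the post, brute-forces a single-byte XOR key so an analyst can read the hidden code. The sample script, its plaintext and the key 0x5A are constructed here, since the post's full string and its key k are not shown; a key wider than one byte is not handled.

```python
import re

# Detection and recovery helpers for the XOR stager pattern shown above:
# hex-escaped string -> fromCharCode(charCodeAt(i) ^ key) loop -> eval().
# All sample data below is constructed for this example.

_PLAIN = b"var a = app.doc; util.printf('%s', a); this.closeDoc();"
_KEY = 0x5A  # constructed key; the post's own `k` is not shown
ENCODED = "".join("\\x%02x" % (b ^ _KEY) for b in _PLAIN)

SAMPLE_JS = (
    "s1='" + ENCODED + "';\n"
    "s2='';\n"
    "for (i=0; i< s1.length; i++) { s2=s2+String.fromCharCode(s1.charCodeAt(i) ^ k); };\n"
    "eval(s2);"
)

# Three features that together characterise this decoder rather than JavaScript in general.
HEX_STR_RE = re.compile(r"'((?:\\x[0-9a-fA-F]{2}){8,})'")                          # long hex-escaped literal
XOR_LOOP_RE = re.compile(r"fromCharCode\s*\(\s*\w+\.charCodeAt\s*\([^)]*\)\s*\^")  # charCodeAt(...) ^ key
EVAL_RE = re.compile(r"\beval\s*\(")

def looks_like_xor_stager(js):
    """True when all three decoder features appear in one script."""
    return bool(HEX_STR_RE.search(js) and XOR_LOOP_RE.search(js) and EVAL_RE.search(js))

def extract_payload(js):
    """Return the hex-escaped literal as raw bytes, or None if there is none."""
    m = HEX_STR_RE.search(js)
    if not m:
        return None
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", m.group(1)))

# Tokens an analyst expects in decoded Acrobat JavaScript; used to rank candidate keys.
_MARKERS = (b"var ", b"function", b"unescape(", b"app.", b"util.", b"this.")

def recover_xor_key(blob):
    """Try all 256 single-byte keys; return (key, plaintext) with the best marker score."""
    best_key, best_score, best_plain = None, -1, b""
    for key in range(256):
        plain = bytes(b ^ key for b in blob)
        score = sum(plain.count(m) for m in _MARKERS)
        if score > best_score:
            best_key, best_score, best_plain = key, score, plain
    return best_key, best_plain

if __name__ == "__main__":
    print("stager pattern:", looks_like_xor_stager(SAMPLE_JS))
    key, plain = recover_xor_key(extract_payload(SAMPLE_JS))
    print("key=0x%02x plaintext=%r" % (key, plain))
```

In practice the JavaScript would first be pulled out of the PDF's object streams (after any FlateDecode) before being handed to these functions.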

Adobe has announced that the patch for this vulnerability will be released next year; in the meantime, users can mitigate the problem by disabling JavaScript in Adobe Reader and Acrobat. Please refer to "Disable javascript in Adobe Acrobat" or the Adobe security bulletin for the steps.