We keep seeing new waves of PDF file-based attacks that exploit the Adobe Acrobat and Reader CVE-2010-0188 Remote Code Execution Vulnerability (BID 38195) that exists in certain unpatched versions of a popular PDF reading application. All these attacks were stopped by Symantec’s Skeptic™ technology.
A typical example of such an exploited PDF sample contains highly obfuscated JavaScript, as shown in figure 1.
Figure 1: Portion of obfuscated JavaScript
The JavaScript was embedded in an XFA object (object 8 in the above figure) in an Acrobat Form. The JavaScript manipulated a subform field by using a reference to an embedded element, “qwe123b” in the example. When such an exploited PDF sample is loaded into the vulnerable PDF reading application, the XFA initialize activity is triggered and the embedded JavaScript will be called. After manually de-obfuscating it, we were able to extract the hidden JavaScript (figure 2).
Figure 2: Portion of extracted hidden obfuscated JavaScript
Further analysis shows that the JavaScript actually exploits a known vulnerability - Adobe Acrobat and Reader CVE-2010-0188 Remote Code Execution Vulnerability (BID 38195) - where an invalid value in a tagged image file format (TIFF) image generated by the JavaScript corrupts the TIFF parser (LibTIFF) in certain unpatched versions of a popular PDF reading application.
Similar to the findings presented in one of our previous blogs, the JavaScript does a few things:
- Determines the current version of the PDF reading application and constructs the correct exploited TIFF file and shellcode.
- Sprays the shellcode into memory.
- Assigns the exploited TIFF image to the "rawValue" of the pre-defined form element to trigger the vulnerability when the image gets displayed.
It is interesting to note that the version of the PDF reading application being exploited is converted to a huge integer and compared to a certain threshold that represents one of the application versions. This is probably designed by the malware writer to confuse malware analysts and/or antivirus (AV) scanners. In this instance, we also notice that the generated TIFF images and shellcode remain the same regardless of the PDF reading application version.
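The chain described above (JavaScript embedded in an XFA template, fired by the form's initialize event, writing image data into a field's rawValue) lends itself to a static triage check. The following scanner is an added example, not Symantec's Skeptic code; the sample PDF it inspects is constructed and inert, and the `unescape` and `viewerVersion` indicators are assumptions about how the heap spray and version test typically appear, not strings quoted from the sample.

```python
import re
import zlib

# Indicators taken from the analysis above: XFA JavaScript on the initialize event
# assigning to a field's rawValue. unescape()/viewerVersion are assumptions about how
# the heap spray and version check are usually written, not quotes from the sample.
INDICATORS = {
    "xfa_javascript": re.compile(rb'<script[^>]*contentType="application/x-javascript"', re.I),
    "initialize_event": re.compile(rb'<event[^>]*activity="initialize"', re.I),
    "rawvalue_assignment": re.compile(rb'\.rawValue\s*=[^=]'),
    "heap_spray_unescape": re.compile(rb'\bunescape\s*\('),
    "version_check": re.compile(rb'viewerVersion'),
}
STREAM_RE = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.S)
XFA_KEY_RE = re.compile(rb'/XFA\b')


def extract_streams(pdf: bytes):
    """Yield every stream body, inflating FlateDecode streams where possible."""
    for body in STREAM_RE.findall(pdf):
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body  # uncompressed or unknown filter: inspect as-is


def scan_pdf(pdf: bytes) -> dict:
    """Return {indicator_name: hit_count} over the raw file plus all inflated streams."""
    views = [pdf] + list(extract_streams(pdf))
    hits = {name: sum(len(rx.findall(v)) for v in views) for name, rx in INDICATORS.items()}
    hits["xfa_dictionary_key"] = sum(len(XFA_KEY_RE.findall(v)) for v in views)
    return hits


def is_suspicious(pdf: bytes) -> bool:
    """Flag XFA-scripted forms that both run on initialize and write to rawValue."""
    h = scan_pdf(pdf)
    return h["xfa_javascript"] > 0 and h["initialize_event"] > 0 and h["rawvalue_assignment"] > 0


# Constructed, inert sample mimicking the structure described above (no exploit code).
_XFA_XML = (b'<template><subform name="form1"><field name="qwe123b"/>'
            b'<event activity="initialize"><script contentType="application/x-javascript">'
            b'var v = app.viewerVersion; var img = unescape("PLACEHOLDER");'
            b'xfa.resolveNode("qwe123b").rawValue = img;</script></event></subform></template>')
_STREAM = zlib.compress(_XFA_XML)
SAMPLE_PDF = (b'%PDF-1.6\n8 0 obj\n<< /Length ' + str(len(_STREAM)).encode()
              + b' /Filter /FlateDecode >>\nstream\n' + _STREAM + b'\nendstream\nendobj\n'
              b'9 0 obj\n<< /XFA 8 0 R >>\nendobj\n%%EOF\n')
```

Run `scan_pdf(SAMPLE_PDF)` to see per-indicator counts; in triage, a hit on all three core indicators is a strong reason to detonate the file in a sandbox rather than open it.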
A portion of the extracted hexadecimal encoded shellcode is shown in figure 3.
Figure 3: Portion of the extracted hexadecimal encoded shellcode
When examining it further, it shows that there is a URL at the end of the file (figure 4).
Figure 4: Malicious executable file link in shellcode
It clearly shows that a malicious executable file will be downloaded once the shellcode gets executed successfully. Unfortunately, the malicious file link only existed for a very short time and we have been unable to retrieve the actual executable sample as yet.
Symantec.Cloud has protected our customers from all such attacks. Our analysis reveals that Skeptic™ has successfully blocked over ten thousand PDF files with such exploits in the past two weeks (figure 5). It clearly shows that the attacks were carried out in several main waves spread over the period detailed in the figure. The most aggressive attack was launched on the 16th of February, which saw over 3,000 hits in one run, followed by the attack stopped on the 6th of the same month.
Figure 5: PDF attacks through emails stopped by Symantec.Cloud over a period of two weeks