Adobe has released a new version of Adobe Reader on October 5th. It includes the patched module for the Adobe Reader 'CoolType.dll' TTF Font Remote Code Execution Vulnerability (BID: 43057). As Karthik Selvaraj wrote in a previous blog, this vulnerability is already being exploited by malware, which is being detected as Bloodhound.Exploit.357. The total number of detected files is over ten thousand in the past a week.
Symantec also discovered a new PDF malware exploiting this vulnerability. This malwares doesn’t contain a JavaScript buffer but it does contain Flash files and a PDF file.
The Flash files are used as a heap spray to execute viral code. In addition, the heap spray is a JIT spray. This Flash file contains AVM code as looking like a clean file at a glance. The decompiled AVM code is as follows:
0x3c909090 ^ 0x3c909090 ^0x3c909090 ^ …. ^ 0x3c90e7ff ^ 0x3ccccccc
It just calculates double word values with XOR but the code that is transformed by JIT leads to the next malicious shell code.
A more advanced technique is to use a PDF file embedded in a PDF file. The third object contains a stream indicating “application/pdf” as a sub-byte. With “FlateDecode”, this PDF file is compressed by using Zlib/deflates. To identify the PDF exploiting this vulnerability, it should be inflated and parsed by the PDF parser again.
The PDF embedded in a PDF file is always the same one and it is just used to trigger the vulnerability. We detect PDF malware using this technique as Bloodhound.Exploit.357 as well.
Disabling JavaScript on Adobe Reader doesn’t help in avoiding infection from this PDF malware because there is no JavaScript in this PDF malware. The only way of protecting your PC is to keep your antivirus, IPS, and IDS signatures as well as the latest PDF reader application up-to-date.
I will be speaking at the AVAR 2010 conference in Bali that will be held from November 17 - 19, 2010, and will discuss widely-used and more technically-basic malware than I have discribed in this blog.