Email Security.cloud

PDF Zero-day Targeted Attack Practically Unnoticed due to ‘Here You Have’ Virus 

Sep 17, 2010 09:59 AM

Posted on behalf of Bhaskar Krishnappa, Malware Analyst, Symantec Hosted Services

This month, the security world has witnessed two major threats that occurred around the same time. The first one was the mass mailer worm “Here You Have” (W32.Imsolk.B@mm), and this was well documented in the media, but the other was a lesser-known attack, exploiting a zero-day vulnerability in the PDF file format (CVE-2010-2883). In both events, Symantec Hosted Services protected all of its MessageLabs customers proactively, giving them an upper hand over their would-be attackers.

This post is intended to caution readers about such email threats. On September 9, as the world was learning of the “Here You Have” outbreak, a targeted attack that had actually begun over a week earlier was passing almost unnoticed.

On September 1, 2010 at 7:30 GMT, Symantec Hosted Services proactively identified and stopped a few suspicious PDF attacks containing malicious JavaScript. As can be seen in the chart below, MessageLabs blocked nine copies on September 1, when the attack began, and a further 11 copies at its peak on September 8, a week later, the day the vulnerability was first disclosed publicly.

The PDF file type is not just a portable document format: it can embed complex JavaScript code, which in recent years has made the PDF attachment one of attackers’ favorite weapons. JavaScript and PDF files can be a deadly combination in targeted attacks.

As you can see from the example email shown below, these attacks were wrapped in social engineering and used the following subjects: ‘David Leadbetter's One Point Lesson’, ‘secret trip to China’ and ‘Interview Request.’ All of them carried similar malicious JavaScript embedded in the PDF file.

The malicious JavaScript extracted from the PDFs took an unusual approach: it began by checking the platform and the version of the PDF viewer application with which the file was being opened. It also contained encrypted “shellcode” (a small piece of executable code used as the payload when exploiting a vulnerability), split into three pieces.

The first part of the shellcode was the main one; which of the two additional parts was combined with it depended on the version of the software running on the victim’s machine. If the environment was not favorable for infection, the JavaScript would prompt the victim to update the software by displaying an alert message, as can be seen in the example below.
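The behaviour described above (JavaScript launched from the document that reads the viewer version and platform, shows an alert, and navigates to a page) leaves structural traces a mail gateway or analyst can triage for without executing anything. The following Python is an added example, not code from the original post or from Symantec; it normalizes hex-escaped PDF names (so `/J#61vaScript` counts as `/JavaScript`), extracts `/JS (...)` literal strings while honouring escaped parentheses, and reports which viewer-fingerprinting calls appear. The sample PDF is constructed inline and is not a real malicious file; the indicator and call lists are my own choices.

```python
import re

# Constructed sample (not a real malicious file): a PDF whose OpenAction runs JavaScript that
# fingerprints the viewer and jumps to a page, plus a FontDescriptor pointing at an embedded
# TrueType font stream. The /J#61vaScript name uses a hex escape to exercise name normalization.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /Font << /F1 5 0 R >> >> >> endobj
4 0 obj << /S /J#61vaScript /JS (var v = app.viewerVersion; var p = app.platform; if \\(v < 9.4\\) app.alert\\("Please update your reader"\\); this.pageNum = 2;) >> endobj
5 0 obj << /Type /FontDescriptor /FontName /Sample /FontFile2 6 0 R >> endobj
6 0 obj << /Length 0 >> stream
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Structural indicators counted during triage (my own selection): JavaScript together with an
# embedded TrueType font is the shape of the attack the post describes.
INDICATORS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/FontFile2")

# Viewer-fingerprinting and navigation calls to look for inside the embedded script.
FINGERPRINT_CALLS = ("app.viewerVersion", "app.platform", "app.alert", "this.pageNum")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes inside PDF names so /J#61vaScript counts as /JavaScript."""
    def fix(m):
        body = re.sub(rb"#([0-9A-Fa-f]{2})",
                      lambda h: bytes([int(h.group(1), 16)]), m.group(1))
        return b"/" + body
    return re.sub(rb"/([^\s/<>\[\]()]+)", fix, data)


def extract_js_literals(data: bytes) -> list:
    """Return the contents of every /JS (...) literal string, honouring nested and
    backslash-escaped parentheses. Only quoting escapes are handled: the backslash is
    dropped and the following byte kept, which is sufficient for the sample."""
    scripts = []
    for m in re.finditer(rb"/JS\s*\(", data):
        i, depth, buf = m.end(), 1, bytearray()
        while i < len(data):
            c = data[i]
            if c == 0x5C and i + 1 < len(data):      # backslash escape
                buf.append(data[i + 1])
                i += 2
                continue
            if c == 0x28:                              # nested "("
                depth += 1
            elif c == 0x29:                            # ")"
                depth -= 1
                if depth == 0:
                    break
            buf.append(c)
            i += 1
        scripts.append(buf.decode("latin-1"))
    return scripts


def triage_pdf(data: bytes) -> dict:
    """Count structural indicators and report fingerprinting calls found in embedded JavaScript."""
    norm = normalize_names(data)
    counts = {ind.decode(): len(re.findall(re.escape(ind) + rb"\b", norm)) for ind in INDICATORS}
    scripts = extract_js_literals(norm)
    hits = sorted({call for s in scripts for call in FINGERPRINT_CALLS if call in s})
    suspicious = counts["/JavaScript"] > 0 and counts["/FontFile2"] > 0 and bool(hits)
    return {"indicators": counts, "js": scripts, "fingerprint_hits": hits, "suspicious": suspicious}


if __name__ == "__main__":
    report = triage_pdf(SAMPLE_PDF)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Real documents also carry JavaScript in streams (possibly compressed) and in hex strings, which this literal-string extractor does not decode; the point is that the combination of an auto-run action, viewer fingerprinting and an embedded font is cheap to spot before any rendering happens.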

Analysis of the PDF revealed multiple TrueType Font (TTF) files embedded within it. We checked the font files against the ‘Gaiji SING Glyphlet spec’ and found that the ‘uniqueName’ field in the ‘Smart INdependent Glyphlets’ (SING) table did not follow the standard described in that document, as shown below.
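A defender can turn this observation into a structural check on any embedded TrueType font: walk the sfnt table directory, locate the SING table and confirm that uniqueName is actually NUL-terminated inside its fixed-size field. The Python below is an added example, not code from the original post or from Symantec. The field layout it assumes (eight 16-bit header fields followed by a 28-byte uniqueName) is taken from the SING specification as I recall it and should be checked against the spec before relying on it; the two sample fonts are constructed inline and contain no real glyph data.

```python
import struct

# Field layout assumed from the Gaiji SING Glyphlet spec as I recall it: eight 16-bit header
# fields (tableVersionMajor/Minor, glyphletVersion, permissions, mainGID, unitsPerEm,
# vertAdvance, vertOrigin) precede uniqueName, a 28-byte NUL-terminated string.
SING_UNIQUE_NAME_OFFSET = 16
SING_UNIQUE_NAME_LEN = 28


def parse_table_directory(font: bytes) -> dict:
    """Map each sfnt table tag to (offset, length) from the TrueType table directory."""
    if len(font) < 12:
        raise ValueError("too short for an sfnt header")
    num_tables = struct.unpack(">H", font[4:6])[0]
    tables = {}
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(font):
            raise ValueError("table directory truncated")
        tag, _checksum, offset, length = struct.unpack(">4sIII", font[rec:rec + 16])
        tables[tag.decode("latin-1")] = (offset, length)
    return tables


def check_sing_unique_name(font: bytes) -> dict:
    """Report whether the SING table's uniqueName is a NUL-terminated string within its fixed field."""
    tables = parse_table_directory(font)
    if "SING" not in tables:
        return {"has_sing": False, "suspicious": False, "reason": "no SING table"}
    offset, length = tables["SING"]
    if offset + length > len(font):
        return {"has_sing": True, "suspicious": True, "reason": "SING table runs past end of font"}
    sing = font[offset:offset + length]
    if len(sing) < SING_UNIQUE_NAME_OFFSET + SING_UNIQUE_NAME_LEN:
        return {"has_sing": True, "suspicious": True, "reason": "SING table shorter than its fixed header"}
    name = sing[SING_UNIQUE_NAME_OFFSET:SING_UNIQUE_NAME_OFFSET + SING_UNIQUE_NAME_LEN]
    if b"\x00" not in name:
        return {"has_sing": True, "suspicious": True, "reason": "uniqueName has no NUL terminator within 28 bytes"}
    return {"has_sing": True, "suspicious": False, "reason": "uniqueName well-formed"}


def build_font(tables: dict) -> bytes:
    """Constructed sample builder: assemble a minimal sfnt from {tag: table bytes}. Checksums are
    left at zero, which is enough for the directory parser above."""
    n = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0)
    records, body = b"", b""
    for tag, data in tables.items():
        offset = 12 + 16 * n + len(body)
        records += struct.pack(">4sIII", tag.encode("latin-1"), 0, offset, len(data))
        body += data + b"\x00" * (-len(data) % 4)       # keep tables 4-byte aligned
    return header + records + body


def sing_table(unique_name: bytes) -> bytes:
    """Constructed sample: zeroed 16-byte header, the uniqueName field, a zeroed 16-byte METAMD5
    and a zero nameLength. Real glyphlets carry meaningful values; the checker ignores them."""
    return b"\x00" * 16 + unique_name + b"\x00" * 16 + b"\x00"


def sample_conformant_font() -> bytes:
    return build_font({"SING": sing_table(b"sample.glyphlet".ljust(28, b"\x00")),
                       "cmap": b"\x00" * 4})


def sample_malformed_font() -> bytes:
    # uniqueName filled with 28 non-NUL bytes: the structural defect the post describes.
    return build_font({"SING": sing_table(b"A" * 28), "cmap": b"\x00" * 4})


if __name__ == "__main__":
    for label, font in (("conformant", sample_conformant_font()),
                        ("malformed", sample_malformed_font())):
        print(label, check_sing_unique_name(font))
```

Run this over each FontFile2 stream after decompressing it; a SING table whose uniqueName never terminates is a specification violation regardless of what follows it, so it is a reasonable signal to block or quarantine on without needing to know anything about the payload.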

Depending on the software version, the malicious JavaScript jumps to the page of the document that displays the font containing the exploit for that version, which triggers the vulnerability. This vulnerability was later referred to as the PDF zero-day by many security vendors, and Adobe officially announced it as CVE-2010-2883 with a release date of September 8, 2010. The first malicious emails were blocked by MessageLabs Intelligence on September 1, a week before the CVE release date of September 8.

In summary, this threat combined the attacker’s versatility in scripting with the exploitation of a vulnerability in an embedded TTF file, wrapped in some social engineering.

Comments

Mar 20, 2014 08:04 AM

Recover your PDF file from any corruption of PDF file; PDF file repair tool is the best software, which works on critical corruption of PDF file. Kernel for PDF file repair tool is able to repair PDF file with complete data.

Nov 05, 2010 01:24 PM

I don't know enough about this particular exploit to state authoritatively if it would have served as a reasonable workaround, but my general policy these days is to disable JavaScript in all Acrobat user installations except in very rare cases.

It's really not necessary to have that feature enabled for 99% of what people do with a PDF reader, and turning it off neuters a significant percentage of Adobe Acrobat exploits, at least based on Adobe security advisories I've read over the last couple of years.

Of course, we still need to be on the lookout, as always. Thanks for the detailed analysis.
