Adobe Flash Slammed With Critical Bug

The attack scenario is based on spam mail mentioning an app for iPad and iPhone.

The past week has been everything but flowers and rainbows for two of the most popular applications out there. While the Firefox exploitation technique has been documented in our previous post, time has come to have a looksee on the bug affecting the latest version of the Adobe Flash application.

The attack scenario is extremely well crafted so as not to raise even the slightest suspicion on the user’s side, and the attackers have gone to great lengths to pull this off.

The Scenario:

The first step of the attack makes use of a specially-crafted PDF file bundled as an attachment to a spam message impersonating a press release. In order to make things more appealing and to convince the user that there is no danger in firing up the file, the message mentions an application for the iPhone and iPad devices that will allegedly “make USAJOBS more accessible to the American public”. The mail also claims that more details about the whole thing are available inside the attached PDF file.

Adobe Exploit

As soon as the PDF file is opened, it triggers an exception inside the authplay.dll file shipped with Adobe Reader, an approach that we have seen in the past and documented in this article. More to the point, the attachment contains a malformed SWF object which gets parsed by authplay.dll and triggers the execution of JavaScript that heap-sprays a piece of shellcode. The result is that an infected binary file is decrypted, dropped in the temporary folder under the name nsunday.exe and then executed. Along with the malicious file, the PDF also drops a regular PDF document and a batch script that kicks in later to clean things up.
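A defender triaging such an attachment wants a quick static check for the two ingredients described above: JavaScript inside the document and an embedded SWF object that Reader would hand to authplay.dll. The script below is an added example, not Bitdefender's tooling; it scans raw PDF bytes for script-bearing keys and for stream bodies starting with the Flash signatures (FWS/CWS), inflating FlateDecode streams so a compressed SWF is not missed. The two sample PDFs at the bottom are constructed and carry no exploit, only the structural markers.

```python
"""Static triage of a PDF for embedded JavaScript and an embedded SWF.
Added example, not Bitdefender's tooling.  The sample PDFs below are
constructed for illustration and contain no exploit code."""
import re
import zlib

SWF_MAGICS = (b"FWS", b"CWS")          # uncompressed / zlib-compressed Flash
JS_KEYS = (b"/JavaScript", b"/JS")      # action dictionaries carrying script
# Heuristic stream locator; a full parser would walk the xref table instead.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _stream_bodies(pdf: bytes):
    """Yield every stream body, raw and (where it inflates) decompressed."""
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        yield body
        # Try to inflate regardless of the declared /Filter: a mislabelled
        # or missing filter is a cheap way to hide content from naive scans.
        try:
            yield zlib.decompress(body)
        except zlib.error:
            pass


def triage_pdf(pdf: bytes) -> dict:
    """Return the indicators found plus a coarse verdict (low/medium/high)."""
    bodies = list(_stream_bodies(pdf))
    haystacks = [pdf] + bodies
    found = {
        "javascript": any(k in h for h in haystacks for k in JS_KEYS),
        "openaction": b"/OpenAction" in pdf,      # runs something on open
        "richmedia": b"/RichMedia" in pdf,        # Flash annotation container
        "embedded_swf": any(b.lstrip().startswith(SWF_MAGICS) for b in bodies),
    }
    if found["embedded_swf"] and found["javascript"]:
        found["verdict"] = "high"     # Flash object plus script, as in the post
    elif found["embedded_swf"] or found["javascript"]:
        found["verdict"] = "medium"
    else:
        found["verdict"] = "low"
    return found


# ---- constructed samples (minimal PDF skeletons, not real documents) ----
def _pdf(objects) -> bytes:
    out = b"%PDF-1.7\n"
    for i, obj in enumerate(objects, start=1):
        out += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def _stream_obj(extra: bytes, raw: bytes, compress: bool) -> bytes:
    data = zlib.compress(raw) if compress else raw
    filt = b" /Filter /FlateDecode" if compress else b""
    return (b"<< /Length %d%s %s >>\nstream\n" % (len(data), filt, extra)
            + data + b"\nendstream")


BENIGN_PDF = _pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Count 0 /Kids [] >>",
    _stream_obj(b"", b"BT /F1 12 Tf (Press release) Tj ET", compress=False),
])

SUSPICIOUS_PDF = _pdf([
    b"<< /Type /Catalog /OpenAction 3 0 R /Pages 2 0 R >>",
    b"<< /Type /Pages /Count 0 /Kids [] >>",
    b"<< /S /JavaScript /JS (app.alert('constructed stub')) >>",
    # stub SWF header hidden inside a FlateDecode stream (constructed)
    _stream_obj(b"/Type /EmbeddedFile", b"FWS\x0a" + b"\x00" * 16, compress=True),
])

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage_pdf(doc))
```

The verdict is deliberately coarse: a PDF with both markers is not proof of exploitation, but it is exactly the shape of file that deserves detonation in a sandbox rather than a click.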

Once it is up and running, the malicious file performs a series of changes to the system. It also checks which of three processes (firefox.exe, iexplorer.exe or outlook.exe) it is running in, then takes the necessary steps to gain access to the Internet. It also opens a backdoor (identified by BitDefender as Backdoor.Generic.496992), which allows a remote attacker to seize control over the infected machine.

Silent infection technique:

Since the original, malformed PDF file called NewsRelease.pdf crashes, and this might tip the user off that something has gone terribly wrong security-wise, the malicious PDF has a secondary PDF document built in Matryoshka-style. The BAT script sends a PING request and waits for it to time out, then kills Acrobat.exe and AcroRd32.exe and tries to open the secondary PDF file.
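That clean-up sequence leaves a distinctive trace in process-creation telemetry: a batch file launched under the PDF reader, and the reader being killed from inside its own process tree before a second copy opens the decoy. The following detector is an added example, not Bitdefender's logic. It assumes a simple line format (`timestamp pid=… ppid=… image="…" cmd="…"`) that I made up for illustration; the log lines are constructed, and the batch file path is a placeholder.

```python
"""Behavioural detection for the clean-up chain described above.
Added example, not Bitdefender's detection logic.  The log format and
every line in the samples are constructed for illustration."""
import re
from pathlib import PureWindowsPath

LINE_RE = re.compile(r'^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) '
                     r'image="(?P<image>[^"]+)" cmd="(?P<cmd>[^"]*)"$')
READER_IMAGES = {"acrord32.exe", "acrobat.exe"}


def parse(lines):
    """Map pid -> record; lines in another format are skipped."""
    procs = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["name"] = PureWindowsPath(rec["image"]).name.lower()
        procs[int(rec["pid"])] = rec
    return procs


def ancestors(procs, pid):
    """Walk the parent chain; stops on unknown pids or cycles (pid reuse)."""
    seen = set()
    ppid = int(procs[pid]["ppid"])
    while ppid in procs and ppid not in seen:
        seen.add(ppid)
        yield procs[ppid]
        ppid = int(procs[ppid]["ppid"])


def detect(lines):
    """Return one alert per matching process, in log order."""
    procs = parse(lines)
    alerts = []
    for pid, rec in procs.items():
        cmd = rec["cmd"].lower()
        parent = procs.get(int(rec["ppid"]))
        # Rule 1: the PDF reader launching a shell that runs a batch file
        if (rec["name"] == "cmd.exe" and ".bat" in cmd
                and parent is not None and parent["name"] in READER_IMAGES):
            alerts.append({"rule": "reader_spawns_batch", "pid": pid})
        # Rule 2: taskkill aimed at the reader, issued from the reader's own tree
        if (rec["name"] == "taskkill.exe"
                and any(r in cmd for r in READER_IMAGES)
                and any(a["name"] in READER_IMAGES for a in ancestors(procs, pid))):
            alerts.append({"rule": "reader_killed_by_descendant", "pid": pid})
    return alerts


# constructed sample: the chain from the post (paths/names are placeholders)
SUSPICIOUS_LOG = [
    r'2010-11-01T10:00:00 pid=800 ppid=1 image="C:\Windows\explorer.exe" cmd="explorer.exe"',
    r'2010-11-01T10:00:02 pid=1200 ppid=800 image="C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe" cmd="AcroRd32.exe NewsRelease.pdf"',
    r'2010-11-01T10:00:05 pid=1300 ppid=1200 image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c C:\PLACEHOLDER_TEMP\cleanup.bat"',
    r'2010-11-01T10:00:05 pid=1310 ppid=1300 image="C:\Windows\System32\PING.EXE" cmd="ping 127.0.0.1"',
    r'2010-11-01T10:00:09 pid=1320 ppid=1300 image="C:\Windows\System32\taskkill.exe" cmd="taskkill /F /IM AcroRd32.exe"',
    r'2010-11-01T10:00:10 pid=1330 ppid=1300 image="C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe" cmd="AcroRd32.exe decoy.pdf"',
]

# constructed sample: ordinary activity that must not alert
BENIGN_LOG = [
    r'2010-11-01T11:00:00 pid=800 ppid=1 image="C:\Windows\explorer.exe" cmd="explorer.exe"',
    r'2010-11-01T11:00:02 pid=900 ppid=800 image="C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe" cmd="AcroRd32.exe report.pdf"',
    r'2010-11-01T11:00:05 pid=910 ppid=800 image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c C:\Scripts\backup.bat"',
    r'2010-11-01T11:00:09 pid=920 ppid=800 image="C:\Windows\System32\taskkill.exe" cmd="taskkill /IM notepad.exe"',
]

if __name__ == "__main__":
    print("suspicious:", detect(SUSPICIOUS_LOG))
    print("benign:", detect(BENIGN_LOG))
```

Rule 2 is the stronger signal: users and administrators do kill hung readers, but they do so from a console or task manager, never from a child of the reader that is being killed. Rule 1 alone will catch some legitimate print or conversion helpers, so it is best treated as corroborating evidence.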

Here’s a short movie of what happens from the time the user opens the infected attachment until the regular PDF file is opened:

If you are running a BitDefender security solution, you don’t have to worry, since it would have intercepted the malformed file as Exploit.PDF-JS.Gen. If you are unsure about the security of your system, you should download a 40-day evaluation version of BitDefender Total Security 2011 or run a completely free 60-second QuickScan.

Analysis of the exploit courtesy of BitDefender researchers Octavian Minea and Daniel Chipiristeanu.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.