The past week has been everything but flowers and rainbows for two of the most popular applications out there. While the Firefox exploitation technique has been documented in our previous post, time has come to have a looksee on the bug affecting the latest version of the Adobe Flash application.
The attack scenario is extremely well crafted in order not to draw even the slightest sign of suspicion on the user’s side, and the attackers have gone through great lengths to pull this off.
The first step of the attack makes use of a specially-crafted PDF file bundled as an attachment to a spam message impersonating a press release. In order to make things more appealing and to convince the user that there is no danger in firing up the file, the message mentions an application for the iPhone and iPad devices that will allegedly “make USAJOBS more accessible to the American public”. The mail also claims that more details about the whole thing are available inside the attached PDF file.
Once it gets up and running, the malicious file will perform a series of changes to the system. It also checks which of the three processes (firefox.exe, iexplorer.exe or outlook.exe) it is running in, then it takes the necessary provisions to gain access to the Internet. It also opens a backdoor (identified by BitDefender as Backdoor.Generic.496992), which will allow a remote attacker to seize control over the infected machine.
Silent infection technique:
Since the original, malformed PDF file, called NewsRelease.pdf, crashes, and this might tip the user off that something has gone terribly wrong security-wise, the malicious PDF has a secondary PDF document built in, Matrioshka-style. The BAT script sends a PING request and waits for it to time out, then kills Acrobat.exe and AcroRd32.exe and tries to open the secondary PDF file.
Here’s a short movie of what happens from the time the user opens the infected attachment until the regular PDF file is opened:
If you are running a BitDefender security solution, you don’t need to worry, since it would have intercepted the malformed file as Exploit.PDF-JS.Gen. If you are unsure about the security of your system, then you should download a 40-day evaluation version of BitDefender Total Security 2011 or run a completely free 60-second QuickScan.
Analysis of the exploit courtesy of BitDefender researchers Octavian Minea and Daniel Chipiristeanu.