New Zero-Day Attack against Adobe

A bug in the authplay.dll file shipped with Adobe Reader and Acrobat 9.x leads to remote code execution

The BitDefender Antimalware labs have just performed an emergency update to add detection for a zero-day exploit attack affecting the Adobe Reader, Acrobat and Flash Player applications. Just like the previous Adobe exploits we have written about in the past, the attack vector is a malformed PDF file that contains both a specially crafted JavaScript and an embedded .SWF file. Labeled as CVE-2010-1297, the vulnerability is currently being exploited in the wild.

Once the file is opened, the JavaScript decrypts a shellcode and heap-sprays it. If the PDF file is opened within a browser (the most common scenario, with links displayed on compromised web pages and forums, or sent via e-mail or instant messaging), the embedded SWF file forces the heap-sprayed shellcode to be executed. Upon successful execution, the shellcode decrypts and drops a binary file under the name c:-.exe.
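As an added example (not BitDefender's detection logic and not code from the original post), the following triage heuristic flags PDF files carrying the combination described above: a JavaScript action together with an embedded SWF, plus the unescape("%u...") string pattern typical of heap-spray code. The scan_pdf function and the two sample PDFs are constructed here for illustration; a real scanner would also decode object streams and other filters.

```python
import re
import zlib

# Constructed sample (not a real exploit): a minimal PDF carrying a
# /JavaScript action, a heap-spray-style unescape string, and an embedded
# SWF stream (SWF files start with "FWS" or, compressed, "CWS").
SAMPLE_SUSPICIOUS = b"""%PDF-1.6
1 0 obj << /Type /Catalog /OpenAction 2 0 R /Pages 3 0 R >> endobj
2 0 obj << /S /JavaScript /JS (var s = unescape("%u9090%u9090");) >> endobj
4 0 obj << /Type /EmbeddedFile /Subtype /application#2Fx-shockwave-flash >>
stream
FWS\x0a\x00\x00\x00\x00
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF"""

# Constructed benign sample: no script, no embedded Flash content.
SAMPLE_BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

JS_KEYS = (b"/JavaScript", b"/JS")
SWF_MARKERS = (b"FWS", b"CWS", b"/RichMedia", b"x-shockwave-flash")
# unescape("%uXXXX%u...") is the usual way heap-spray code builds its payload string
SPRAY_RE = re.compile(rb"unescape\s*\(\s*[\"']%u[0-9a-fA-F]{4}%u")


def _inflate_streams(data: bytes) -> bytes:
    """Return the raw bytes plus every FlateDecode stream that decompresses,
    so keys hidden inside compressed objects are visible to the checks."""
    parts = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not compressed (or not Flate); the raw bytes are already included
    return b"\n".join(parts)


def scan_pdf(data: bytes) -> dict:
    """Heuristic triage: which CVE-2010-1297-style indicators does this PDF carry?"""
    text = _inflate_streams(data)
    findings = {
        "javascript": any(k in text for k in JS_KEYS),
        "embedded_swf": any(m in text for m in SWF_MARKERS),
        "heap_spray_pattern": bool(SPRAY_RE.search(text)),
    }
    # The attack described needs both the script and the Flash object.
    findings["suspicious"] = findings["javascript"] and findings["embedded_swf"]
    return findings
```

The "FWS"/"CWS" byte check alone will false-positive on arbitrary binary content, which is why the verdict requires the JavaScript indicator as well.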

Here’s a short movie to demonstrate the attack.

The dropped malicious file subsequently triggers the download of an infected file from remote locations (the samples analyzed by BitDefender attempt to connect to http://210.[removed].214/img/ and download a file called xslu.exe). A secondary DLL is also dropped in the %windows%system32 folder (overwriting a system file) and injected into an instance of SVCHOST.EXE. Once in place, the DLL acts as a backdoor and starts sending critical information about the infected system to a remote server.

The information includes the local IP address, the DHCP server (if enabled), the subnet mask and the default gateway, as well as the CPU type and its frequency. Some OS details are also collected, such as the user information and administrators group, the last update patches, network resources, installed applications, installed services and browser information.

Please note that Adobe labeled the vulnerability as critical and it affects the following applications:

  • Adobe Flash Player and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
  • Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems (because of the authplay.dll sub-component shipped with both applications).

As of the moment of writing, there is no vendor patch to mitigate the attack. In order to stay safe, we advise users to install and update a complete antimalware solution and to exercise extra caution when opening PDF files that arrive either as attachments or as web links in mail and IM messages.

BitDefender currently identifies the threats with multiple detections, as follows: Exploit.SWF.J (for the PDF file with a malicious SWF component), Exploit.JS.PDFJSC.1 (for the JavaScript), Trojan.Downloader.JNDN (for the downloaded binary file) and Backdoor.Agent.AAQJ (for the dropped backdoor component).

About the author
Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.