PDF Malware Authors Persistently Exploit Security Flaw

Malware authors continue to exploit a remote code execution flaw in Adobe's Reader and Acrobat programs, for which the software firm has released patches, crafting malicious PDF files to make their scams succeed, softpedia.com reported on February 23, 2012.

According to security researchers at Symantec, attacks exploiting the vulnerability through Acrobat and Reader are still active, whichever popular operating system runs underneath. The attacks typically use heavily obfuscated JavaScript; if the resulting shellcode is planted on the victim's PC, it tries to download a malicious .exe file from a remote server.

Originally, the attackers would embed the JavaScript in an XFA element within Adobe's Acrobat environment. They would then manipulate a subsidiary form field using the JavaScript, which refers to an embedded element named, say, "qwe123b". When such a malicious PDF sample is loaded into vulnerable PDF reading software, an XFA initialization event is raised and the embedded JavaScript is invoked.

Moreover, the JavaScript builds the malicious TIFF file as well as the shellcode that is sprayed across memory, and triggers the flaw by placing the image file into the raw value of the already defined form element.

When the JavaScript executes, one of the things it does is check which version of the vulnerable software is running on the host PC. It then converts that version number into a very large integer, and builds shellcode and an exploit specifically for that version. After that, the JavaScript sprays the shellcode across the software's memory and goes into action.

Additionally, the shellcode contains an obfuscated URL for downloading an .exe file, while the conversion of the PDF reader's version number confuses anti-virus scanners and malware analysts.

Interestingly, the PDF reader's version number, once converted into a very large integer, is compared against a threshold that stands for one particular version of the software.
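A defender-side triage sketch for the combination described above (an XFA form whose script runs on an initialization event and carries TIFF data), added here as an example; it is not taken from Symantec's analysis or from any existing tool. The marker set, the function names and the inert sample bytes are assumptions constructed for illustration, and the sketch goes slightly beyond the article by also undoing `#xx` escapes in PDF names and inflating FlateDecode streams.

```python
import re
import zlib

NAME_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")  # PDF name escape, e.g. /#58FA
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
# Indicator choice is an assumption of this example, mirroring the article.
XFA_MARKERS = {
    "script": re.compile(rb"<script\b", re.I),
    "initialize_event": re.compile(rb'activity\s*=\s*["\']initialize["\']', re.I),
    "tiff_content": re.compile(rb"image/tiff?", re.I),
}
FULL_CHAIN = {"xfa_form", *XFA_MARKERS}
# Constructed, inert XFA fragment with the shape the article describes.
SAMPLE_XFA = (b'<template><field name="f"><event activity="initialize">'
              b'<script contentType="application/x-javascript">// inert</script>'
              b'</event><value><image contentType="image/tif"/></value></field></template>')

def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes so an obfuscated /#58FA is seen as /XFA."""
    return NAME_HEX.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def stream_bodies(data: bytes):
    """Yield each stream body, inflated when it is zlib (FlateDecode) data."""
    for match in STREAM.finditer(data):
        try:
            # decompressobj ignores the end-of-line left before 'endstream'
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            yield match.group(1)  # uncompressed, or a filter not handled here

def triage_pdf(data: bytes) -> set:
    """Return the names of the indicators present in a PDF byte string."""
    found = set()
    if b"/XFA" in normalize_names(data):
        found.add("xfa_form")
    for body in stream_bodies(data):
        found.update(n for n, rx in XFA_MARKERS.items() if rx.search(body))
    return found

def is_suspicious(data: bytes) -> bool:
    """True only for the full combination: XFA + script on initialize + TIFF."""
    return triage_pdf(data) >= FULL_CHAIN

def build_sample(xfa_xml: bytes, xfa_key: bytes = b"/XFA") -> bytes:
    """Constructed, harmless PDF-like bytes for exercising the checks."""
    body = zlib.compress(xfa_xml)
    return (b"%PDF-1.7\n1 0 obj\n<< /AcroForm << " + xfa_key + b" 2 0 R >> >>\n"
            b"endobj\n2 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + body +
            b"\nendstream\nendobj\n%%EOF\n")
```

A hit is a reason to send the file for sandboxing or manual analysis, not a verdict: legitimate XFA forms can use scripts and images, and content inside object streams or other filters is not inspected by this sketch.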

Related article: PDF flaw gets fixed with Adobe patch

» SPAMfighter News - 29-02-2012
