Adobe PDF exploits using signed certificates, bypasses ASLR/DEP

Summary: The zero-day attacks against Adobe PDF Reader/Acrobat include the use of clever techniques to bypass anti-exploit roadblocks in Microsoft's newest operating systems and a signed digital certificate belonging to a U.S. credit union.


The attacks, which use booby-trapped PDF documents to exploit an unpatched vulnerability in Adobe Reader/Acrobat, first appeared as an e-mail attachment titled "Golf Clinic.pdf" that promises golf tips from instructor David Leadbetter.

If the target opens the document, the PDF file crashes and immediately opens a decoy file with the same name (in lower case), which is dropped in the user's Application Data folder, according to Contagio Malware Dump, a site that tracks malicious spam and web activity.

A downloader file dropped in the user's %tmp% directory then downloads winhelp32.exe, which creates a connection to academyhouse.us.
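The dropped decoy, the %tmp% downloader, the winhelp32.exe second stage and the connection to academyhouse.us described above form a chain a defender can look for in endpoint and proxy telemetry. The following is an added example, not code from this article or from Contagio or Kaspersky: it scans constructed log lines (the log format here is invented for the example) for the indicators the article names, and only reports a host once at least two distinct stages of the chain have been seen, so that a lone executable in a Temp folder does not fire on its own.

```python
import re
from collections import defaultdict

# Indicators named in the article: decoy file name (lower case), the
# second-stage binary and the host it connects to.
LURE_NAME = "golf clinic.pdf"
SECOND_STAGE = "winhelp32.exe"
NETWORK_HOST = "academyhouse.us"

# Constructed log format (an assumption for this example, not a real product's):
#   <timestamp> host=<name> event=<file_create|proc_start|net_connect> key="value" ...
LOG_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(KV_RE.findall(rec.pop("rest")))
    return rec


def classify(rec):
    """Return which stage of the described chain a record matches, or None."""
    event = rec["event"]
    if event == "file_create":
        path = rec.get("path", "").lower()
        # Decoy PDF with the lower-case name written under Application Data.
        if path.endswith(LURE_NAME) and "application data" in path:
            return "decoy_dropped"
        # Downloader dropped in the user's temp directory (weak on its own).
        if "\\temp\\" in path and path.endswith(".exe"):
            return "tmp_dropper"
    if event == "proc_start" and rec.get("image", "").lower().endswith(SECOND_STAGE):
        return "second_stage"
    if event == "net_connect" and rec.get("dest", "").lower() == NETWORK_HOST:
        return "c2_connect"
    return None


def find_infected_hosts(lines, min_stages=2):
    """Map host -> sorted list of observed stages, for hosts with >= min_stages."""
    stages = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify(rec)
        if stage:
            stages[rec["host"]].add(stage)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}


# Constructed sample telemetry: ws-17 shows the full chain, ws-22 only has an
# unrelated installer in its Temp folder and a benign outbound connection.
SAMPLE_LOGS = [
    '2010-01-01T10:02:11Z host=ws-17 event=file_create path="C:\\Documents and Settings\\jdoe\\Application Data\\golf clinic.pdf"',
    '2010-01-01T10:02:12Z host=ws-17 event=file_create path="C:\\Documents and Settings\\jdoe\\Local Settings\\Temp\\a.exe"',
    '2010-01-01T10:02:15Z host=ws-17 event=proc_start image="C:\\Documents and Settings\\jdoe\\Local Settings\\Temp\\winhelp32.exe"',
    '2010-01-01T10:02:16Z host=ws-17 event=net_connect dest="academyhouse.us" port="80"',
    '2010-01-01T10:05:00Z host=ws-22 event=file_create path="C:\\Users\\asmith\\AppData\\Local\\Temp\\setup.exe"',
    '2010-01-01T10:06:00Z host=ws-22 event=net_connect dest="update.example.com" port="443"',
]

if __name__ == "__main__":
    for host, seen in find_infected_hosts(SAMPLE_LOGS).items():
        print(host, "->", ", ".join(seen))
```

The two-stage threshold is the design choice worth keeping: a file name or a temp-directory executable alone is low-confidence, but a decoy drop followed by the named second stage or the outbound connection to the article's host is a strong signal for that particular host.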

According to Roel Schouwenberg, a senior virus researcher at Kaspersky Lab (important disclosure) , the exploit uses the ROP (return oriented programming) technique to bypass the ASLR and DEP mitigation technologies in Windows Vista and 7.

Dino Dai Zovi, a researcher who has publicly discussed details of return-oriented programming and the ways in which it can be used to exploit vulnerabilities, described the PDF attack as "pretty impressive" because of the complex techniques used to bypass Windows defenses.

Kaspersky's Schouwenberg also discovered that the malware attack drops a file that is digitally signed with a valid signature from Vantage Credit Union, a US-based Credit Union.

Schouwenberg writes:

This means that the cybercriminals must have got their hands on the private certificate. Remind you of anything? If you say Stuxnet (where compromised Realtek and JMicron certificates were used to sign files) then we're clearly thinking on the same lines.

It'll be interesting to see if Stuxnet has started a trend or if these cases are just a flukey coincidence. I suspect they're not - I think the use of valid, stolen certificates to sign malware will really take off in 2011.

Adobe has released an alert confirming the vulnerability and the active attacks, and notes that there is no pre-patch mitigation guidance to thwart these attacks.

End users worried about falling victim to these attacks should consider using an alternative software product to view PDF files.


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
