Adobe PDF exploits using signed certificates, bypasses ASLR/DEP

The zero-day attacks against Adobe PDF Reader/Acrobat include the use of clever techniques to bypass anti-exploit roadblocks in Microsoft's newest operating systems and a signed digital certificate belonging to a U.S. credit union.

The attacks, which use booby-trapped PDF documents to exploit an unpatched vulnerability in Adobe Reader/Acrobat, first appeared as an e-mail attachment titled "Golf Clinic.pdf" that promises golf tips from instructor David Leadbetter.

If the target opens the document, the PDF file crashes before immediately opening a decoy file with the same name (in lower case), which gets dropped in the user profile's Application Data, according to Contagio Malware Dump, a site that tracks malicious spam and web activity.

A downloader file that gets dropped in the user's %tmp% directory downloads winhelp32.exe, which creates a connection to academyhouse.us.

According to Roel Schouwenberg, a senior virus researcher at Kaspersky Lab (important disclosure), the exploit uses the ROP (return-oriented programming) technique to bypass the ASLR and DEP mitigation technologies in Windows Vista and 7.

Dino Dai Zovi, a researcher who has publicly discussed details of return-oriented programming and the ways in which it can be used to exploit vulnerabilities, described the PDF attack as "pretty impressive" because of the complex techniques used to bypass Windows defenses.

Kaspersky's Schouwenberg also discovered that the malware attack drops a file that is digitally signed with a valid signature from Vantage Credit Union, a US-based Credit Union.

Schouwenberg writes:

This means that the cybercriminals must have got their hands on the private certificate. Remind you of anything? If you say Stuxnet (where compromised Realtek and JMicron certificates were used to sign files) then we're clearly thinking on the same lines.

It'll be interesting to see if Stuxnet has started a trend or if these cases are just a flukey coincidence. I suspect they're not - I think the use of valid, stolen certificates to sign malware will really take off in 2011.

Adobe has released an alert to confirm the vulnerability and active attacks and notes that there is no pre-patch mitigation guidance to thwart these attacks.

End users worried about falling victim to these attacks should consider using an alternative software product to view PDF files.
