![]() This combination of stream filters is widely used in exploits to compress the code. These stream filters will indicate to Reader how to decode the streams while opening the document. This is the malicious JavaScript that is encoded twice, first with ASCIIHexDecode and then with FlateDecode. Object 14, as seen above, has the stream link to object 15, which contains the actual compressed JavaScript. Let’s take a look at what is in the referenced object. Object 4 has an /OpenAction reference to object 14, which seems particularly interesting. ![]() Object 1 contains the author, email, and the web–a kind of meta information. Let’s take the deeper look at the object structure of the PDF and find out what is interesting. OpenAction indicates the action to be performed automatically when the document is viewed. JS and /JavaScript indicates that this PDF document contains the JavaScript. ![]() The combination of both of these techniques would make this document suspicious to any researcher. Like many other exploits in the wild, this document uses the techniques of /JavaScript and /OpenAction to launch its malicious JavaScript. Looking at the output, we can immediately make out what this exploit would contain. Here’s what we found as output when we ran the PDFiD tool against this exploit. The technique used in this exploit has been known to researchers for ages. ![]() Using the MD5 algorithm we found a hash value of b025b06549caae5a7c1d23ac1d014892. McAfee researchers analyzed the exploit (the sample circulating in the wild) and figured out how the vulnerability is exploited and identified the malicious binary, which allows an attacker to take the control of the system. Adobe says it will release a patch this week. This flaw is currently being exploited in the wild. This zero-day vulnerability (CVE-2011-2462) could allow an attacker to execute arbitrary code and silently take the control of a victim’s machine. Recently a critical vulnerability has been identified in Adobe Reader X and Adobe Acrobat X Versions 10.1.1 and earlier for Windows and Mac OS, Reader 9.4.6 and Reader 9.x Versions for Unix.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |