Analysis of the Encrypted PDF samples
In this post I use one of the encrypted samples of the CVE-2011-2462 exploit (the U3D memory-corruption bug in Adobe Reader and Acrobat). After coming back from vacation I took a quick look at the new samples shared on the contagio blog to understand how CVE-2011-2462 is being exploited. Since many good articles and blog posts have already been written on this vulnerability, I will keep this post short.
Unaware of the latest developments around the first exploit for this vulnerability, I opened the sample in vi to take a quick look at its structure, and that is when I realized this is not a vanilla PDF exploit sample.
After going through some of the strings in the document, my eyes were drawn to the following one:
/AuthEvent /DocOpen
This entry lives in a crypt filter dictionary (/CF) inside the document's /Encrypt dictionary and means the filter's key is established when the document is opened, i.e. the document content itself is encrypted, not merely an embedded file. After reading up on the encryption modes supported by Adobe Acrobat 9.0, I learned that it introduced a new AES crypt filter, AESV3 (Extension Level 3, /V 5 /R 5), which encrypts with AES-256, that is a 256-bit (32-byte) key. Two practical notes: a PDF whose user password is empty opens in Reader without any prompt, so encrypting the sample costs the attacker nothing while hiding its JavaScript and U3D content from tools that scan the file at rest; and the Acrobat 9 scheme hashes the password with a single, un-iterated SHA-256, which is why it was later replaced by the hardened revision 6 hash of Extension Level 8 / ISO 32000-2.
To proceed with the analysis we need to decrypt the sample, which I did with pdfdecrypt. The tool supports RC4 (40 to 128 bits), AES-128 and AES-256, so it is perfectly suited to our purpose.
After decryption the file shrank from 1.2 MB to 20 KB. Below is the pdfid output for the decrypted sample.
Opening the decrypted file in vi showed multiple objects compressed with FlateDecode, so I uncompressed them with my favourite tool, pdftk. After decompression the file grew to 32 KB. Below is a comparison of the pdfid output for the decrypted and the decompressed PDF. Both have only 2 pages, yet the tool clearly identifies 3 JavaScript sections, so let's look at them. Comparing the counts before and after decompression matters: keywords sitting inside FlateDecode streams or object streams are invisible to a keyword scan until the streams are inflated.
Object 9 contains the U3D stream that triggers the vulnerability.
The JavaScript action is object 55; its /JS entry references object 61, which holds the code:
55 0 obj
<</JS 61 0 R
/S /JavaScript
>>
endobj
Object 61 has a /Length of 10928 and contains large blocks of JavaScript. See the references for details of the JavaScript analysis.
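The triage above (decompress, then count the interesting keywords and note which object numbers carry them) can be scripted. The following is an added Python example, not the post's workflow and not pdfid or pdftk code: it splits a PDF into objects, inflates every FlateDecode stream with zlib, and records which objects contain /JavaScript, /JS, /U3D, /OpenAction, /AA or /ObjStm. The sample PDF it scans is constructed inline; the JavaScript action dictionary is deliberately placed inside a compressed object stream so the same scan run without inflation misses it, which is the effect the before/after pdfid comparison shows.

```python
import re
import zlib

# "N G obj ... endobj" and "stream ... endstream" with the CRLF/LF variants the spec allows.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

# pdfid-style keywords; the \b keeps /JS from matching longer names.
INDICATORS = {
    name: re.compile(rb"/" + name.encode() + rb"\b")
    for name in ("JavaScript", "JS", "U3D", "OpenAction", "AA", "ObjStm")
}


def inflate(body: bytes) -> bytes:
    """Return the object body with each FlateDecode stream replaced by its inflated data."""
    if b"/FlateDecode" not in body:
        return body

    def repl(m):
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)  # corrupt or multi-filter stream: leave it as is

    return STREAM_RE.sub(repl, body)


def scan_pdf(data: bytes, decompress: bool = True) -> dict:
    """Count objects and map each indicator keyword to the object numbers that carry it."""
    hits = {name: [] for name in INDICATORS}
    objects = 0
    for m in OBJ_RE.finditer(data):
        objects += 1
        num = int(m.group(1))
        body = inflate(m.group(3)) if decompress else m.group(3)
        for name, rx in INDICATORS.items():
            if rx.search(body):
                hits[name].append(num)
    trailer = data[data.rfind(b"trailer"):] if b"trailer" in data else b""
    return {"objects": objects,
            "encrypted": b"/Encrypt" in trailer,
            "hits": {k: v for k, v in hits.items() if v}}


def flate_stream_obj(num: int, dict_entries: bytes, raw: bytes) -> bytes:
    """Serialize one stream object with its data deflated (helper for the constructed sample)."""
    data = zlib.compress(raw)
    return (b"%d 0 obj\n<<%s /Length %d /Filter /FlateDecode>>\nstream\n"
            % (num, dict_entries, len(data)) + data + b"\nendstream\nendobj\n")


def build_sample_pdf() -> bytes:
    """Constructed, minimal PDF: a U3D stream plus a JavaScript action hidden in an object stream."""
    js = b"app.alert('constructed sample payload');"
    # Object 3 (the JavaScript action dictionary) lives inside a compressed object stream,
    # so a scan that does not inflate streams never sees /JavaScript or /JS.
    objstm = b"3 0 <</S /JavaScript /JS 4 0 R>>"
    return (b"%PDF-1.7\n"
            b"1 0 obj\n<</Type /Catalog /Pages 2 0 R /OpenAction 3 0 R>>\nendobj\n"
            b"2 0 obj\n<</Type /Pages /Kids [] /Count 0>>\nendobj\n"
            + flate_stream_obj(4, b"", js)
            + b"5 0 obj\n<</Type /Annot /Subtype /3D /3DD 6 0 R>>\nendobj\n"
            + flate_stream_obj(6, b"/Type /3D /Subtype /U3D", b"U3D\x00constructed bytes")
            + flate_stream_obj(7, b"/Type /ObjStm /N 1 /First 4", objstm)
            + b"trailer\n<</Root 1 0 R /Size 8>>\n%%EOF\n")


if __name__ == "__main__":
    pdf = build_sample_pdf()
    print("raw:     ", scan_pdf(pdf, decompress=False))
    print("inflated:", scan_pdf(pdf))
```

On the constructed file the raw scan reports only /OpenAction, /U3D and /ObjStm; the inflated scan additionally attributes /JavaScript and /JS to object 7, the object stream. That is the same reason the post decrypts first and decompresses second: an encrypted or deflated stream shows nothing to a keyword count, and a sample that looks "clean" to pdfid before those two steps should not be trusted.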
When the file is opened, the PDF drops two files under %TEMP%:
- AAA.temp
- Scvhost.exe
AAA.temp turned out to be another PDF of 372 KB. As expected it is a clean decoy: 44 pages and no JavaScript or other suspicious objects.
Scvhost.exe (SHA1: 20251fef1a169c1c92b1e329da876d431c9f9bf4) carries a RAR-archive icon to mislead users, and its name mimics the legitimate svchost.exe. On execution the malware copies itself to %program_files%\common files\release as zfkeymonitor.exe.
It then drops a DLL named rundll32.dll (SHA1: 389e8c457dd30952289c6c801850610f46ce1353) into the same %program_files%\common files\release directory and loads it by running %SYSTEM%\rundll32.exe rundll32.dll. Naming the DLL after the legitimate loader is meant to make the resulting process tree look innocuous.
I will not dig further into the dropped files here, as Microsoft already detects the PDF sample as Exploit:Win32/CVE-2011-2462.B and Scvhost.exe as MonitoringTool:Win32/ZFKeyMonitor.
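The file names and hashes above are usable indicators, but name-only and hash-only matches mean different things. As an added example, not the post's tooling, here is a small Python check that walks a directory tree, hashes every file with SHA-1 and reports matches against the indicators from the post. The directory it scans is a constructed temp tree standing in for %program_files%\common files\release; the constructed files will of course not hash to the real samples, so the script has to fall back to name matches and say so, which is exactly the ambiguity a hunter faces with filename indicators.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators taken from the post: dropped file names and the SHA-1 hashes reported there.
# Names are matched case-insensitively because NTFS is. None means "name only".
FILE_IOCS = {
    "scvhost.exe": "20251fef1a169c1c92b1e329da876d431c9f9bf4",
    "rundll32.dll": "389e8c457dd30952289c6c801850610f46ce1353",
    "zfkeymonitor.exe": None,  # copy of the dropper; the post gives no separate hash
    "aaa.temp": None,          # the decoy PDF; name only
}


def sha1_of(path) -> str:
    """Stream the file through SHA-1 so large files do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_tree(root, iocs=FILE_IOCS) -> list:
    """Report every file under root whose name or SHA-1 matches an indicator."""
    known_hashes = {h for h in iocs.values() if h}
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        digest = sha1_of(path)
        name = path.name.lower()
        name_hit = name in iocs
        hash_hit = digest in known_hashes
        if not (name_hit or hash_hit):
            continue
        if hash_hit:
            note = "hash matches a known sample"
        elif iocs[name] is None:
            note = "name matches; no hash available, inspect manually"
        else:
            note = "name matches but hash differs: possible variant or unrelated file"
        findings.append({"path": str(path), "sha1": digest,
                         "name_match": name_hit, "hash_match": hash_hit, "note": note})
    return findings


def demo():
    """Constructed tree standing in for %program_files%\\common files\\release; returns (root, findings)."""
    root = tempfile.mkdtemp()
    release = Path(root) / "Common Files" / "release"
    release.mkdir(parents=True)
    (release / "rundll32.dll").write_bytes(b"MZ constructed, not the real sample")
    (release / "zfkeymonitor.exe").write_bytes(b"MZ constructed, not the real sample")
    (Path(root) / "readme.txt").write_bytes(b"benign file")
    return root, check_tree(root)


if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding["path"], finding["note"])
```

A rundll32.dll living next to zfkeymonitor.exe under Common Files is worth a look even when its hash differs from the one above: the name belongs to no stock Windows component, and a repacked variant of the same dropper would keep the file name while changing the hash.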
Further reading:
Conclusion:
To protect yourself against attacks like this, keep your operating system and applications up to date with all security patches (in particular Adobe Reader and Acrobat, which this exploit targets), use the latest version of your browser, install an anti-virus engine and keep it updated, and consider disabling JavaScript in Reader if you do not need it. Do not open attachments or click hyperlinks received from an unknown source.
Stay safe!!!