Over the weekend, SophosLabs received a strange PDF from a source who sends us large numbers of malicious files of Chinese origin. The PDF file contained two EXE files and two SWF files.
The EXEs were stored within the PDF, XOR-encrypted with the byte 0xa0, which immediately piqued the analyst's interest. After analysing the files he wrote three identities, Troj/PDFEx-BJ, Troj/Agent-KPF and Troj/SWFExp-M, for the PDF file, the EXE files and one of the SWF files respectively.
Over the last few days we have seen more files exhibiting similar characteristics. What is happening?
The initial PDF file has several embedded streams (Didier Stevens' PDFiD tool counts 18 embedded streams); the interesting ones are two SWF files and one mini-PDF file.
The mini-PDF file has some interesting features (underlined in red):
As we can see from the above image, there are embedded files and it is using RichMediaContent.
Here we see two SWF files (fancyBall.swf and oneoff.swf) referenced and run by the PDF.
The first SWF, fancyBall.swf, is just a simple little Flash animation with a ball; it crashes, and that crash allows the code in the second SWF file to run.
The other SWF, oneoff.swf, is more insidious (I have updated the Troj/SWFExp-M detection to cover more variants): using shellcode, it attempts to extract the EXE files and run them. Different instances of this malware have used different names, including save.swf and oneoff.swf.
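The two traits described above, an EXE hidden under a single-byte XOR with 0xa0 and SWF/PDF payloads sitting in embedded streams, are easy to triage for without executing anything. The scanner below is an added example written for this post, not SophosLabs code and not derived from the actual samples: it pulls every stream body out of a PDF, inflates FlateDecode bodies where zlib accepts them, and tags each body as a plain PE/SWF/PDF or as a PE/SWF that only shows its header after XOR with 0xa0. The keyword list (/EmbeddedFile, /RichMedia, /Flash, /SWF, /JavaScript) and the use of the "This program cannot be run in DOS mode" stub as a mid-stream indicator are my own heuristics, and the PDF it scans is a constructed stand-in, not a real malicious file.

```python
"""Added example (not SophosLabs code): triage scanner for PDFs carrying
XOR-0xa0 encoded executables and embedded SWF payloads."""
import re
import zlib

XOR_KEY = 0xA0                      # the single-byte key reported in the post
SWF_MAGICS = (b"FWS", b"CWS")       # uncompressed / zlib-compressed SWF headers
DOS_STUB = b"This program cannot be run in DOS mode"
# Assumed indicator keywords; /RichMedia is a prefix of /RichMediaContent.
KEYWORDS = (b"/EmbeddedFile", b"/RichMedia", b"/Flash", b"/SWF", b"/JavaScript")

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def xor_bytes(data, key=XOR_KEY):
    """Apply a single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


XOR_DOS_STUB = xor_bytes(DOS_STUB)  # how the stub looks while still encoded


def extract_streams(pdf_bytes):
    """Return (body, inflated) for every stream in the file, inflating zlib data."""
    bodies = []
    for m in STREAM_RE.finditer(pdf_bytes):
        raw = m.group(1)
        try:
            bodies.append((zlib.decompress(raw), True))
        except zlib.error:
            bodies.append((raw, False))
    return bodies


def classify_stream(data):
    """Tag a stream body by its header, both as-is and after XOR-0xa0 decoding."""
    tags = []
    head = data[:4]
    if head[:2] == b"MZ":
        tags.append("pe")
    if head[:3] in SWF_MAGICS:
        tags.append("swf")
    if head == b"%PDF":
        tags.append("pdf")
    decoded = xor_bytes(head)
    if decoded[:2] == b"MZ":
        tags.append("xor-a0-pe")
    if decoded[:3] in SWF_MAGICS:
        tags.append("xor-a0-swf")
    # The DOS stub text survives inside an encoded PE even when the MZ header
    # is not at offset 0, so it is a useful mid-stream indicator.
    if XOR_DOS_STUB in data:
        tags.append("xor-a0-dos-stub")
    return tags


def scan_pdf(pdf_bytes):
    """Triage report: suspicious keywords present, and what each stream holds."""
    keywords = [k.decode() for k in KEYWORDS if k in pdf_bytes]
    streams = []
    for index, (body, inflated) in enumerate(extract_streams(pdf_bytes)):
        streams.append({"index": index, "inflated": inflated,
                        "size": len(body), "tags": classify_stream(body)})
    suspicious = any(t.startswith("xor-a0") or t in ("pe", "swf")
                     for s in streams for t in s["tags"])
    return {"keywords": keywords, "streams": streams, "suspicious": suspicious}


def build_sample_pdf():
    """Constructed sample (not a real malicious file): one /EmbeddedFile stream
    holding an XOR-0xa0 encoded fake PE, and one FlateDecode /RichMediaContent
    stream holding a fake SWF header."""
    fake_pe = b"MZ" + b"\x90" * 62 + DOS_STUB + b".\r\n" + b"\x00" * 16
    enc_pe = xor_bytes(fake_pe)
    fake_swf = b"FWS\x08" + b"\x00" * 28
    flate_swf = zlib.compress(fake_swf)
    return b"".join([
        b"%PDF-1.6\n",
        b"1 0 obj\n<< /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> >>\nendobj\n",
        b"2 0 obj\n<< /Type /EmbeddedFile /Length %d >>\nstream\n" % len(enc_pe)
        + enc_pe + b"\nendstream\nendobj\n",
        b"3 0 obj\n<< /Type /RichMediaContent /Subtype /Flash /Filter /FlateDecode "
        b"/Length %d >>\nstream\n" % len(flate_swf)
        + flate_swf + b"\nendstream\nendobj\n",
        b"%%EOF\n",
    ])


def scan_sample():
    """Run the scanner over the constructed sample."""
    return scan_pdf(build_sample_pdf())


if __name__ == "__main__":
    import json
    print(json.dumps(scan_sample(), indent=2))
```

On the constructed sample the first stream is tagged `xor-a0-pe` and `xor-a0-dos-stub` without being inflated, the second inflates and is tagged `swf`, and the keyword list comes back with /EmbeddedFile, /RichMedia and /Flash. A single-byte XOR only hides the header from naive `MZ` matching; decoding four bytes and re-checking is enough to surface it, and a real triage tool would widen this to every single-byte key rather than only 0xa0.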
SophosLabs yesterday released detection for Mal/PDFEx-G to generically detect the malicious PDFs.
Currently, US-CERT recommends the following workarounds:
- Disable Flash in Adobe Reader 9 on Windows platforms by renaming the following files: “%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll” and “%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll”.
- Disable Flash Player or selectively enable Flash content as described in the Securing Your Web Browser document.
As always, SophosLabs endeavors to provide customers with proactive detection via identities and product features (HIPS and BOPS).