New Adobe Acrobat 0-day Vuln

October 28, 2010

The SonicWALL UTM Research team received reports of a new Adobe 0-day vulnerability being exploited in the wild. The vulnerability is triggered by a specially crafted PDF file. Upon a successful exploit attempt, the PDF drops and executes a malicious executable on the victim machine.

Installation:

Once the user opens the malicious PDF file, it drops the following payloads in the %TEMP% folder:

  • ~temp.bat
    - Waits for 3 seconds
    - Cleans up the crashed Adobe Acrobat application by terminating the running instance
    - Opens the clean PDF file that it drops, so that everything appears normal to the end user

    The content of the file ~temp.bat looks like:

    [screenshot: contents of ~temp.bat]

  • nsunday.exe - [GAV: Wisp.A_2 (trojan)]
    - the malicious payload executable

After a successful exploit attempt against the Adobe Acrobat application, control is transferred to nsunday.exe, which continues the infection.

Malware Routine:

  • Drops the malicious file nsunday.dll in the %TEMP% folder and injects it into the following running processes:
    • iexplore.exe
    • outlook.exe
    • firefox.exe
  • Creates the following registry entry to ensure that the malware runs on every system reboot:
    • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      Value: nsunday
      Data: "{user}\Local Settings\Temp\nsunday.exe -installkys"
  • Contacts the following domain:
    • news.mysundayparty.com
  • Requests commands from the remote URL:
    • news.m{REMOVE}/kys_allow_get.asp?name=getkys.kys

    Sample screenshot of the commands received:

    [screenshot: commands received from the remote server]

    These commands include:

    • Downloading other malicious files
    • Uploading files to the remote server
    • Retrieving system information

    Sample screenshot of the information retrieved from the system:

    [screenshot: system information retrieved by the malware]

  • Uploads the retrieved system information to the remote URL:
    • news.m{REMOVE}/kys_allow_put.asp?type=

  • Other dropped files:
    • %TEMP%\gdnsunday.tmp - text file containing the commands received from the remote server
    • %TEMP%\gnsunday.tmp - encrypted data
    • %TEMP%\pdnsunday.tmp - text file containing the gathered system information
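The indicators above (C2 domain and script paths, the Run-key persistence entry, the files dropped in %TEMP%) lend themselves to a simple host and proxy-log matcher. The following Python is an added example, not part of the SonicWALL write-up; the Squid-style log excerpt, the 10.0.0.x client addresses and the 203.0.113.x server addresses are constructed for illustration, and because the write-up redacts the C2 host, the kys_allow_get.asp / kys_allow_put.asp paths are matched independently of the domain.

```python
"""Indicator matching for the nsunday / Wisp.A PDF dropper described above.
All sample inputs are constructed for illustration, not captured data."""
import re
from urllib.parse import urlsplit

# Network indicators from the write-up: the domain is given in full, while the
# C2 script paths are matched on their own because the write-up redacts the host.
C2_DOMAIN = "news.mysundayparty.com"
C2_PATHS = ("/kys_allow_get.asp", "/kys_allow_put.asp")
# Host indicators: the Run-key persistence entry and the files dropped in %TEMP%.
RUN_VALUE = "nsunday"
RUN_DATA_RE = re.compile(r"nsunday\.exe\s+-installkys", re.IGNORECASE)
DROPPED_FILES = {"nsunday.exe", "nsunday.dll", "gdnsunday.tmp",
                 "gnsunday.tmp", "pdnsunday.tmp"}

def classify_url(url):
    """Return a reason string if the URL matches a C2 indicator, else None."""
    parts = urlsplit(url)
    if parts.hostname and parts.hostname.lower() == C2_DOMAIN:
        return "c2-domain"
    for c2_path in C2_PATHS:
        if parts.path.lower().endswith(c2_path):
            return "c2-path:" + c2_path
    return None

def scan_proxy_log(lines):
    """Squid-style access log (time elapsed client status bytes method url ...);
    returns (client, url, reason) for every line that hits an indicator."""
    hits = []
    for line in lines:
        fields = line.split()
        reason = classify_url(fields[6]) if len(fields) >= 7 else None
        if reason:
            hits.append((fields[2], fields[6], reason))
    return hits

def check_run_key(value_name, data):
    """True if a Run-key value/data pair matches the persistence entry above."""
    return value_name.lower() == RUN_VALUE and bool(RUN_DATA_RE.search(data))

def check_temp_listing(filenames):
    """Return the dropped-file names present in a %TEMP% directory listing."""
    return sorted(DROPPED_FILES & {name.lower() for name in filenames})

# Constructed Squid-format excerpt; the 10.0.0.x clients and 203.0.113.x servers are invented.
SAMPLE_LOG = """\
1288250000.123 120 10.0.0.5 TCP_MISS/200 512 GET http://news.mysundayparty.com/kys_allow_get.asp?name=getkys.kys - DIRECT/203.0.113.10 text/plain
1288250001.456 80 10.0.0.5 TCP_MISS/200 1024 GET http://www.example.com/index.html - DIRECT/203.0.113.20 text/html
1288250002.789 95 10.0.0.7 TCP_MISS/200 300 POST http://203.0.113.10/kys_allow_put.asp?type=sysinfo - DIRECT/203.0.113.10 text/plain
""".splitlines()
```

Running `scan_proxy_log(SAMPLE_LOG)` flags the first and third constructed lines (domain hit and path hit respectively) and ignores the benign request; `check_run_key` and `check_temp_listing` cover the host side from a registry export or a directory listing.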

SonicWALL Gateway AntiVirus provides protection against this malware via the following signatures:

  GAV: Wisp.A_2 (Trojan)
  GAV: PDF.JS_3 (Exploit)
  IPS: Adobe Shockwave rcsL Chunk Memory Corruption PoC
  IPS: Adobe Shockwave rcsL Chunk Memory Corruption PoC 2