We recently discovered a sample that is trying to exploit the 0-day Adobe vulnerability tracked by CVE-2010-3654. This sample is being distributed as a PDF file, and it goes through a lot of complicated steps before the final payload is executed. Analyzing this sample is like working your way through a matryoshka doll.
 
The analysis of this malware can be broken down into four steps:
  1. The PDF
  2. The shellcode
  3. …More shellcode, and
  4. The Portable Executable file

1. The PDF
The PDF file contains four malicious components:

  • A malformed SWF (Shockwave Flash) file to trigger the CVE-2010-3654 vulnerability
  • Shellcode
  • JavaScript which does the heap spray
  • An encrypted PE (Portable Executable) file
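As an added example (not code from this post or from MMPC), the following Python script triages a PDF for the four components listed above: it inflates FlateDecode streams and flags embedded SWF headers, JavaScript carrying a heap-spray pattern, and high-entropy blobs that may be an encrypted PE. The sample PDF it builds is a constructed stand-in, and the entropy cutoff is an assumption.

```python
# Added example, not the post's code: triage a PDF for the four components
# listed above. The sample PDF is constructed; the entropy cutoff is an assumption.
import math
import re
import zlib

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")  # uncompressed / zlib / LZMA SWF headers
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
JS_RE = re.compile(rb"unescape\(|eval\(|String\.fromCharCode")
SPRAY_RE = re.compile(rb"unescape\(\s*[\"'](?:%u[0-9a-fA-F]{4}){8,}")  # long unescape blob

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; near 8.0 means random-looking (encrypted or compressed)."""
    n = len(data)
    if not n:
        return 0.0
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))

def triage_pdf(pdf: bytes, entropy_cutoff: float = 7.5) -> list:
    """Return (stream_index, finding) pairs for every indicator spotted."""
    findings = []
    for idx, m in enumerate(STREAM_RE.finditer(pdf)):
        try:
            body = zlib.decompress(m.group(1))  # FlateDecode stream
        except zlib.error:
            body = m.group(1)                   # not deflated, scan as-is
        if body[:3] in SWF_MAGIC:
            findings.append((idx, "embedded SWF"))
        if JS_RE.search(body):
            findings.append((idx, "javascript"))
        if SPRAY_RE.search(body):
            findings.append((idx, "heap-spray pattern"))
        if len(body) >= 256 and shannon_entropy(body) >= entropy_cutoff:
            findings.append((idx, "high-entropy blob (possible encrypted PE)"))
    return findings

def build_sample_pdf() -> bytes:
    """Constructed stand-in for the malicious PDF (not the real sample)."""
    js = (b'var sc = unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c");'
          b" while (sc.length < 0x100000) sc += sc;")
    swf = b"FWS\x0a" + b"\x00" * 40        # bogus SWF header, no real tags
    blob = bytes(range(256)) * 4           # uniform bytes standing in for the encrypted PE
    def obj(num, body, flate=False):
        data = zlib.compress(body) if flate else body
        filt = b" /Filter /FlateDecode" if flate else b""
        return (b"%d 0 obj\n<< /Length %d%s >>\nstream\n" % (num, len(data), filt)
                + data + b"\nendstream\nendobj\n")
    return b"%PDF-1.4\n" + obj(4, js, True) + obj(5, swf) + obj(6, blob) + b"%%EOF\n"
```

Running `triage_pdf(build_sample_pdf())` reports the JavaScript and heap-spray pattern in stream 0, the SWF in stream 1, and the high-entropy blob in stream 2.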

2. The shellcode
The shellcode reads data from the PDF stream, decrypts it into a PE file written to disk, and then executes that file (as shown in Figure 1).

[Image: hexadecimal view of the PDF stream]

Figure 1: Decrypting the PE file

3. The shellcode, again
When the decrypted PE file is executed, it runs shellcode contained in its resource section. Looking at that shellcode, it actually decrypts a DLL file to disk and loads it. The DLL, once loaded, runs shellcode from its resource section. This time the shellcode is used to decrypt another PE image and load it directly into memory (this PE image is never written to disk; it exists only in memory).
 
4. The final PE
Dumping the decrypted PE image from memory makes the ending of this attacker's story clear: it installs Win32/Hupigon (aka "Grey Pigeon" and "Graybird"), the notorious remote-control backdoor that is a prevalent threat in China.
 

Stay safe with protection for this exploit and the threats that leverage it, and don't forget to apply the update Adobe released today (APSB10-28: http://www.adobe.com/support/security/bulletins/apsb10-28.html).

 
- Chun Feng, MMPC