New Adobe Acrobat 0-day Vuln (Oct 28, 2010)

The SonicWALL UTM Research team has received reports of a new Adobe 0-day vulnerability (reported here) being exploited in the wild. The vulnerability is triggered by a specially crafted PDF file. After a successful exploit attempt, the PDF drops and executes a malicious executable on the victim machine.

Installation:

Once the user opens the malicious PDF file, it drops the following payloads in the %TEMP% folder:

  • ~temp.bat
    – Waits for 3 seconds
    – Cleans up after the crashed Adobe Acrobat application by terminating the running instance
    – Opens the clean PDF file that it drops, so that nothing looks unusual to the end user
    The content of ~temp.bat looks like:

    [screenshot]

  • nsunday.exe – [GAV: Wisp.A_2 (trojan)]
    – the malicious payload executable

After a successful exploit attempt against Adobe Acrobat, control is transferred to nsunday.exe, which continues the infection.

Malware Routine:

  • Drops the malicious file nsunday.dll in the %TEMP% folder and injects it into the following running processes:
    • iexplore.exe
    • outlook.exe
    • firefox.exe
  • Creates the following registry entry to ensure that the malware runs on every system reboot:
    • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] Value: nsunday
      Data: "{user}\Local Settings\Temp\nsunday.exe -installkys"
  • Contacts the following domain:
    • news.mysundayparty.com
  • Requests commands from the remote URL:
    • news.m{REMOVE}/kys_allow_get.asp?name=getkys.kys

    Sample screenshot of the commands received:

    [screenshot]

    These commands include:
    • Downloading other malicious files
    • Uploading files to the remote server
    • Retrieving system information

    Sample screenshot of the information retrieved from the system:

    [screenshot]

  • Uploads the retrieved system information to the remote URL:
    • news.m{REMOVE}/kys_allow_put.asp?type=
  • Other dropped files:
    • %TEMP%\gdnsunday.tmp – text file containing the commands received from the remote server
    • %TEMP%\gnsunday.tmp – encrypted data
    • %TEMP%\pdnsunday.tmp – text file containing the gathered system information
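A host triage check for the persistence entry, dropped files and DLL injection described above, added here as an example (it is not SonicWALL's tooling). It assumes a Windows host where %TEMP% resolves to the folder the malware wrote to, and that it is run as the user whose profile is being examined:

```powershell
# Added example: look for the nsunday indicators named in this advisory on the local host.
# Assumption: $env:TEMP is the same folder the malware dropped into for this user.
$findings = @()

# 1. Persistence: the "nsunday" value under HKCU\...\Run
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['nsunday']) {
    $findings += "Run key value 'nsunday' present: $($run.nsunday)"
}

# 2. Dropped files in %TEMP% (names taken from the advisory)
$dropped = 'nsunday.exe','nsunday.dll','~temp.bat','gdnsunday.tmp','gnsunday.tmp','pdnsunday.tmp'
foreach ($name in $dropped) {
    $path = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $path) { $findings += "Dropped file present: $path" }
}

# 3. Injection: nsunday.dll loaded into the browser/mail processes the advisory names
foreach ($proc in Get-Process -Name iexplore,outlook,firefox -ErrorAction SilentlyContinue) {
    try {
        $hit = $proc.Modules | Where-Object { $_.ModuleName -ieq 'nsunday.dll' }
    } catch {
        continue   # module list is not readable (other user / higher integrity level)
    }
    if ($hit) { $findings += "nsunday.dll loaded in $($proc.ProcessName) (PID $($proc.Id))" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No nsunday indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

A clean result from this check only rules out the artifacts listed on this page; a compromised host should still be reviewed for the proxy or DNS traffic to the domain named above.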

SonicWALL Gateway AntiVirus provides protection against this malware via the following signatures:

GAV: Wisp.A_2 (Trojan)
GAV: PDF.JS_3 (Exploit)
IPS: Adobe Shockwave rcsL Chunk Memory Corruption PoC
IPS: Adobe Shockwave rcsL Chunk Memory Corruption PoC 2
