http://blogs.adobe.com/psirt/2009/07/update_on_adobe_reader_acrobat.html

Whose? http://www.avertlabs.com/research/blog/index.php/2009/07/22/new-0-day-attacks-using-pdf-documents/

New 0-Day Attacks Using PDF Documents
Wednesday July 22, 2009 at 7:47 pm CST

As we have already mentioned multiple times in the past, exploits that take advantage of newly discovered holes in popular applications represent a growing threat to Internet users. Many, if not most, computer systems are vulnerable to these attacks. More evidence shows that 0-day attacks remain the preferred choice of cyber criminals.

Today, a new unpatched Adobe vulnerability was discovered in the wild. It takes advantage of a newly added feature for embedding interactive Flash (SWF) content in PDF files. This bug was found to affect at least Adobe Reader and Acrobat 9.1.2, as well as Adobe Flash Player 9 or newer.

In our investigation of the issue, we found that Acrobat 9 introduced a new “Rich Media” annotation type, which uses Acrobat’s built-in Flash Player to play SWF content. In the current attack, specially crafted FWS files were embedded into PDF documents, which can cause Adobe Reader to execute arbitrary code when the document is viewed. When successful, the exploit’s shellcode is executed by Adobe Reader. The picture below depicts how the shellcode works and what it does:
It first gets the KERNEL32.dll image base using the Windows PEB structure, sets up the required Windows APIs, then decrypts and executes its malware payload. This specific malicious PDF file contains 3 embedded executables encoded using a simple 1-byte XOR key. When run, it drops a file called SUCHOST.EXE and sends the information gathered from the infected machine to a free host-redirection service based in China:
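A 1-byte XOR key is the weakest possible encoding of an embedded payload, and an analyst can recover it without knowing the key in advance: decode the blob under all 256 keys and look for the "MZ" header of a PE image with the DOS-stub text following it. The script below is an added example, not code from the Avert Labs post; the three "executables" it carves are a constructed stub, and the key 0xA7, the filler and all function names are assumptions for the demonstration.

```python
from __future__ import annotations

# Added example (not from the Avert Labs post): recover payloads hidden with a
# single-byte XOR key by brute-forcing all 256 keys and looking for a PE image.
# A PE starts with the "MZ" magic and carries the DOS-stub text shortly after it,
# so requiring both keeps false positives down.

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same 1-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def find_xor_pe(blob: bytes, window: int = 0x80) -> list[tuple[int, int]]:
    """Return sorted (offset, key) pairs at which decoding `blob` with `key`
    exposes an "MZ" header followed by the DOS-stub text within `window` bytes."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        pos = decoded.find(b"MZ")
        while pos != -1:
            if DOS_STUB_TEXT in decoded[pos:pos + window]:
                hits.append((pos, key))
            pos = decoded.find(b"MZ", pos + 1)
    return sorted(hits)


def carve(blob: bytes, offset: int, key: int, length: int) -> bytes:
    """Decode `length` bytes starting at `offset`. In practice you would parse
    the recovered PE headers to learn the real image size and re-carve."""
    return xor_bytes(blob[offset:offset + length], key)


# --- constructed sample: three copies of a stub "executable", XORed with 0xA7
# --- and separated by PDF-looking filler. Not real malware.
def _fake_pe() -> bytes:
    dos_header = b"MZ" + b"\x00" * 0x3E  # 64-byte IMAGE_DOS_HEADER, fields zeroed
    dos_stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"  # classic stub code
    return dos_header + dos_stub + DOS_STUB_TEXT + b"\r\n$" + b"\x00" * 16


SAMPLE_KEY = 0xA7  # assumed key for the constructed sample
_PE = _fake_pe()
_FILLER = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
SAMPLE_BLOB = (_FILLER + xor_bytes(_PE, SAMPLE_KEY)) * 3
SAMPLE_OFFSETS = [len(_FILLER) + i * (len(_FILLER) + len(_PE)) for i in range(3)]

if __name__ == "__main__":
    for offset, key in find_xor_pe(SAMPLE_BLOB):
        head = carve(SAMPLE_BLOB, offset, key, 2)
        print(f"PE candidate at offset {offset:#x}, key {key:#04x}, magic {head!r}")
```

Requiring the DOS-stub string as well as "MZ" is what makes the brute force usable: "MZ" alone appears by chance under some key in almost any large blob. Multi-byte or rolling keys defeat this simple scan, but a single repeated byte, as described above, falls to it in milliseconds.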
The victim is then redirected to other malicious IP address(es). This malware acts as a backdoor that allows remote access to the infected computer.

According to Adobe, the “Rich Media” annotation is new to Acrobat 9.x and will not be understood by PDF viewers that only support up to the Acrobat 8 specification. Thus, if you place the SWF file into a PDF with Acrobat 9, it is not readable by Acrobat or Adobe Reader 8 and older versions, and those versions will not be vulnerable to this attack. While details of this vulnerability have not yet been made public, more attackers are likely to take advantage of this critical vulnerability, as in past incidents.

For McAfee customers, both the PDF and its associated payload have been proactively detected as “Exploit-PDF.t” since the 5683 DATs (July 21st, 2009). Even though anti-malware vendors continue to add detection for new 0-day threats, there are several things you can do to mitigate such risks. Users are advised to refrain from opening attachments from untrusted sources and from visiting untrustworthy web sites. This bug is currently being investigated by the Adobe Product Security Incident Response Team.

(Thanks to Abhishek Karnik and Aditya Kapoor for helping to analyze the malware.)
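Because the attack hinges on a /RichMedia annotation carrying an embedded SWF, a mail gateway or incident responder can triage PDFs for exactly those two features without needing the exploit details. The script below is an added example, not code from the Avert Labs post or from Adobe: it scans raw bytes with regular expressions, tries FlateDecode on each stream, and flags the "FWS"/"CWS" SWF signatures. The two sample PDFs are constructed inline, and the function and constant names are assumptions; it does not parse cross-reference tables or object streams, so a clean result means "nothing obvious", not "safe".

```python
import re
import zlib

# Added example (not from the Avert Labs post or Adobe): a quick static triage
# that flags PDFs carrying a /RichMedia annotation or an embedded SWF stream.

RICHMEDIA_ANNOT_RE = re.compile(rb"/Subtype\s*/RichMedia\b")
RICHMEDIA_KEY_RE = re.compile(rb"/(RichMedia\w*)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
SWF_MAGICS = (b"FWS", b"CWS")  # uncompressed / zlib-compressed SWF signatures


def _inflate(raw: bytes):
    """Try FlateDecode; return (body, True) on success, else (raw, False)."""
    try:
        return zlib.decompressobj().decompress(raw), True
    except zlib.error:
        return raw, False


def triage_pdf(pdf: bytes) -> dict:
    """Report RichMedia annotations, RichMedia-related keys and SWF streams."""
    report = {
        "richmedia_annots": len(RICHMEDIA_ANNOT_RE.findall(pdf)),
        "richmedia_keys": sorted({k.decode() for k in RICHMEDIA_KEY_RE.findall(pdf)}),
        "swf_streams": [],  # (stream offset, magic, was FlateDecode-compressed)
    }
    for m in STREAM_RE.finditer(pdf):
        body, inflated = _inflate(m.group(1))
        if body[:3] in SWF_MAGICS:
            report["swf_streams"].append((m.start(1), body[:3].decode(), inflated))
    report["suspicious"] = report["richmedia_annots"] > 0 or bool(report["swf_streams"])
    return report


# --- constructed samples (not the malicious document from the post) ---
def _swf_header(version: int = 9, length: int = 64) -> bytes:
    """Uncompressed SWF header: 'FWS', version byte, UI32 LE file length; the
    rest is zero padding rather than a real movie."""
    return b"FWS" + bytes([version]) + length.to_bytes(4, "little") + b"\x00" * (length - 8)


def _pdf(objects: list, version: bytes = b"1.7") -> bytes:
    """Wrap object bodies into a minimal PDF (no xref table; enough for the scan)."""
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objects))
    return b"%PDF-" + version + b"\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


_SWF_Z = zlib.compress(_swf_header())
SAMPLE_PDF_RICHMEDIA = _pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>",
    b"<< /Type /Annot /Subtype /RichMedia /Rect [0 0 1 1] /RichMediaContent 5 0 R >>",
    b"<< /Type /RichMediaContent /Assets << /Names [(movie.swf) 6 0 R] >> >>",
    b"<< /Type /Filespec /F (movie.swf) /EF << /F 7 0 R >> >>",
    b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream"
    % (len(_SWF_Z), _SWF_Z),
])
SAMPLE_PDF_CLEAN = _pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>",
    b"<< /Length 11 >>\nstream\nHello world\nendstream",
], version=b"1.4")

if __name__ == "__main__":
    for name, doc in (("richmedia", SAMPLE_PDF_RICHMEDIA), ("clean", SAMPLE_PDF_CLEAN)):
        print(name, triage_pdf(doc))
```

The check is deliberately feature-based rather than signature-based: it fires on any PDF that uses the Acrobat 9 RichMedia mechanism, which matches Adobe's note above that viewers limited to the Acrobat 8 specification cannot render such content anyway. Inflating each stream matters because a real document would normally store the SWF as a FlateDecode-compressed embedded file, where the "FWS" magic is not visible in the raw bytes.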
