Security experts are faced with an interesting scenario every time a zero-day vulnerability is disclosed. There are always two possibilities—developers will effectively fix the flaw before any major issue arises or cybercriminals will get an opportunity to spread malware via vulnerability exploits and developers are left with the task of cleaning up the mess they leave behind.
The recent zero-day exploit is a good example of the latter scenario. When Adobe released a security advisory about a Flash Player vulnerability, a zero-day exploit had already been found. Tagged as critical, the vulnerability (CVE-2010-1297) causes the application to crash and can allow remote users to execute malicious codes on an affected system.
Exploits in a Flash
As evidenced by this and many other zero-day exploit attacks, cybercriminals waste no time in taking the opportunity to take advantage of vulnerable users. In this particular scheme, spammers sent email messages with an .SWF file embedded in a .PDF file attachment. Opening the attached file executes the .SWF file, which, in turn, results in exploitation of the Adobe Flash Player vulnerability.
Figure 1. Adobe Flash Player vulnerability exploit infection diagram
The vulnerability currently exists in 10.0.x and 9.0.x versions of Flash, including the current version (10.0.45.2). Furthermore, authplay.dll or the vulnerable component is also used by Adobe’s PDF products. Consequently, both Acrobat and Reader 9.3.2 and earlier versions that belong to the 9.x family are also affected. Acrobat and Reader 8.x versions are not affected.
Opening Doors to Malware
Vulnerability exploits typically lead not just to one malware infection but to several infections at the same time. In this attack, Trend Micro detects malicious files exploiting the vulnerability as TROJ_PIDIEF.WX. Once installed on a system, the Trojan connects to a malicious website to download a file detected as TROJ_SMALL.WJX, which, in turn drops a file detected as BKDR_PDFKA.W.
The backdoor leaves users susceptible not just to information theft but to involvement in cybercriminals’ money-making schemes as well because of its routines. More specifically, BKDR_PDFKA.W collects system information such as installed applications and IP configurations. It is likewise capable of downloading files from the Web and executing these on an affected system. As a result, the compromised machine can be used for pay-per-install (PPI) schemes that cybercriminals often use to spread malware and to build botnets.
User Risks and Exposure
Given the speed by which cybercriminals exploit vulnerabilities, users are constantly victims in the making. It does not help either that patching systems is both a tiresome and time-consuming task for small businesses but even more so for enterprises that need to manage several systems.
In this attack, users face the added challenge of dealing with several vulnerable applications at once. Since the malicious files exploit vulnerabilities in Adobe Flash Player, Acrobat, and Reader, users should be sure to patch all these applications and make sure they do not leave any of them vulnerable.
In the end, it is still best to enable automatic updates whenever possible and to ensure that systems are consistently updated with the latest vendor-released patches. Since the threats in this attack arrive via spammed messages, users are likewise advised to practice discretion when opening email messages and when downloading and executing file attachments. Users should always be on the lookout for unsolicited email messages, dubious-sounding senders, and meaningless salad words. Such messages should be immediately deleted since spammers sometimes utilize invisible links that can inadvertently lead users to malicious websites.
Trend Micro Solutions and Recommendations
Trend Micro™ Smart Protection Network™ delivers security infrastructure that is smarter than conventional approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network™ is a cloud-client content security infrastructure that automatically blocks threats before they reach you. A global network of threat intelligence sensors correlates with email, Web, and file reputation technologies 24 x 7 to provide comprehensive protection against threats. As the sophistication of threats, volume of attacks, and number of endpoints rapidly grows, the need for lightweight, comprehensive, and immediate threat intelligence in the cloud is critical to overall protection against data breaches, damage to business reputation, and loss of productivity.
In this attack, Smart Protection Network’s email reputation service blocks all emails related to this spam run. File reputation service detects and prevents the download of malicious files detected as TROJ_PIDIEF.WX, TROJ_SMALL.WJX, and BKDR_PDFKA.W. The Web reputation service likewise prevents access to the malicious sites.
Users are also advised to upgrade to the latest Flash Player version, which Adobe has announced in this security bulletin. Meanwhile, updates for Adobe Reader and Acrobat 9.3.2 for Windows, Macintosh, and Unix are expected to be released by June 29, 2010. As a workaround, users can manually delete the vulnerable component, authplay.dll. However, when this is done, all Flash contents within .PDF files cannot be opened. Users may see a crash or error message but this will not trigger the exploit.