Broken Exploit? Not So Fast

January 4, 2010
by Robert Lemos

Attackers don’t always get it right. Many times, their attempts to exploit a program or a computer system go awry. The result: A crash.

So, when Bojan Zdrnja, a Croatia-based handler for SANS Internet Storm Center, looked at a PDF document submitted to the volunteer group of security experts, he didn’t think it odd that it merely seemed to crash Adobe’s Acrobat Reader. To Zdrnja, the document clearly had been altered, but not in a way that could have exploited Acrobat or the operating system.

“Initially, it seemed that it was broken,” he says. “So I put it aside and replied that the code was corrupted.”

Yet, Zdrnja couldn’t let it rest. A couple hours later, he was back at his computer doing further analysis on the document. His findings surprised him.

What he had taken for a broken piece of code was actually one of the smallest programs — or “shellcode” to security researchers and hackers — that he had ever come across. The code had only 38 bytes — fewer than this sentence. Yet, it successfully exploited a critical vulnerability patched by Adobe only two weeks ago.


The malicious PDF file contained an exploit for a two-week-old vulnerability in Adobe Acrobat; its shellcode totaled only 38 bytes. (Source: SANS Internet Storm Center)

It took a lot more analysis to actually track down what the attacker was doing. Most attacks, once they exploit a system, copy files to a compromised computer’s hard drive. Every time the system is rebooted, the program runs, allowing the attacker to retain surreptitious control of the system.

This attack instead only loaded two binary files, or executables: One unpacked a small portable document format (PDF) file, restarted Adobe — which the exploit causes to crash — and opened up the file. The other binary was a malicious trojan, known as Poison Ivy, which was loaded into the system’s memory. The trojan would only run once, connect to a server on the Internet, and execute commands. Once the computer restarted, it was gone unless the user reopened the original file.

“It just runs it once,” says Zdrnja. “It doesn’t even install it on the machine.”

There are currently few defenses against the exploit code. When Zdrnja first analyzed the program two days ago, only six of 41 antivirus engines detected the exploit, he says. On Monday, security firms had only slightly bettered their results: Eight out of 41 engines flagged the file as malicious, according to VirusTotal.

There are few clues as to the source of the file. Telltale Chinese characters suggest that the document in which the exploit code was embedded was created on a Chinese system, Zdrnja says. Poison Ivy is a popular trojan used by Chinese hackers and most notably formed the backbone of the GhostNet cyber-espionage network. (My previous reporting on GhostNet can be found at SecurityFocus.)

However, other than those signs, the attackers left few digital tracks. Zdrnja wasn’t even able to connect to the attacker’s server at the address hardcoded into the program. The attackers could have shut it down after getting the information they wanted, or it may never have gone live, he says.

“It was down the first time I tried to analyze the document,” he says. “They may have sent (the trojan) to the target, and if it was a targeted attack, shut the server down soon afterward.”