Monday, 19 December 2011

Brandon Dixon - CVE-2011-2462 exploitation: a real case

This summer I saw an interesting news item about a new online security tool: PDF X-RAY. The tool seemed so important to me that I immediately decided to write a post describing its potential and use. I was also interested in the author of the tool, Brandon Dixon, a researcher at George Washington University, so I decided to write him an email.

And here was another nice find: Brandon is very helpful and informal, a guy with whom it is a pleasure to interact.

Inviting him to write a guest post for "Punto 1" was the next step, so Brandon and I agreed that whenever an occasion came up he would write a post for my blog.

Then, two weeks ago, when I read that Brandon had published an analysis of the new 0-day vulnerability in Adobe Reader, I knew that the right time had arrived. Last Friday Adobe released a patch for this vulnerability, and knowing why it is important to organize the complex deployment of this piece of software is fundamental.

Brandon, thank you very much for accepting my invitation. This is the moment to present your work to the "Punto 1" readers.

On December 7th, 2011 a suspicious file was uploaded to PDF X-RAY containing references to U3D content. Normally this would not warrant further analysis, but Adobe had released an advisory documenting a new vulnerability within U3D content that was actively being exploited.

Using PDF X-RAY, I was able to identify both the triggering U3D object (located in object 10) and the heap spray (located in object 15). Reading through the specification revealed how the 3D content would be executed and what actions would be performed.

After the initial static analysis, the PDF was run on a Windows XP SP3 machine running Adobe Reader 9.4.6 to identify any dropped files or command and control servers. Upon opening the PDF file, Adobe Reader crashed and opened up a clean document that appeared to target employees of the defense contractor Mantech.

Not only was a clean file dropped, but there was also an executable named “pretty.exe” created and run on the system. VirusTotal identified this file with generic signatures and a reference to “sykipot”. This Trojan had been analyzed before and public data revealed how it would operate. Knowing these details, Internet Explorer was started and the system was left to wait until data was sent back to the command and control server.

Sykipot injected a process into Internet Explorer and made a request to “” to get what appeared to be a key for encryption/decryption purposes. Matthew Wollenweber analyzed the Trojan using a debugger and disassembler to identify any other process injections and the commands used for the control servers.

After identifying the Trojan being dropped and the command and control servers, focus was placed on the generation of the malicious file. Several strings within the generated document matched a proof-of-concept exploit from back in 2009. This proof-of-concept, written by Felipe Manzano, appeared to be the main generator used to create the malicious documents.

Shortly after the advisory was released, another variant of the exploit was seen being used in targeted attacks. These documents were encrypted with AESV3 and appeared to be generated using Adobe LiveCycle. While these documents exploited the same vulnerability, they were more successful in bypassing anti-virus because of the AESV3 encryption.
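The two static checks described above, object-level triage (the post locates the U3D trigger in object 10 and the heap spray in object 15) and recognition of an AESV3-encrypted document, can be reproduced with a few regexes. The script below is an added example, not code from Brandon's post or from PDF X-RAY: the sample PDF skeleton, the object numbers, the JavaScript payload and the heap-spray heuristics are all constructed for illustration, and the parser assumes a flat, unfiltered file (real documents also use FlateDecode streams, object streams and cross-reference streams, which it does not handle). The security point it makes explicit is that standard PDF encryption only encrypts strings and streams, so the /Subtype /U3D and /JS names remain visible while the script body itself is ciphertext, which is exactly why string signatures miss the encrypted variant until it is decrypted.

```python
import re
from typing import Dict, List, Optional

# Regexes for a flat, unfiltered PDF body (an assumption of this example; real
# files also use object streams, filters and xref streams, which this skips).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.S)
JS_KEY_RE = re.compile(rb"/JS\b|/JavaScript\b")
U3D_RE = re.compile(rb"/Subtype\s*/U3D\b")

# Heuristics for a classic JavaScript heap spray: %u-escaped shellcode built
# with unescape(), a string-doubling loop and an array of spray blocks.
HEAP_SPRAY_HINTS = [
    rb"unescape\s*\(",
    rb"%u[0-9a-fA-F]{4}",
    rb"while\s*\(\s*\w+\.length\s*<",
    rb"new\s+Array",
]


def parse_objects(pdf: bytes) -> Dict[int, bytes]:
    """Map object number -> raw body for every 'N G obj ... endobj' block."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def find_u3d_objects(objects: Dict[int, bytes]) -> List[int]:
    """Object numbers carrying U3D content (the 3D stream type in the advisory)."""
    return sorted(n for n, body in objects.items() if U3D_RE.search(body))


def find_javascript_objects(objects: Dict[int, bytes]) -> List[int]:
    """Object numbers with a /JS or /JavaScript key, whether readable or not."""
    return sorted(n for n, body in objects.items() if JS_KEY_RE.search(body))


def find_heap_spray_objects(objects: Dict[int, bytes]) -> Dict[int, List[str]]:
    """JavaScript objects where at least two spray heuristics match in the clear."""
    hits = {}
    for n in find_javascript_objects(objects):
        matched = [h.decode() for h in HEAP_SPRAY_HINTS if re.search(h, objects[n])]
        if len(matched) >= 2:
            hits[n] = matched
    return hits


def encryption_info(pdf: bytes, objects: Dict[int, bytes]) -> Optional[dict]:
    """Describe the trailer's /Encrypt dictionary, if any. /V 5 with /CFM /AESV3
    is the AES-256 scheme: strings and streams are ciphertext, names are not."""
    trailer = TRAILER_RE.search(pdf)
    ref = trailer and re.search(rb"/Encrypt\s+(\d+)\s+\d+\s+R", trailer.group(1))
    if not ref:
        return None
    num = int(ref.group(1))
    enc = objects.get(num, b"")
    v = re.search(rb"/V\s+(\d+)", enc)
    r = re.search(rb"/R\s+(\d+)", enc)
    cfm = re.search(rb"/CFM\s*/(\w+)", enc)
    return {"object": num,
            "V": int(v.group(1)) if v else None,
            "R": int(r.group(1)) if r else None,
            "CFM": cfm.group(1).decode() if cfm else None}


def triage(pdf: bytes) -> dict:
    """Run all checks and return one report dictionary."""
    objects = parse_objects(pdf)
    return {"u3d_objects": find_u3d_objects(objects),
            "javascript_objects": find_javascript_objects(objects),
            "heap_spray_objects": find_heap_spray_objects(objects),
            "encryption": encryption_info(pdf, objects)}


def build_sample(js_entry: bytes, encrypt: bool) -> bytes:
    """Constructed test input: a minimal PDF skeleton, not a real exploit file.
    Objects 10 (U3D) and 15 (JavaScript) reuse the numbers named in the post."""
    encrypt_obj = (b"20 0 obj\n<< /Filter /Standard /V 5 /R 5 /Length 256 "
                   b"/CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen >> >> "
                   b"/StmF /StdCF /StrF /StdCF >>\nendobj\n") if encrypt else b""
    trailer = b"<< /Root 1 0 R /Encrypt 20 0 R >>" if encrypt else b"<< /Root 1 0 R >>"
    return (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 15 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [9 0 R] >>\nendobj\n"
            b"9 0 obj\n<< /Type /Annot /Subtype /3D /3DD 10 0 R >>\nendobj\n"
            b"10 0 obj\n<< /Type /3D /Subtype /U3D /Length 8 >>\nstream\n"
            b"U3D\x00\x00\x00\x00\x00\nendstream\nendobj\n"
            b"15 0 obj\n<< /S /JavaScript /JS " + js_entry + b" >>\nendobj\n"
            + encrypt_obj + b"trailer\n" + trailer + b"\n%%EOF\n")


# Plain-text spray as it would appear in an unencrypted document (constructed).
PLAINTEXT_JS = (b'(var s=unescape("%u0c0c%u0c0c");while(s.length<0x40000)s+=s;'
                b'var a=new Array();for(var i=0;i<200;i++)a[i]=s+s;)')
# Stand-in for the same script once AESV3-encrypted: an opaque hex string.
ENCRYPTED_JS = b"<9f3a7c1e5b2d8e4f0a6c3b9d1e7f2a5c>"

if __name__ == "__main__":
    for label, pdf in (("plain", build_sample(PLAINTEXT_JS, False)),
                       ("aesv3", build_sample(ENCRYPTED_JS, True))):
        print(label, triage(pdf))
```

On the plain sample the report names object 10 as U3D and object 15 as both JavaScript and heap spray; on the AESV3 sample it still names objects 10 and 15 by their keys but finds no spray heuristics, and reports the /Encrypt dictionary with /V 5 and /CFM /AESV3. That second report is the cue to decrypt with the document's (usually empty) user password before applying any string-based signature or YARA rule.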

Performing analysis on the encrypted document also revealed a different Trojan being dropped on the system. VirusTotal was not able to identify a particular Trojan family associated with this executable, but HTTPS connections could be seen being made to It is unclear what, if anything, was sent to this command and control server, but it did appear offline.

It should be noted that the encrypted documents appeared to target defense contractor Lockheed Martin and farming company Monsanto. Given the extreme differences in document structure and Trojan dropper, it is likely two different groups were involved in the use of these zero-day exploits. Several signs point back to China as the creator of these documents, but this cannot be confirmed.

Besides being the Founder and CEO of 9b+, the company that owns PDF X-RAY, Brandon Dixon is also "Computer Forensics and Security Engineer with George Washington University". He also contributes to Hakin9 as a tester, writer and promoter.

Here you can find his LinkedIn profile.
