New Adobe exploit comes with digitally signed code
by Steve Ragan - Dec 16 2009, 15:00

There is a decent amount of talk about the new vulnerability being actively exploited in Adobe's software, but only rare mentions of the payload. Along with the exploitation of the JavaScript function inside Reader itself, the payload consists of three files that at first glance appear to be digitally signed with a certificate issued by Microsoft.
The Adobe vulnerability was discovered on December 11, and if exploited, allows the attacker to run code on the victim’s computer. Testing has confirmed that attacks will work against Acrobat and Acrobat Reader version 9 and earlier. According to The Shadowserver Foundation, the vulnerability is actually in a JavaScript function within Adobe’s code. In addition to that, “…the vulnerable JavaScript is obfuscated inside a zlib stream making universal detection and intrusion detection signatures much more difficult.”
While the Internet in general picked up on the Zero-Day Adobe flaw and spread what little details were known over the weekend, what wasn’t given much attention was the payload associated with some of the confirmed attacks.
The payload serves up three files, which upon inspection look like Windows system files. The files, according to security vendor Webroot, are crafted to look legitimate, even down to a digital signature that claims to come from Microsoft. The fake signature ships with two of the three payload files, LNETCPL.exe and LNETCPL.dll.
“One giveaway is that the sheet identifies the signer as Microsoft but lacks both an email address and a time stamp. Legitimate system files digitally signed by Microsoft identify the signer as Microsoft Corporation and always have a time stamp. The bogus signatures are identified as invalid, but only when you click the Details button on the Properties Sheet’s Digital Signatures tab,” Webroot’s Andrew Brandt wrote.
For those who are curious, a file legitimately signed by Microsoft will have a certificate issued by the Microsoft Code Signing PCA and a countersignature from VeriSign. Brandt noted that the files delivered with the Adobe exploit are missing the countersignature. Moreover, the criminals may be using Microsoft's Certificate Creation tool to create the fakes. The tool, freely available from Microsoft, generates X.509 certificates that are intended for testing purposes only.
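The tells Webroot describes (signer named "Microsoft" rather than "Microsoft Corporation", no timestamp, an invalid signature only visible under Details) can be checked from the command line instead of the Properties sheet. The script below is an added example, not code from the article or from Webroot; it uses the built-in Get-AuthenticodeSignature cmdlet and encodes those tells as triage heuristics. The subject and issuer patterns are assumptions loosened slightly from the article's wording (the article names the Microsoft Code Signing PCA; later Windows releases chain to other Microsoft PCAs), and the Downloads path is a constructed placeholder, not an indicator from the story.

```powershell
# Added example: triage Authenticode signatures on Windows binaries using the tells
# described in the article. These are heuristics for deciding what to look at more
# closely, not a verdict on whether a file is malicious or legitimate.
function Test-MicrosoftSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        $findings = @()

        if ($sig.Status -eq 'NotSigned') {
            $findings += 'not signed'
        } else {
            # The Properties sheet only reveals an invalid signature under Details;
            # the cmdlet reports the verification result directly.
            if ($sig.Status -ne 'Valid') {
                $findings += "signature status is $($sig.Status): $($sig.StatusMessage)"
            }

            $subject = $sig.SignerCertificate.Subject
            $issuer  = $sig.SignerCertificate.Issuer

            # Genuine Microsoft binaries name "Microsoft Corporation" in the subject
            # (as CN and/or O); the fakes in the article said only "Microsoft".
            # Assumed pattern, deliberately loose.
            if ($subject -notmatch 'Microsoft Corporation') {
                $findings += "signer subject is '$subject', expected Microsoft Corporation"
            }

            # The article names the Microsoft Code Signing PCA as issuer; the pattern
            # here also accepts the other Microsoft PCAs used by later Windows releases.
            if ($issuer -notmatch 'Microsoft .*PCA') {
                $findings += "issuer is '$issuer', not a Microsoft PCA"
            }

            # Legitimate Microsoft signatures always carry a timestamp countersignature.
            if (-not $sig.TimeStamperCertificate) {
                $findings += 'no timestamp countersignature'
            }
        }

        [pscustomobject]@{
            Path       = $Path
            Status     = $sig.Status
            Signer     = $sig.SignerCertificate.Subject
            Suspicious = ($findings.Count -gt 0)
            Findings   = ($findings -join '; ')
        }
    }
}

# Usage: compare a known system binary against executables in a user's Downloads
# folder (constructed location for this example, not an indicator from the article).
Test-MicrosoftSignature -Path "$env:SystemRoot\System32\notepad.exe"
Get-ChildItem "$env:USERPROFILE\Downloads\*.exe", "$env:USERPROFILE\Downloads\*.dll" -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName |
    Test-MicrosoftSignature |
    Format-Table -AutoSize
```

A file that trips none of these checks is not thereby proven clean, and a mismatch on an old or unusually signed binary is a prompt to inspect the certificate chain, not proof of tampering; the value of the script is that it surfaces the Details-tab result and the missing countersignature for many files at once.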
“While we’ve seen a number of digitally signed files come through our research queue over the years, authors of Trojan horse apps rarely go to the trouble of digitally signing files in this way. It’s not clear why they would be digitally signing files, but clearly the person or people behind this are up to no good,” added Brandt.
Adobe is aware of the vulnerability, but no patch is available. Unless an out-of-cycle fix is released, Adobe's next scheduled update window is in January, and there is no word yet on whether a fix for this bug will be included.
For now, the only mitigation is to disable JavaScript in Reader and Acrobat.