McAfee has reported what it terms ‘another zero-day attack targeting Adobe Acrobat Reader’, one that can infiltrate customer networks.
According to McAfee’s blog, the currently unpatched exploit allows code execution as soon as a user simply opens a malicious PDF document.
McAfee said the exploit code is embedded in the PDF as a malformed, escaped sequence of hex bytes.
‘After loading it into a disassembler, we can see that the unescaped executable code is stage one of a two-stage attack. The intent of stage one is to identify the open file handle of the malicious PDF to find a particular signature (which is called an egg by exploit writers). This signature (0x0A666F65 in this example) is immediately followed by stage two of the shellcode and is then branched into,’ notes the blog.
The blog also includes a screenshot of the egg embedded in the PDF, followed by the x86 machine code that forms part of stage two. McAfee notes, ‘The code contains another obfuscation layer, namely a routine that XOR decodes the remaining code and unveils an embedded executable.’
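The two-layer layout described above (an egg marker that stage one hunts for, followed by code that XOR-decodes an embedded executable) suggests a simple triage check a defender can run over a suspect PDF. The following Python is an added example, not code from McAfee or this article; it assumes the egg is stored little-endian (both byte orders are tried) and uses single-byte XOR as a stand-in for the decoder, whose real scheme the post does not describe.

```python
import struct

# Egg DWORD quoted in the McAfee post; assumption: stored little-endian, so both orders are tried.
EGG_VALUE = 0x0A666F65
EGG_PATTERNS = (struct.pack("<I", EGG_VALUE), struct.pack(">I", EGG_VALUE))

def find_eggs(data: bytes) -> list:
    """All (offset, pattern) positions of the egg marker in data."""
    return sorted((pos, pat) for pat in EGG_PATTERNS
                  for pos in range(len(data)) if data.startswith(pat, pos))

def looks_like_pe(buf: bytes, off: int) -> bool:
    """MZ header at off whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if buf[off:off + 2] != b"MZ" or len(buf) < off + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    return buf[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0"

def find_xor_pe(blob: bytes) -> list:
    """(key, offset) pairs where a single-byte XOR of blob exposes a PE header.
    Heuristic for this example; the post does not give the decoder's scheme."""
    found = []
    for key in range(256):
        dec = bytes(b ^ key for b in blob)
        pos = dec.find(b"MZ")
        while pos != -1:
            if looks_like_pe(dec, pos):
                found.append((key, pos))
            pos = dec.find(b"MZ", pos + 1)
    return found

def scan_pdf(data: bytes) -> list:
    """(egg_offset, xor_key, pe_offset) for each egg followed by an XOR-encoded PE."""
    report = []
    for egg_off, pat in find_eggs(data):
        base = egg_off + len(pat)
        for key, pos in find_xor_pe(data[base:]):
            report.append((egg_off, key, base + pos))
    return report

def make_sample() -> bytes:
    """Constructed sample, not a real exploit: PDF header, the egg, a placeholder
    stage-two stub, then a minimal fake PE image XOR-encoded with key 0x5A."""
    fake_pe = bytearray(0x80)
    fake_pe[0:2] = b"MZ"
    struct.pack_into("<I", fake_pe, 0x3C, 0x40)      # e_lfanew -> 0x40
    fake_pe[0x40:0x44] = b"PE\0\0"
    encoded = bytes(b ^ 0x5A for b in fake_pe)
    return b"%PDF-1.4\n..." + EGG_PATTERNS[0] + b"<second-stage-code>" + encoded
```

On the constructed sample, `scan_pdf(make_sample())` reports the egg at offset 12, key 0x5A and a decoded PE header at offset 35; an egg hit with no recoverable PE still merits a look, since the real decoder may not be single-byte XOR.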
Full details are available in McAfee’s blog post.