Sophisticated zero-day hits Adobe Reader

The zero-day attack exploits CVE-2009-4324, a vulnerability Adobe first confirmed on December 15 and for which no patch is yet available.

CVE-2009-4324 is a flaw in the Doc.media.newPlayer JavaScript method of Adobe Reader and Acrobat that lets an attacker execute arbitrary code when the victim opens a malicious PDF. The SANS Institute analyzed a PDF, sent in by a reader, that implements the zero-day attack, and found that only six of 40 antivirus engines detected it.

The PDF implementing the zero-day attack uses two pieces of shellcode to help avoid detection. The first stage uses an 'egg hunting' technique: it scans the process's memory for a specific marker that identifies the second stage, then passes execution to it. That second stage is embedded as a separate binary object in the PDF document rather than inside the JavaScript.

The two-stage design gives the implementer of the zero-day exploit a dual benefit, explained SANS researcher Bojan Zdrnja. First, it lets the attacker swap the second-stage shellcode without altering the first. "Additionally, this will make automatic analysis impossible for any tool using a JavaScript interpreter on the included JavaScript code," he said. This is because the first stage only works once the whole document, including the binary object that holds the second stage, has been loaded into memory; a tool that merely interprets the embedded JavaScript never sees the payload it jumps to.
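As an added example (not code from the article, from SANS, or from the analysed PDF), the following C program simulates the egg-hunting stage described above and shows why it defeats a JavaScript-only analysis: the hunter's job is only to locate a marker in memory, and the bytes it jumps to live in a separate PDF object that is present only once Reader has loaded the document. The egg tag "w00t", the three-byte stage-2 stub and the memory layout are all constructed for the demonstration; the simulation scans a known buffer rather than a live process, so it leaves out the page-probing a real hunter needs to avoid touching unmapped memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 4-byte tag ("egg") that marks the second stage. "w00t" is a constructed
 * example value, not the tag used in the analysed PDF. Hunters search for the
 * tag twice in a row: the hunter's own code carries one copy of the tag in its
 * compare instruction, so a single occurrence would match the hunter itself. */
#define EGG     "w00t"
#define EGG_LEN 4

/* Constructed stand-in for the second stage (three placeholder bytes, not real
 * shellcode). In the real attack this object carries the PoisonIvy installer. */
static const uint8_t STAGE2[] = { 0x90, 0x90, 0xcc };

/* Stage 1: scan [mem, mem + len) for the doubled egg and return a pointer to
 * the byte after it (the first byte of stage 2), or NULL if it is not present.
 * A real hunter must also check that each page is mapped before reading it
 * (typically via a cheap system call) so unmapped memory does not crash the
 * process; this simulation scans a single known buffer instead. */
const uint8_t *egg_hunt(const uint8_t *mem, size_t len)
{
    if (len < 2 * EGG_LEN)
        return NULL;
    for (size_t i = 0; i + 2 * EGG_LEN <= len; i++) {
        if (memcmp(mem + i, EGG, EGG_LEN) == 0 &&
            memcmp(mem + i + EGG_LEN, EGG, EGG_LEN) == 0)
            return mem + i + 2 * EGG_LEN;
    }
    return NULL;
}

/* Build a constructed image of Reader's memory after the PDF is loaded:
 * filler, a lone egg (standing in for the hunter's own copy of the tag),
 * more filler, then the doubled egg immediately followed by stage 2.
 * Returns the offset at which stage 2 starts. Requires cap >= 80. */
size_t build_image(uint8_t *buf, size_t cap)
{
    const size_t lone = 16, real = 64;
    memset(buf, 0x41, cap);
    memcpy(buf + lone, EGG, EGG_LEN);
    memcpy(buf + real, EGG, EGG_LEN);
    memcpy(buf + real + EGG_LEN, EGG, EGG_LEN);
    memcpy(buf + real + 2 * EGG_LEN, STAGE2, sizeof STAGE2);
    return real + 2 * EGG_LEN;
}

/* Run the hunt over the full image; returns the offset the hunter lands on
 * (72 for the layout above) or -1 if it fails or lands on the wrong bytes. */
long hunt_full_image(void)
{
    uint8_t img[128];
    size_t expect = build_image(img, sizeof img);
    const uint8_t *hit = egg_hunt(img, sizeof img);
    if (hit == NULL || (size_t)(hit - img) != expect)
        return -1;
    if (memcmp(hit, STAGE2, sizeof STAGE2) != 0)
        return -1;
    return (long)(hit - img);
}

/* Run the hunt over only the first 40 bytes, which contain the lone egg but
 * not the doubled one; returns 1 if the lone egg is correctly ignored. */
int lone_egg_is_skipped(void)
{
    uint8_t img[128];
    build_image(img, sizeof img);
    return egg_hunt(img, 40) == NULL;
}

int main(void)
{
    printf("stage 2 found at offset %ld\n", hunt_full_image());
    printf("lone egg skipped: %s\n", lone_egg_is_skipped() ? "yes" : "no");
    return 0;
}
```

The analysis consequence follows directly from the structure: a sandbox that runs only the document's JavaScript will see the first-stage bytes but never the object at offset 64, so it cannot tell what the exploit ultimately does. Detection therefore has to look at the PDF's other objects, or at the process after the document is loaded, not just at the script.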

The second-stage shellcode installs PoisonIvy, a remote administration tool that gives the attackers a back door into the compromised machine. It then tries to cover its tracks by opening a benign PDF on the victim's machine, hiding the fact that the exploit has crashed Adobe Reader.

Adobe has pledged to patch the vulnerability on January 12, giving the zero-day attack at least another week to spread, and probably far longer if users do not update their systems.

Turning off JavaScript would be one way to avoid the attack, but according to an interview conducted by ThreatPost, Adobe security chief Brad Arkin advises users to think carefully before disabling the functionality. "If you were to disable JavaScript altogether, that would disrupt a lot of things," he said.