With more than a week until Adobe is scheduled to patch a critical vulnerability in its Reader and Acrobat applications, online thugs are targeting it with an unusually sophisticated attack.
The PDF file uses what’s known as egg-hunting shellcode to compress the first phase of the malicious payload into 38 bytes, a tiny size that’s designed to thwart anti-virus detection. As a result, just four of the 41 major AV programs detect the attack more than six days after the exploit surfaced, according to this analysis from Virus Total.
The shellcode then loads an obfuscated binary file contained in the PDF file that installs PoisonIvy, a backdoor client used to maintain control over infected PCs.
“Not only was this a very interesting example of a malicious PDF document carrying a sophisticated ‘war head,’ but it also showed the length attackers are willing to go to in order to make their malware as hard to detect as possible, not only for the AV vendors, but also for victims,” wrote Bojan Zdrnja, a Sans handler who analyzed the exploit.