An analysis of the exploit by the SANS Internet Storm Center shows that the attack is quite different from other PDF-based exploits in a number of important ways. Like many previous attacks, this newest exploit uses heap spraying in order to get the application to execute its two-stage shellcode. But that’s essentially where the similarities end.
Now comes the interesting part. This is an egg-hunting shellcode: it starts at the memory address ((0x02020200 OR 0xFF) + 0x01) = 0x02020300 and compares the content of every 4 bytes with 0x58905090. You can see that initially the attacker moves 0x5890508F into the EAX register, which then gets increased by one – this was probably done to

This pattern (0x58905090) corresponds to instructions POP EAX, NOP, PUSH EAX, NOP. Now, once this pattern has been identified in memory, the egg-hunting shellcode passes execution to this second stage

What is interesting about this approach is that the second stage shellcode is included as a different object in the PDF document. While the object is marked as a color object and its contents are inflated, it looks as if it is corrupted: it does not contain any inflated
The code then attempts to decompress the streams, which fails, but the Adobe application executes the code anyway and loads all of it into memory, the SANS analysis shows. The malicious PDF document used in this attack includes two separate binaries, the first of which installs a copy of the old PoisonIvy backdoor. It tries to connect to a remote C&C server, which is apparently offline right now.
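As an added defender-side example, not taken from the SANS analysis or this article, the Python below scans a PDF's FlateDecode streams for the 0x58905090 egg tag described above, checking both the raw stream bytes and whatever a partial inflate yields, since the carrier stream in this case is corrupted and never fully decompresses. The sample PDF is constructed inline, and the stream regex is a deliberately simplified assumption rather than a full PDF parser.

```python
import re
import struct
import zlib

# The egg tag quoted from the analysis: DWORD 0x58905090, i.e. x86 bytes
# POP EAX (0x58), NOP (0x90), PUSH EAX (0x50), NOP (0x90). Stored little-endian
# in memory, so the byte sequence to look for is 90 50 90 58.
EGG_DWORD = 0x58905090
EGG_BYTES = struct.pack("<I", EGG_DWORD)

# Simplified stream extractor (assumption: plain "stream ... endstream" framing).
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def find_egg(buf: bytes) -> list[int]:
    """Return every offset at which the egg tag occurs (overlaps included)."""
    hits, start = [], 0
    while (i := buf.find(EGG_BYTES, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def inflate_partial(data: bytes, chunk: int = 64) -> bytes:
    """Inflate chunk by chunk and keep whatever came out before a corruption error."""
    d, out = zlib.decompressobj(), bytearray()
    for i in range(0, len(data), chunk):
        try:
            out += d.decompress(data[i:i + chunk])
        except zlib.error:
            break  # corrupted stream: return the partial output gathered so far
    return bytes(out)


def scan_pdf(pdf: bytes) -> list[tuple[str, int, int]]:
    """Return (view, stream_index, offset) for each egg hit, raw and inflated."""
    findings = []
    for idx, data in enumerate(STREAM_RE.findall(pdf)):
        findings += [("raw", idx, off) for off in find_egg(data)]
        findings += [("inflated", idx, off) for off in find_egg(inflate_partial(data))]
    return findings


def build_sample_pdf() -> bytes:
    """Constructed sample: a benign stream, a valid stream carrying the tag, a corrupt one."""
    benign = zlib.compress(b"BT /F1 12 Tf (hello) Tj ET")
    hidden = zlib.compress(b"A" * 16 + EGG_BYTES + b"B" * 16)
    corrupt = b"\x01\x02" + EGG_BYTES + b"\xff" * 8  # not valid zlib, tag in raw bytes
    obj = lambda n, d: (b"%d 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % (n, len(d))
                        + d + b"\nendstream\nendobj\n")
    return b"%PDF-1.4\n" + obj(1, benign) + obj(2, hidden) + obj(3, corrupt) + b"%%EOF\n"
```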
The second binary does something odd: It saves a harmless PDF on the user’s machine, perhaps as a way of distracting the user from the rest of the exploit behavior.
The vulnerability that this attack exploits has not been patched yet. Adobe is scheduled to publish a fix for it on Jan. 12.