On Tuesday, February 12, the FireEye Malware Intelligence Lab released a blog post detailing a zero-day exploit they had discovered being used in the wild. Adobe released their own blog post in response, though it provided even fewer details than FireEye's.
Though the details released by Adobe have been scant at best, they did publish this security advisory, and a separate analysis performed by Sophos lays out the specifics of the vulnerability in pleasing detail.
The exploit is suspected to begin with a targeted e-mail containing links to an infected system. That system attempts to exploit an Adobe Flash vulnerability in Mozilla Firefox. However, without direct intervention by the researchers at Sophos, the exploit did not run to completion on its own. Once the researchers had forced the infection through on their test system, they were able to deduce that the malware drops one malicious .DLL file and two malicious .TXT scripts into the victim's Flash directory. These scripts execute the .DLL, which contains a malicious .EXE program. The .EXE is the malware itself; it copies itself into the system's Startup folder so that it persists across reboots. At this point the malware attempts to connect to a particular Command-and-Control server and carries out one of several functions: gather and upload a system inventory, take and upload screenshots, or download updated malware code.
Recognized as Troj/FSBSpy-A or Troj/FSBSpy-B by Sophos products, the malware is not believed to be finished: unreferenced variables and leftover comments remain in its code, and .PDB files (program database files used during debugging) are still packaged with it.
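The two locations named above, the Flash directory and the Startup folder, are where a defender would look for this drop pattern. The script below is an added example written for this post, not code from Sophos, FireEye or Adobe: it audits both folders for the file types the post describes (.DLL and .TXT in the Flash directory, .EXE in Startup), hashes each candidate, and reports anything whose SHA-256 is not in a baseline of known-good files. The directory paths, the baseline set and the sample file tree are all assumptions constructed inline so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# File types the post reports the malware dropping in each location.
# Assumption: every other file in these folders is left alone by this audit.
SUSPECT_EXTENSIONS = {
    "flash": {".dll", ".txt"},
    "startup": {".exe"},
}


def sha256_file(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_location(label, directory, baseline):
    """Return findings for files with a suspect extension whose hash is not in the baseline."""
    findings = []
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file():
            continue
        if entry.suffix.lower() not in SUSPECT_EXTENSIONS[label]:
            continue
        digest = sha256_file(entry)
        if digest in baseline:
            continue  # known-good file, e.g. the legitimate plugin itself
        findings.append({"location": label, "name": entry.name, "sha256": digest})
    return findings


def run_audit(flash_dir, startup_dir, baseline):
    """Audit both locations the post names and return the combined findings."""
    return (audit_location("flash", flash_dir, baseline)
            + audit_location("startup", startup_dir, baseline))


def build_constructed_tree():
    """Create a throwaway tree that mimics the drop pattern (constructed sample data)."""
    root = Path(tempfile.mkdtemp(prefix="drop_audit_"))
    flash = root / "Flash"
    startup = root / "Startup"
    flash.mkdir()
    startup.mkdir()
    (flash / "plugin_known_good.dll").write_bytes(b"legitimate plugin bytes (constructed)")
    (flash / "dropped.dll").write_bytes(b"unknown dll bytes (constructed)")
    (flash / "loader1.txt").write_text("script one (constructed)")
    (flash / "loader2.txt").write_text("script two (constructed)")
    (flash / "readme.html").write_text("ignored by this audit")
    (startup / "desktop.ini").write_text("ignored by this audit")
    (startup / "persist.exe").write_bytes(b"unknown exe bytes (constructed)")
    return root


def demo():
    """Build the sample tree, baseline the one known-good file, and run the audit."""
    root = build_constructed_tree()
    flash, startup = root / "Flash", root / "Startup"
    # Baseline: hashes of files you have verified yourself, e.g. after a clean install.
    baseline = {sha256_file(flash / "plugin_known_good.dll")}
    return run_audit(flash, startup, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(f"[{finding['location']}] {finding['name']} sha256={finding['sha256']}")
```

On a real machine you would point `run_audit` at the actual Flash and Startup directories and populate the baseline from a clean reference install; the hashes it reports for unknown files are what you would then submit to your AV vendor or compare against published indicators.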
In anticipation of future in-the-wild appearances of this exploit, users can take certain measures to protect themselves. For Windows users, an upgrade to Adobe XI is in order, as is enabling "Protected Mode" via the program's enhanced security preferences. Macintosh and Linux users, however, are not as lucky. On those operating systems, you'll want to change the default .PDF file reader to something other than Adobe, at least until a proper patch is released to address the issue.
As always, be cautious of unsolicited e-mails and their attachments. No matter how enticing their contents may seem, they will almost certainly lead to pain and frustration in the end.