Pidief-Shellcode with a Twist
While analysing the latest malicious PDF exploit documents, we found the embedded shellcode to have some interesting features. The shellcode is executed once the exploit has succeeded.
The payload of the PDF contacts a server in China – so far nothing uncommon here. The contacted system belongs to the network of the Chinese CHINA RAILWAY TELECOMMUNICATIONS CENTER. Very unusual, though, is the port used for communicating with the command and control server: it is port 220, which is normally used by the IMAPv3 protocol. The protocol used seems to be proprietary and zlib compressed.
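As an added illustration of the point above (example code, not part of the original post): triage logic that flags connections to TCP port 220 whose first bytes are not an IMAP greeting and whose payload inflates as a zlib stream. The flow records, process names and payload bytes are constructed for the example.

```python
import zlib

# Constructed sample flow records, not taken from the original post:
# (process name, destination TCP port, first application-layer bytes seen on the connection)
SAMPLE_FLOWS = [
    ("AcroRd32.exe", 220, zlib.compress(b"id=1234;cmd=fetch;url=http://example.invalid/agent.bin")),
    ("mailclient.exe", 220, b"* OK IMAP3 server ready\r\n"),
    ("AcroRd32.exe", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
]

# Assumed process names of PDF readers (hypothetical list for the example)
PDF_READERS = {"acrord32.exe", "acrobat.exe"}

def looks_like_zlib(data: bytes) -> bool:
    """True if data carries a valid RFC 1950 zlib header and inflates without error."""
    if len(data) < 2 or data[0] & 0x0F != 8:          # CM must be 8 (deflate)
        return False
    if (data[0] * 256 + data[1]) % 31 != 0:           # FCHECK: CMF*256+FLG is a multiple of 31
        return False
    try:
        zlib.decompressobj().decompress(data)         # tolerates a stream cut short by the capture
    except zlib.error:
        return False
    return True

def looks_like_imap(data: bytes) -> bool:
    """An IMAP session opens with an untagged server greeting such as '* OK ...'."""
    return data.startswith(b"* ")

def classify_flow(process: str, dst_port: int, payload: bytes) -> list:
    """Return the reasons a flow is suspicious (empty list if it looks benign)."""
    reasons = []
    if dst_port == 220 and not looks_like_imap(payload):
        reasons.append("non-IMAP traffic on tcp/220")
    if looks_like_zlib(payload):
        reasons.append("zlib-compressed payload")
    if reasons and process.lower() in PDF_READERS:
        reasons.append("originating process is a PDF reader")
    return reasons

def scan(flows) -> dict:
    """Map flow index -> reasons for every flow that produced at least one reason."""
    return {i: r for i, (proc, port, data) in enumerate(flows) if (r := classify_flow(proc, port, data))}

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_FLOWS).items():
        print(idx, SAMPLE_FLOWS[idx][:2], why)
```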
From there it downloads further malware. Among the malware we have seen is, for example, BDS/Agent.adsi, a backdoor. It gets installed in the Windows system directory.
While Adobe is working on the patch for this security vulnerability, make sure to disable JavaScript support in Adobe Reader and in Acrobat; also use up-to-date antivirus software such as Avira AntiVir. Avira AntiVir detects the known malicious PDF files and the downloaded malware. We plan to release a heuristics update today which will detect even more malicious PDF files, including as yet unknown ones.
Dirk Knop
Technical Editor