Analyzing CVE-2011-2462 0-Day: Part 2

December 10, 2011 • Uncategorized

    Introduction

On December 7th, Brandon provided his analysis of a malicious PDF (MD5: 517fe6ba9417e6c8b4d0a0b3b9c4c9a9) that used an Adobe Reader 0-day (a U3D vulnerability). After successful exploitation the PDF drops a Windows executable (MD5: E769A920B12D019679C43A9A4C0D7E2C). This file, named pretty.exe, then drops DLL_101 (MD5: BA7793845FE2A02187263A96E8DAAEC6), which is stored as a resource inside pretty.exe.

    Analysis

Symantec posted a blog that describes the threat well. In this post we provide additional detail specific to the executables delivered by the initial PDF.

    Dropper:

The attacking PDF extracts and executes an initial dropper as ctfmon.exe and then renames it to pretty.exe. The purpose of this executable is to extract another executable (stored as a resource) and inject it into other processes.

The language set of the executable appears to be Chinese.

    Files

    Original files:

    http://www.mediafire.com/?nqnw5bv8zc4fxtv

    The decompiled source code (thanks to IDA and HexRays) is available here:

    http://9bplus.com/files/pretty.c

    http://9bplus.com/files/dll-101.c

No guarantees on the accuracy of the analysis – it was done quickly and in “spare” time.
