Threat behavior
Exploit:Win32/Pdfheap.A is the detection for a malicious Portable Document Format (PDF) file that attempts to exploit the vulnerability described in CVE-2009-1862.
Installation
This exploit could be encountered when viewing a malicious webpage or when opening a malicious PDF file attached to an email message.
In the wild, this exploit was observed being delivered by a malicious JavaScript script. The script dropped the following files:
Payload
Execution of arbitrary code
The vulnerability affects Adobe Reader and Acrobat versions 9.1.2 and earlier, and Adobe Flash Player versions 9.0.159.0 and earlier and 10.0.22.87 and earlier. It is caused by the mishandling of Shockwave Flash (SWF) files embedded within a PDF file, and may allow a remote attacker to execute arbitrary code, including downloading and executing malware.
In the wild, this exploit was observed being used to install and run the following file:
When this file is executed, it copies itself to the <system folder>, keeping the file name of the copy that was executed. The registry is then modified so that the copy runs at each Windows start, as in this example:
In subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{443BCC10-CU1C-76dd-863C-BC2CC0309304}
Sets value: "StubPath"
To data: "<system folder>\SUCHOST.EXE -s"
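As an added example (not part of this Microsoft entry), the following Python parses a constructed .reg export of the Active Setup key and flags entries like the one above on two grounds: a component subkey name that is not a well-formed GUID (the subkey above contains the non-hex characters CU1C), and a StubPath executable whose name is a near-miss of a well-known Windows binary (SUCHOST.EXE versus svchost.exe). The second, benign-looking component in the sample is constructed for contrast.

```python
import re
# Constructed .reg export of the Active Setup key: the first component reuses the
# subkey and StubPath value from the analysis above; the second is made up as a contrast.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{443BCC10-CU1C-76dd-863C-BC2CC0309304}]
"StubPath"="C:\\Windows\\system32\\SUCHOST.EXE -s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"StubPath"="C:\\Windows\\system32\\regsvr32.exe /s /n /i:U shell32.dll"
"""
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\([^\]]+)\]$")
STUB_RE = re.compile(r'^"StubPath"="(.*)"$')
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
LOOKALIKE_TARGETS = ["svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"]  # names malware imitates

def edit_distance(a, b):
    """Levenshtein distance (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_active_setup(text):
    """Return {component subkey: StubPath command} from .reg export text."""
    entries, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        key, stub = KEY_RE.match(line), STUB_RE.match(line)
        if key:
            current = key.group(1)
        elif stub and current:
            entries[current] = stub.group(1).replace("\\\\", "\\")  # undo .reg escaping
    return entries

def assess(subkey, stubpath):
    """Reasons this Active Setup entry looks suspicious (empty list if none)."""
    findings = []
    if not GUID_RE.match(subkey):  # the sample subkey contains the non-hex 'CU1C'
        findings.append("component name is not a well-formed GUID: " + subkey)
    exe = stubpath.split()[0].strip('"').rsplit("\\", 1)[-1].lower()  # base name of launched program
    for known in LOOKALIKE_TARGETS:
        d = edit_distance(exe, known)
        if 0 < d <= 2:  # near-miss of a system binary name, e.g. suchost.exe vs svchost.exe
            findings.append(f"{exe} resembles {known} (edit distance {d})")
    return findings

def scan(text):
    """Map every Active Setup component in the export to its list of findings."""
    return {k: assess(k, v) for k, v in parse_active_setup(text).items()}
```

On a live system the same checks can be run over the output of `reg export` for the Active Setup key.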
The dropped malware is then executed. In the above example, Backdoor:Win32/Swamiss.A drops the following files:
Analysis by Rex Plantado
Prevention