
FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation

26 posts categorized "Exploit Research"

It's a Kind of Magic

In our last post we shared our initial analysis of the malware that is installed as a result of the PDF found in the wild that exploits the then-zero-day vulnerabilities, CVE-2013-0640 and CVE-2013-0641. Today we are sharing more details about this new malware, which we have dubbed "666." The following is not a complete analysis, but outlines some of the main functionality and its interesting features.


In Turn, It's PDF Time

[Update: February 13, 2013] We have found IE, Java, and Flash zero-days in a row in the past several months, and now it's PDF’s turn. Today, we identified that a PDF zero-day is being exploited in the wild, and we observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1.

Upon successful exploitation, it will drop two DLLs. The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain.


LadyBoyle comes to town with a new exploit

[Update: February 12, 2013] By now you have probably heard of the new zero-day exploit in Adobe Flash that was patched today. FireEye Labs identified the exploit in the wild on February 5, 2013, which, based on the compile time and document creation time, is the same day the malicious payload was generated. Adobe PSIRT has released information about this threat here. They have also released an advisory with details on versions and platforms affected along with applicable patches. The two exploits have been assigned CVE-2013-0633 and CVE-2013-0634. It is highly recommended that you apply this patch right away, as this threat is active in the wild.


Happy New Year from New Java Zero-Day

We observed that a Java security bypass zero-day vulnerability (CVE-2013-0422) has been actively exploited in the wild starting Jan. 2. We have been able to reproduce the attack in-house with the latest Java 7 update (Java 7 update 10) on Windows.

We initially wanted to hold off on posting this blog entry until we received confirmation from Oracle; however, since other researchers are starting to blog on this issue, we have decided to release our summary. We will continue our research and continue to share more information.


CFR Watering Hole Attack Details

[Updated on December 30, 2012] On December 27, we received reports that the Council on Foreign Relations (CFR) website was compromised and hosting malicious content on or around 2:00 PM EST on Wednesday, December 26. Through our Malware Protection Cloud, we can confirm that the website was compromised at that time, but we can also confirm that the CFR website was also hosting the malicious content as early as Friday, December 21—right before a major U.S. holiday.


Possible Update to the Blackhole Exploit Toolkit

Pretty much everyone is aware of the BlackHole toolkit. We previously wrote a blog that compared the prevalence of various toolkits.

At FireEye, we trigger on thousands of BlackHole events every day across our customer base. We have recently seen reports that the toolkit has been updated. The following website gives you good details about what features have been included in the new toolkit: http://malware.dontneedcoffee.com/2012/09/blackhole2.0.html.

We immediately started looking through the FireEye Malware Protection Cloud (MPC) to see if the FireEye Virtual Execution engine in our appliances had seen instances of this new toolkit. (The FireEye Virtual Execution engine is our proprietary virtual machine technology that enables us to detect threats that have never before been seen.) Websense reported finding URLs in their blog, and we found a bunch of URLs—the earliest of which was detected on September 3, 2012.


Analysis of Malware Page

Target and Delivery Method

Malware Page employs the vulnerability in PDFs and has been seen to be delivered via email. Agenda_Web_(8-24-12).pdf is one of the names this malicious sample uses. Per our logs this sample has been seen to target the aviation defense industry, making this malware a critical limited edition threat. When the malicious PDF file is opened, it infects the victim’s machine and a decoy document is generated. When the decoy PDF file is opened in Acrobat Reader, as shown in Figure 1, the victim finds an invitation to an actual defense industry event.

Figure 1. Contents of the decoy PDF file

The purpose of this blog is to share the technical details about this critical limited edition malware.


Java Zero-Day - First Outbreak

A few days ago I talked about the existence of a new Java zero-day flaw (CVE-2012-4681). Soon after the publication of my blog, the white hats kicked in and there was proof-of-concept (PoC) code ready overnight. At this point, a major outbreak was inevitable. We soon came to know that the mastermind behind the Blackhole exploit kit has plans to add this zero-day to his package. This morning we started getting the first indication of a large-scale attack. So far we have observed over a dozen domains actively attacking systems with this exploit, and the count is increasing rapidly. After seeing the reliability of this attack, I have no doubt in my mind that within hours the casualties will be in the thousands.


Old Wine In A New Bottle

The recent Adobe Flash 0-day (CVE-2011-2110) is a classic case of an old malware family using a new 0-day as a vector to spread itself. How and why I will explain shortly; first, a little detail about the exploit itself. The exploit targets a vulnerability in the ActionScript Virtual Machine, according to our good friends at Shadowserver. The SWF file takes an "info" parameter, and successful exploitation leads to the download of a zlib-compressed and XOR-encoded binary. The two GET requests in succession would look like this:

[Image: the two GET requests observed for CVE-2011-2110]

The Rise Of Incognito

Have you ever wondered how malware spreads, why there are so many compromised machines out there talking back to their C&Cs? There must be a medium, a vehicle if you will, to get a Zeus, a rogue AV, a Rustock (not anymore :)) or any new malware onto a box. Have you ever wondered what this vehicle could be? If you answered exploits, then your answer is right. Exploits, pay-per-install schemes, and social engineering are the main vectors for getting malware onto a machine. Exploit toolkits are point-and-click tools that use these exploits to make life easy for an attacker. At FireEye Labs, we continuously monitor the latest threats and exploit toolkits. One such toolkit that has come to our attention is the Incognito Toolkit. In 2011 we have noticed a sudden surge in our Incognito detections. This blog attempts to explain why this toolkit is so hard to detect, from the obfuscation techniques it uses to the kind of malware it drops. Though not as widespread as the Blackhole Toolkit, this toolkit looks like it is here to make a mark.

Without further delay, let's get into the finer workings of this toolkit. Let's see what happens once a user clicks on a malicious Incognito link.

The initial GET request fetches a heavily obfuscated HTML page. The initial GET request looks like this:

[Image: the initial Incognito GET request]
