Posts Tagged ‘PDF’


A new Adobe 0-day In the Wild – But No Worries, You are Already Protected with Our Secure Web Gateway!

By Anat Davidi  •  December 7th, 2011  •   Vulnerabilities

Yesterday Adobe released an advisory for a vulnerability in Adobe Reader and Adobe Acrobat. The vulnerability, titled ‘U3D Memory Corruption Vulnerability’, was used in a targeted attack and was discovered by Lockheed Martin’s Computer Incident Response Team. This is not the first time a targeted attack has been aimed at the US defense industry.

This attack embeds a maliciously crafted Universal 3D (U3D) stream in a PDF file. It is one of several examples of attacks on streams embedded within PDF files, and represents a growing attack vector: once the reader’s parser is corrupted, exploits can bypass defense mechanisms such as DEP and ASLR (two techniques meant to prevent unauthorized code execution) using known techniques such as JIT spraying.

According to Adobe’s blog post released alongside the advisory, Adobe is planning to release an update for Adobe Reader 9, the version targeted by this vulnerability, “no later than the week of December 12, 2011”. The rest of its supported versions will receive updates as part of their quarterly updates in January 2012.

M86 Secure Web Gateway, version 9.2 and above, provides zero-day protection against this attack, without requiring any further updates. Customers who wish to monitor the attack in their organization may look for attacks that are tagged with the “Adobe Universal 3D streams” block message.

We’re proud that our proactive rules block this new zero-day exploit and we’ll continue to work hard to provide this level of protection to our customers in the future.


Malicious spam campaign: Credit Card Overdue

By Rodel Mendrez  •  June 30th, 2011  •   Spam

We are currently seeing a large scale malicious spam campaign that claims to be a “Credit Card Overdue” notice. The campaign is originating from one of the Cutwail spambot variants. The theme has no specific credit card brand, possibly because the spammer thought a generic template may entice more victims. The spam message claims the credit card holder has an overdue credit card that needs to be settled in 2 days or else a $25 late fee and finance charge will be imposed.

The malicious application is attached in a zip file disguised as a credit card statement. Extracting the zip file reveals a Trojan downloader executable that uses an Adobe PDF icon. When the executable is run it downloads a fake anti-virus executable from the following URL:

http://mysteryforyou1[dot]ru/pusk.exe


The fake AV pops up a fake warning.

Fake AV system utility

Spammers are constantly inventing new social engineering themes in an effort to distribute their malware. Targeting credit card holders, especially in this tough economy, is just another theme in their portfolio. The spammers can change their themes over time, and often just recycle old ones. There is enough in this message to cause most people to be suspicious, especially the fact that your credit card company is unlikely to be emailing you in the first place.  So, as usual, be wary.


Phoenix Exploit Kit (2.7) continues to be updated

By Daniel Chechik  •  June 4th, 2011  •   Cybercrime

A few weeks ago, the Phoenix Exploit Kit 2.5 source code was leaked. At the time it was not really usable, as it required activation by the author of the exploit kit: it contains an activation page that is used to load all the exploits onto the server for each specific customer. As expected, the author of the exploit kit has since released a new version of the tool, version 2.7.

Phoenix Exploit’s Kit 2.7 logo

The changes between the two versions are minor, but still very important, as most exploits become ineffective within a very short time, especially those for the latest IE vulnerabilities.


Your Music Order – a loaded PDF

By Phil Hay  •  March 31st, 2011  •   Spam

We are noticing a spam campaign at the moment that purports to be a Music or Cell Phone “Order”, with an attached PDF file and Subject lines similar to the following:

  • Your Order No 129589 – Warner Music Inc.
  • Your Order No 489889 – Cell Phone Inc.

The attached PDF contains a chunk of obfuscated JavaScript that attempts to exploit the Adobe Reader getIcon vulnerability (CVE-2009-0927). If successful, the following payload is downloaded:

hxxp://kawabungashop.ru/flash/1.php

The 1.php file is an executable downloader (VirusTotal Report). It then downloads and installs a second piece of malware (VirusTotal Report), a spambot that proceeds to send out further copies of the PDF file, as the spam template we captured shows:

These days, PDF files arriving in unexpected emails should be treated with extreme suspicion.  And please be sure to keep your PDF reader meticulously up to date to avoid getting exploited by old vulnerabilities such as this.


Who’s looking for eggs in your PDF?

By Avri Schneider  •  November 18th, 2010  •   Vulnerabilities

At M86 Security Labs, we research various attacks on a daily basis. Some of these attacks originate from malicious PDF files.

One distinctive characteristic of malicious PDF files is a chunk of JavaScript code that performs a heap spray in the reader process: it fills the heap with NOP (No OPeration) instructions (chosen so that the same bytes also form a valid heap memory address), followed by the attacker’s shellcode. The code then triggers a bug in the PDF reader that redirects execution to an arbitrary location on the sprayed heap, where the NOP sled slides into the shellcode.

While investigating the latest PDF 0-day exploit [CVE-2010-4091, Extraexploit, VUPEN, Original Full-Disclosure post] published to the Full-Disclosure mailing list, we noticed something interesting: the shellcode portion of the malicious JavaScript code was very tiny:

Here’s a disassembly view of the shellcode:

What we’re seeing is a known shellcode technique called egghunting. The egghunter itself is very small (and usually free of null bytes); its sole purpose is to search the memory space of the process for the real shellcode, or, in more advanced variants, for several pieces of the real shellcode, which it collects together and then executes.

It is used mainly in attacks where the attacker cannot place a large amount of shellcode at the point where control of execution is gained, but can place controlled data elsewhere in the memory space of the process without knowing its exact address.

Notice how the egghunter shellcode uses int 0x2e to call the nt!NtDisplayString kernel function, passing it a pointer on the stack to the address to check: the edx register points to the user-land stack, while eax holds the System Service Code, an index into the nt!KiServiceTable pointer array that selects the nt!NtDisplayString function. You can read more about “How do windows NT system calls really work?” in this great article.

If the memory address is unmapped in the address space of the process, the kernel’s probe of the pointer fails with an access violation, and the return value in the eax register will be 0xc0000005 (STATUS_ACCESS_VIOLATION).

The egghunter shellcode compares the low byte of eax with 5, which indicates unmapped memory, and advances the address to check on each loop iteration.

Each mapped memory region is searched for the pattern \x90\x50\x90\x58, which disassembles to:

90 – NOP
50 – PUSH EAX
90 – NOP
58 – POP EAX

a ‘non-intrusive’ marker (it behaves like a NOP) indicating the beginning of the real shellcode.

Once found, the egghunter jumps to that address and continues execution from there.

As a side note, this particular sample is not functional: when the vulnerability is triggered by executing the this.printSeps() JavaScript code, the egghunter shellcode is never reached, and the browser simply crashes.

It would nevertheless be interesting to see where egg-hunting exploits decide to place the real shellcode in future PDF attacks.


PDF Reader Upgrade Scam

By Gavin Neale  •  October 20th, 2010  •   Spam

Over the past few days our spam traps have been receiving emails that claim to be from Adobe, notifying the recipient of a software upgrade for Adobe Acrobat Reader. Links in the emails direct the recipient to a different product, PDF 2010, which you have to pay for to download.

We have seen these scam emails with the following subjects:

Action Required : Upgrade Your New PDF Acrobat Reader
Action Required : Download Your New Adobe Acrobat Reader
Action Required :Active Your New Adobe PDF Reader

Scam e-mail message

We have seen the following domains in similar messages:

adobe-software-upgrade . com
adobe-software-2010 . com
adobe-software-download . com
adobe-acrobat-software . com
adobe-acrobat-sofware . com

These domains all redirect to pdf-new-2010-download.com, shown below, which looks nothing like the Adobe Acrobat web page. In fact the scammer is just using Adobe’s brand to attract more customers.


PDF ‘Launch’ Feature Used to Install Zeus

By Gavin Neale  •  April 15th, 2010  •   Spam

Today we began seeing emails, like the one shown below, claiming to be from Royal Mail with an attached PDF file.

This PDF uses a feature of the PDF format known as a Launch action. A Launch action is intended to run an application, or to open or print a document. Recently a security researcher discovered that this feature can also be used to run an executable embedded within the PDF file.

This PDF also contains an attachment (PDFs can have files embedded within them, just like emails), named Royal_Mail_Delivery_Notice.pdf, which is stored compressed inside the PDF file. This attachment is actually an executable file and, if run, will install the Zeus bot. The image below shows part of this attachment within the PDF file; the start of the executable file is shown decompressed, in the red box.

The PDF uses the JavaScript function exportDataObject, shown below, to save a copy of the attachment to the user’s PC.

When this PDF is opened in Adobe Reader with JavaScript enabled, the exportDataObject call causes a dialog box to be displayed asking the user to “Specify a file to extract to”. The default file name is the name of the attachment, Royal_Mail_Delivery_Notice.pdf. This could be somewhat confusing to users who, not really knowing what is happening, may just click Save (it appears as if they are simply saving a PDF file, after all). Users of Foxit PDF Reader get no warning at all, and the attachment is saved to the user’s Documents folder.

Once the exportDataObject call has completed, the Launch action runs. The Launch action executes the Windows command interpreter (cmd.exe) and passes it a command line.

This command line searches for the previously saved Royal_Mail_Delivery_Notice.pdf in some commonly used folders, such as My Documents and Desktop, and then tries to run the file (remember that this is actually the executable). Adobe Reader pops up the box shown below, and the command is only run if the user clicks ‘Open’. The latest version of Foxit Reader (released April 1st) displays a similar warning; older versions go ahead and execute the command without asking.

If this command runs successfully, the Zeus data-stealing bot is installed. Although having the latest versions of Foxit and Adobe Reader will not protect you entirely from this feature, they do offer configuration settings and warnings before any program is launched. In Adobe Reader you can disable the opening of non-PDF attachments using the Trust Manager in the Preferences menu. You can also disable JavaScript in both readers to mitigate the impact of this and many other vulnerabilities.
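The constructs described in these posts (the Launch action and exportDataObject chain here, the getIcon JavaScript in the “Your Music Order” post, and the U3D stream in the Adobe 0-day post) are all visible in the raw object syntax of a PDF, so they can be triaged without a full parser. The following Python scanner is an added example, not M86’s code or any product’s detection logic: it walks “N 0 obj … endobj” blocks with regular expressions, inflates FlateDecode streams with zlib, and reports Launch actions (with the target and parameters), JavaScript that calls the APIs named in these posts, U3D streams, embedded files that start with an MZ header, and automatic actions on open. The sample PDF it builds is constructed inline to mimic the Royal Mail document (the “executable” is a fake MZ/PE header, not malware), and the scanner deliberately ignores xref tables and object streams, so treat it as first-pass triage rather than a complete parser.

```python
"""First-pass triage of suspicious PDF constructs (added example, not M86 code).
Regex over 'N 0 obj ... endobj' blocks; no xref or object-stream support."""
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)
SUSPICIOUS_JS = (b"exportDataObject", b"getIcon", b"printSeps", b"unescape")


def literal_string(body, key):
    """PDF literal string following `key` (e.g. b"/F"), honouring balanced
    parentheses and backslash escapes; None if there is no such string."""
    m = re.search(re.escape(key) + rb"\s*\(", body)
    if not m:
        return None
    i, depth, out = m.end(), 1, bytearray()
    while i < len(body):
        c = body[i:i + 1]
        if c == b"\\":                       # escape: keep the next byte literally
            out += body[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                break
        out += c
        i += 1
    return bytes(out)


def stream_data(body):
    """Stream bytes of an object, inflated when its dictionary says /FlateDecode."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    data = m.group(1)
    if b"/FlateDecode" in body.split(b"stream", 1)[0]:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass                             # corrupt/truncated: report raw bytes
    return data


def scan_pdf(pdf):
    """Return (object number, finding) pairs for the constructs discussed above."""
    findings = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        head = body.split(b"stream", 1)[0]   # dictionary only, no binary stream data
        if b"/OpenAction" in head or b"/AA" in head:
            findings.append((num, "automatic action (/OpenAction or /AA) runs on open"))
        if b"/Launch" in head:
            findings.append((num, "Launch action: target=%r params=%r"
                             % (literal_string(head, b"/F"), literal_string(head, b"/P"))))
        if b"/JavaScript" in head or b"/JS" in head:
            js = literal_string(head, b"/JS") or stream_data(body) or b""
            for api in SUSPICIOUS_JS:
                if api in js:
                    findings.append((num, "JavaScript calls %s" % api.decode()))
        if re.search(rb"/Subtype\s*/U3D\b", head):
            findings.append((num, "U3D stream (3D annotation data)"))
        if re.search(rb"/EmbeddedFile\b", head):
            data = stream_data(body) or b""
            kind = "PE executable" if data.startswith(b"MZ") else "non-PE"
            findings.append((num, "embedded file: %s, %d bytes" % (kind, len(data))))
    return findings


def build_sample_pdf():
    """Constructed PDF mimicking the Royal Mail chain: JavaScript exporting the
    attachment, a Launch action running cmd.exe, a compressed embedded 'executable'
    (fake MZ header, not malware) and a U3D stream."""
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
    exe_stream = zlib.compress(fake_exe)
    js = b"this.exportDataObject({cName:'Royal_Mail_Delivery_Notice.pdf', nLaunch:0});"
    cmd = (b"/c for %d in (\"%HOMEPATH%\\\\Desktop\" \"%HOMEPATH%\\\\My Documents\") "
           b"do start /b %d\\\\Royal_Mail_Delivery_Notice.pdf")
    u3d = b"U3D\x00\x00\x00\x00\x00"
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R "
        b"/Names << /EmbeddedFiles << /Names [(Royal_Mail_Delivery_Notice.pdf) 6 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /Type /Action /S /JavaScript /JS (" + js + b") /Next 5 0 R >>",
        b"<< /Type /Action /S /Launch /Win << /F (cmd.exe) /P (" + cmd + b") >> >>",
        b"<< /Type /Filespec /F (Royal_Mail_Delivery_Notice.pdf) /EF << /F 7 0 R >> >>",
        b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n" % len(exe_stream)
        + exe_stream + b"\nendstream",
        b"<< /Type /3D /Subtype /U3D /Length %d >>\nstream\n" % len(u3d) + u3d + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for n, body in enumerate(objects, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for num, finding in scan_pdf(build_sample_pdf()):
        print("obj %d: %s" % (num, finding))
```

Run against the sample, the scanner reports the /OpenAction in the catalog, the exportDataObject call, the Launch action with cmd.exe and its full command line (the balanced-parenthesis extractor matters here, because the for-loop syntax in the /P string contains parentheses of its own), the inflated embedded file identified as a PE image by its MZ header, and the U3D stream. On a real document the same checks apply to every object, but a mailed PDF that combines an automatic action with any of these constructs is the signal to quarantine first and analyse afterwards.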

MailMarshal users with the Block Executable rule enabled will be protected from PDF attachments with executable attachments. SpamCensor version 431 and KnownThreats version 26 both protect MailMarshal users from PDFs using this Launch action and Executable attachment feature.
