http://blog.commtouch.com/cafe/malware/complex-pdf-hides-malware-inside-xfa-which-is-inside-png-%E2%80%93-not-an-image/
Complex PDF hides malware inside XFA which is inside PNG - not an image
April 6th, 2011 by Lordian Mosuela <http://blog.commtouch.com/cafe/author/lordian/> | Category: Antivirus <http://blog.commtouch.com/cafe/category/antivirus/>, malware <http://blog.commtouch.com/cafe/category/malware/>

We recently received an email supposedly from Puremobile - a supplier of unlocked cellphones. Similar emails were also received with "order info" from Bobijou (a costume jewelry designer). The "order confirmation" included a PDF file as shown below.

[Image: <http://blog.commtouch.com/cafe/wp-content/uploads/Complex-pdf-fake-email-from-puremobile.jpg>]

Our initial analysis of the file found no JavaScript. No JavaScript? This was unexpected, since most PDF malware includes JavaScript. The only strange stream data that could possibly hide the exploit was the embedded PNG-encoded data. PNG is usually used for image encoding - normally the decoding process would reveal an image - but not in this case.

We used a decompression tool to decode the PNG data and found an XFA <http://en.wikipedia.org/wiki/XFA> form. XFA forms allow electronic form management using PDFs. This XFA form, however, included obfuscated JavaScript (see image below).

[Image: <http://blog.commtouch.com/cafe/wp-content/uploads/Complex-pdf-unencoded-PNG.jpg>]

Executing the script found above exploits the CVE-2010-0188 vulnerability <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188> (libTIFF overflow). We detect this malware as "PDF/Obfusc.Q!Camelot". Once installed, the code downloads and executes other malware. Since this is a known exploit, the latest versions of Adobe Reader include protection against it.
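The decoding step described above (inflate the stream, then undo the PNG-style prediction that makes the data look like image noise, then look for the XFA form and its script) as an added example written for this post, not Commtouch's own tool. It assumes the "PNG encoded" stream is a standard PDF FlateDecode stream declaring /Predictor >= 10 (PNG row filters), which is the PDF mechanism such streams normally use; the XFA fragment, the function names `scan_pdf` / `png_predictor_decode` and the sample PDF are constructed here, not taken from the real file.

```python
import re
import zlib

# Constructed stand-in for the decoded XFA form (not the real sample): an XDP
# template that carries a JavaScript block, as the post found after decoding.
XFA_SAMPLE = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template><script contentType='
              b'"application/x-javascript">var s=unescape("%u9090");</script></template></xdp:xdp>')
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\nendstream", re.S)
INDICATORS = {b"xdp:xdp": "xfa-form", b"x-javascript": "xfa-javascript",
              b"unescape(": "unescape-idiom"}

def paeth(a, b, c):  # PNG Paeth predictor (filter type 4), ties resolved as in the PNG spec
    p = a + b - c
    return min((abs(p - a), 0, a), (abs(p - b), 1, b), (abs(p - c), 2, c))[2]

def png_predictor_decode(data, columns):
    """Undo PNG row filters (PDF /Predictor >= 10, one byte per sample); tools that only inflate see noise."""
    out, prev, rowlen = bytearray(), bytearray(columns), columns + 1
    for i in range(0, len(data), rowlen):  # each row: filter-type byte + `columns` bytes
        ftype, row = data[i], bytearray(data[i + 1:i + rowlen])
        for j in range(len(row)):
            left, up, ul = (row[j - 1] if j else 0), prev[j], (prev[j - 1] if j else 0)
            pred = {1: left, 2: up, 3: (left + up) // 2, 4: paeth(left, up, ul)}.get(ftype, 0)
            row[j] = (row[j] + pred) & 0xFF
        out += row
        prev = row
    return bytes(out)

def scan_pdf(pdf):
    """Inflate each FlateDecode stream, undo declared PNG prediction, report indicators found."""
    hits = set()
    for params, raw in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in params:
            data = zlib.decompressobj().decompress(raw)  # tolerates a trailing CR/LF
            pred = re.search(rb"/Predictor\s+(\d+)", params)
            if pred and int(pred.group(1)) >= 10:
                cols = re.search(rb"/Columns\s+(\d+)", params)
                data = png_predictor_decode(data, int(cols.group(1)) if cols else 1)
            hits.update(tag for marker, tag in INDICATORS.items() if marker in data)
    return sorted(hits)

def build_sample_pdf(columns=64):
    """Constructed PDF fragment: one FlateDecode stream declaring PNG 'Up' prediction."""
    rows = [XFA_SAMPLE[i:i + columns].ljust(columns, b"\0") for i in range(0, len(XFA_SAMPLE), columns)]
    filtered = b"".join(b"\x02" + bytes((r - p) & 0xFF for r, p in zip(row, prev))
                        for prev, row in zip([bytes(columns)] + rows, rows))
    body = zlib.compress(filtered)
    head = (b"%%PDF-1.6\n1 0 obj\n<< /Length %d /Filter /FlateDecode /DecodeParms "
            b"<< /Predictor 12 /Columns %d >> >>\nstream\n" % (len(body), columns))
    return head + body + b"\nendstream\nendobj\n"
```

Running `scan_pdf(build_sample_pdf())` reports the XFA form, its JavaScript block and the unescape idiom; inflating the same stream without the predictor step finds none of them.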
To summarize: PDF file - PNG image - not a PNG image - decodes to reveal an XFA form - includes JavaScript - JavaScript exploits vulnerability - etc. If you opened this file your reader would crash and execute the malware. When opened with an updated reader, or a reader with JavaScript disabled, we see the following (uninteresting) file:

[Image: <http://blog.commtouch.com/cafe/wp-content/uploads/Complex-pdf-boring-file.jpg>]

Protecting against PDF malware

We recommend downloading the latest version of Adobe Reader <http://get.adobe.com/reader/> to protect your system from this threat. The risk from this exploit can be reduced by disabling the JavaScript feature in Adobe Reader. This is done as follows:

1. In Reader select Edit -> Preferences
2. Select the JavaScript category
3. Uncheck the "Enable Acrobat JavaScript" option
4. Click OK.

[Image: <http://blog.commtouch.com/cafe/wp-content/uploads/Protecting-against-PDF-Javascript-malware.jpg>]

Brooks Isoldi, editor
http://www.intellnet.org
