Targeted attacks using malicious PDF files

Published: 2008-04-24
Last Updated: 2008-04-24 18:22:15 UTC
by Maarten Van Horenbeeck (Version: 1)

Dating back to the end of February, we have been tracking test runs of malicious PDF messages to very specific targets. These PDF files exploit the recent vulnerability CVE-2008-0655.

Since the end of March and the beginning of April, the number of samples seen in the wild has increased significantly. Interestingly, there is almost no "public, widespread" exploitation: all reports are limited to very specific, targeted attacks. However, given the wide scope of these attacks and the number of targets we know of, we felt a diary entry was in order.

At this point in time, we are receiving more PDF samples from targeted attack victims per day than any other common file type (DOC, CHM, PPT). The threat agents, or attackers, are the same. They are just moving from other file types towards PDF, but are generally using the same control servers and similar backdoor families.

The files contain:
- an embedded trojan installer;
- a clean PDF file.

Once the file is opened in a vulnerable Acrobat Reader version, the backdoor is installed and the clean PDF file is opened in the user's browser. From the user's perspective, there are two ways the attack can be noticed:

- If the file is opened in a patched Acrobat Reader, an error will be displayed that the file is corrupted;
- If the file is opened in a vulnerable Acrobat Reader, the user will see Acrobat Reader close and immediately reopen the valid PDF document.
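The file structure described above (an action that fires on open, JavaScript, an embedded file, and a clean document appended behind the exploit) is something a defender can triage for without opening the file in a reader. The script below is an added example written for this diary, not code from the original entry; it inflates FlateDecode streams so names hidden in compressed object streams are visible, counts a short list of suspicious PDF names, and flags more than one %%EOF marker. The sample PDF is constructed inline and is not a real malicious file.

```python
import re
import zlib

# Names worth flagging in a PDF of the kind described above: automatic
# actions, JavaScript, launch actions and embedded file streams.
SUSPICIOUS_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS",
                   b"/Launch", b"/EmbeddedFile")

def inflate_streams(data: bytes) -> bytes:
    """Replace each stream body that inflates as zlib (FlateDecode) with its
    plain form, so names inside compressed object streams become visible.
    Bodies that are not zlib data are left untouched."""
    def _inflate(m):
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)
    return re.sub(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", _inflate,
                  data, flags=re.S)

def triage_pdf(data: bytes) -> dict:
    """Count suspicious names in the inflated file and %%EOF markers: more
    than one marker means a second document follows the first, which is what
    an exploit file with a clean PDF appended looks like."""
    expanded = inflate_streams(data)
    hits = {}
    for key in SUSPICIOUS_KEYS:
        # whole-name match only, so /JS does not also count e.g. /JSProbe
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z0-9])", expanded))
        if n:
            hits[key.decode()] = n
    eofs = data.count(b"%%EOF")
    return {"keys": hits, "eof_markers": eofs,
            "suspicious": bool(hits) or eofs > 1}

# Constructed sample, not a real malicious file: the catalog's /OpenAction
# points at a JavaScript action stored inside a FlateDecode object stream, an
# embedded file follows, and a second document is appended after the first %%EOF.
OBJSTM_BODY = b"3 0\n<< /S /JavaScript /JS (app.alert(1)) >>"
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
    b"4 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(OBJSTM_BODY) +
    b"\nendstream\nendobj\n"
    b"5 0 obj << /Type /EmbeddedFile /Length 3 >>\nstream\nabc\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)
```

Calling `triage_pdf(SAMPLE_PDF)` reports the four names plus two %%EOF markers; a plain one-document PDF with none of the names comes back with `suspicious` set to False.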

Heuristic anti-virus detection of these samples is usually very low. Below are detection results for a malicious PDF that had not yet been reported to any AV vendor (vendor, engine version, signature date, and detection name; "-" means not detected). Note that these results vary per file. We are not listing MD5 hashes or file names due to the sheer number of samples we have seen so far.

AhnLab-V3 2008.4.19.0 2008.04.18 -
AntiVir 7.8.0.8 2008.04.18 HTML/Shellcode.Gen
Authentium 4.93.8 2008.04.19 -
Avast 4.8.1169.0 2008.04.19 -
AVG 7.5.0.516 2008.04.19 -
BitDefender 7.2 2008.04.20 Exploit.Shellcode.J
CAT-QuickHeal 9.50 2008.04.19 -
ClamAV 0.92.1 2008.04.20 -
DrWeb 4.44.0.09170 2008.04.19 -
eSafe 7.0.15.0 2008.04.17 -
eTrust-Vet 31.3.5714 2008.04.19 -
Ewido 4.0 2008.04.19 -
F-Prot 4.4.2.54 2008.04.20 -
F-Secure 6.70.13260.0 2008.04.19 -
FileAdvisor 1 2008.04.20 -
Fortinet 3.14.0.0 2008.04.20 -
Ikarus T3.1.1.26.0 2008.04.20 -
Kaspersky 7.0.0.125 2008.04.20 -
McAfee 5277 2008.04.18 -
Microsoft 1.3408 2008.04.20 Exploit:Win32/ShellCode.C
NOD32v2 3041 2008.04.19 -
Norman 5.80.02 2008.04.18 -
Panda 9.0.0.4 2008.04.19 -
Prevx1 V2 2008.04.20 -
Rising 20.40.62.00 2008.04.20 -
Sophos 4.28.0 2008.04.20 Mal/JSShell-B
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.20 -
TheHacker 6.2.92.285 2008.04.19 -
VBA32 3.12.6.4 2008.04.16 -
VirusBuster 4.3.26:9 2008.04.19 -
Webwasher-Gateway 6.6.2 2008.04.18 Script.Shellcode.Gen

The embedded dropper is generally written specifically for the occasion (same column layout as above):

AhnLab-V3 2008.4.19.0 2008.04.18 -
AntiVir 7.8.0.8 2008.04.18 HEUR/Malware
Authentium 4.93.8 2008.04.19 -
Avast 4.8.1169.0 2008.04.19 -
AVG 7.5.0.516 2008.04.19 -
BitDefender 7.2 2008.04.20 -
CAT-QuickHeal 9.50 2008.04.19 -
ClamAV 0.92.1 2008.04.20 -
DrWeb 4.44.0.09170 2008.04.19 -
eSafe 7.0.15.0 2008.04.17 -
eTrust-Vet 31.3.5714 2008.04.19 -
Ewido 4.0 2008.04.19 -
F-Prot 4.4.2.54 2008.04.20 -
F-Secure 6.70.13260.0 2008.04.19 Trojan-Spy.Win32.Agent.bzq
FileAdvisor 1 2008.04.20 -
Fortinet 3.14.0.0 2008.04.20 -
Ikarus T3.1.1.26 2008.04.20 -
Kaspersky 7.0.0.125 2008.04.20 Trojan-Spy.Win32.Agent.bzq
McAfee 5277 2008.04.18 -
Microsoft 1.3408 2008.04.20 -
NOD32v2 3041 2008.04.19 -
Norman 5.80.02 2008.04.18 W32/Agent.FEOU
Panda 9.0.0.4 2008.04.19 -
Prevx1 V2 2008.04.20 -
Rising 20.40.62.00 2008.04.20 -
Sophos 4.28.0 2008.04.20 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.20 -
TheHacker 6.2.92.285 2008.04.19 -
VBA32 3.12.6.4 2008.04.16 -
VirusBuster 4.3.26:9 2008.04.19 -
Webwasher-Gateway 6.6.2 2008.04.18 Heuristic.Malware

Acrobat Reader is proving to be an interesting target because users are not inclined to upgrade it manually. The file format is relatively stable, so users of Acrobat Reader 7 may not feel any need to upgrade.

As such, we strongly recommend that you:

- Ensure your Acrobat Reader installations have been upgraded to version 8.1.2;
- Disable Javascript parsing through Edit>Preferences>Javascript, by disabling the 'Enable Acrobat JavaScript' option.

Naturally, we greatly appreciate any additional information you can provide on attacks you feel may be related to this exploit. Additional samples especially are always welcome.

Cheers,
Maarten
