Google, spammers and a malicious PDF
Posted: June 12th, 2010 | Author: Matt | Filed under: InfoSec, Research | Tags: google, pdf, Research, security | 2 Comments »How it all began.
Today I was trawling through my Gmail spam folder like a good little mail monkey when I came across a rather strange bit of spam. Usually you just get rubbish about making your manhood the size of a small country or the latest twitter/gmail support/facebook AV malware. Most of the time I just ignore the messages due to them being very boring and not really worth a coffee and a few hours in Terminal…
Today’s message was a little different. It was a very simple email with the subject line “New Resume” and one line in the body of the email saying “Please review my CV, Thank You!“. So, seeing as I have NO idea who the sender was and that there are no issues with the PDF format that I know of, I saved the PDF document to my desktop as I had a virtual machine I just knew the PDF would love immediately.
For what it’s worth, the email originated out of Korea / 121.50.250.98
Red Flag Number One
(As if a PDF document from an unknown person on your spam folder isn’t enough)
Before that though I fired up pdfid.py from @DidierStevens which told me there were two “OpenAction” items in the document (these turned out to be the Launch action type). So we know there are at least two possible malicious elements to this document. Next I fired up Vim (because I’m a die hard vim fan and would use it as a vehicle to get to the moon if I could). A quick scan of the document came up with a number of things I’d like to look into later:
- /URI(mailto:a@foo.be)
- /URI(http://www.foo.be/)
Note: I thought these first two items were just random noise that the attacker had placed into the document to make it look more legitimate, but as it turns out the document is actually a valid resume of Alexandre Dulaunoy (adulau). There were a couple of other references to Alexandre, I picked up on this one after parsing the document with pdf-parser.py
As it turns out, spammers had picked up his CV through a Google search and simply added the nasty payload to it. Kudos to Alexandre for putting up a message on his home page about the problem shortly after the problem started.
HUGE Red Flag Number Two
Object 81 (pdf-parser.py -f -o 81)
The Launch action type which runs “cmd.exe” with a bunch of VBS scripts should be more than enough evidence that this PDF is out to hurt someone…
Launch Action type
So clearly we have a malicious PDF document that’s using the Launch action to get the payload onto the machine and executed. Didier Stvens wrote Escape From PDF back in March and it’s already been used in the latest iterations of the Zeus bot. It seems someone has picked up on this and is using it in this PDF. What this does is it relies on the user to allow the execution of the Launch (cmd.exe) through a prompt that comes up when you open the PDF document. The attacker has “obfuscated” the output a little as can be seen here:
When the user clicks Open, the Launch action fires off cmd.exe which will then interpret the embedded VBScript files and drop the malicious payloads onto the machine. More on that later..
The funny thing to note here is that if you simply click “Do not open” the malicious code doesn’t execute. That is of course if the user hasn’t checked the box that says “Do not show this message again”…
You can even scroll up on this message window and see all the good stuff going on yourself:
Still, we can’t expect the user to be so savvy as to scroll the scroll button and do a little reading now can we ?
Virtual Machine Abuse.
So we have a PDF document that has malicious content. What do we do now ?
We fire up Vmware with a fairly unpatched version of Windows XP. I ran this PDF through Adobe Reader 8.2 and Foxit Reader 3.2. Foxit didn’t do anything as they have patched against the Launch action type.
Adobe was a slightly different story. While Adobe did prompt me as can be seen in the screenshots above, let’s pretend for a second that I am a normal user and I don’t read dialogs at all. I clicked Open or that I had seen this dialog previously and had checked the little box that says “Do not show this message again”…
Clicking “Open” triggered the Launch action type and dropped vbs1.vbs onto my desktop (I believe this is because the PDF was originally on my desktop). You’ll remember that the vbs1.vbs script was included in the PDF document. Here’s what vbs1.vbs looks like:
I haven’t had much chance to skill up on VBScript yet, but I believe the vbs1.vbs script creates a new file vbs2.vbs from the contents of the PDF document. I will confirm this once I’ve has some time to dig through both scripts a little more. It’s interesting to note that the second VBS file does look like it’s been obfuscated slightly. Either that or it’s just the way the file type is represented. If you have any input on this, please let me know…here’s a portion of vbs2.vbs:
Once the two VBScript files had run, an EXE was dropped onto the desktop which was then executed. I believe this EXE to be included in the PDF document as the output from tcpdump doesn’t show any traffic going out to the Internet to fetch anything. This was the malicious payload. A quick scan with Virus Total shows the executable to be Alureon or something similar. Quite a nasty trojan / DNS changer…I’ve chatted to Alexandre after the incident and he believes the dropper may be pulling different malware down each time it runs. I will probably test this over the weekend if I can find the time and bandwidth to do so.
After the bomb dropped.
So we now have a compromised machine with a trojan executable being run on the machine. I didn’t leave it to run for all that long as it’s probably not a wise thing to do. All of this through a PDF document that was opened on a Windows machine running a fairly old copy of Adobe Reader.
It’s interesting to note that the PDF document only had a detection rate of 31% on Virus Total and a fairly common trojan was used as the payload (80% detection rate on VT). Why not use something a little simpler/quieter/APTier (sorry, I used APT) ? I could be very wrong on this one. Perhaps the dropper does pull down different malware depending on what type of machine it’s run from.
When dealing with PDF documents you HAVE to have two tools by Didier Stevens. pdfid.py to identify the document and it’s contents and pdf-parser.py to do the actual analysis. I also use vim to do a quick scan through the raw PDF.
On the Windows side, I used CaptureBAT to monitor file and registry changes. This just confirmed that cmd.exe was executing and creating the vbs1 and vbs2 files on the local machine.
I also copied the VBScript files and executable off the machine for later analysis. Thankfully AV was triggered during analysis (Microsoft Security Essentials) so we know it works (kind of). But then again, it triggered a little too late if you ask me.
I’m sure there’s a lesson to be learned somewhere in here but I am more concerned with having a cold beer at this point in time.
Thanks to the following people:
Gmail / Alexandre Dulaunoy / Didier Stevens / Mikko hypponen / Barry Irwin
MD5sums:
PDF Document: cff871a36828866de1f42574be016bb8
vbs1.vbs: 7897e6b5f2443d254a5890a28ef88079
vbs2.vbs: 25c926b0ac7285c627a3988f0a8e49d9
exe.exe: 069d17b209ebd4bb0f63365089154dc2
