
We have seen the Internet Storm Center posts part 1, part 2 and part 3 providing us details on the Acrobat Reader exploitation of this last week. The payload is a JavaScript object embedded in the PDF document. After de-obfuscation, the exploit code looks like:

var nm = 12;
for(i = 0; i < 18; i++){ nm = nm + "9"; }
for(i = 0; i < 276; i++){ nm = nm + "8"; }
util.printf(unescape(""+"%"+"25%34%35%30%30%30%66"), nm);

This was enough to fool a lot of Antivirus vendors. Detection got a little better after a few days, but then the attackers updated the attack once again, resulting in 0% detection by AV scanners (source: ISC).
You are advised to update Acrobat Reader ASAP. The following policy file can help you mitigate the vulnerability in case you can't patch right away (kudos to ISC reader Elazar).

Security researcher Didier Stevens analyzed the malicious PDFs and looked at them through the eyes of the malware writers in Shoulder Surfing a Malicious PDF Author. A must read.
CLASS USER
CATEGORY "Adobe Acrobat/Reader 6.x - 8.x"
POLICY "JavaScript Reader 8.x"
KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
POLICY "JavaScript Acrobat 8.x"
KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat 8.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
POLICY "JavaScript Reader 7.x"
KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 7.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
POLICY "JavaScript Acrobat 7.x"
KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat 7.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
POLICY "JavaScript Reader 6.x"
KEYNAME "Software\Adobe\Acrobat Reader\6.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 6.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
POLICY "JavaScript Acrobat 6.x"
KEYNAME "Software\Adobe\Adobe Acrobat\6.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat 6.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY
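To see what the template actually does on a workstation, here is a small Python parser, added to this post as an illustration (it is not part of the ISC template or of Adobe's tooling), that reads the ADM text above and renders the registry writes its "disabled" state performs as a .reg file. The two POLICY blocks embedded below are a constructed subset of the six in the template, and the hive mapping for CLASS USER / CLASS MACHINE is the standard Group Policy one:

```python
"""Turn the ADM template above into the registry writes its "disabled" state
performs. Added example, not part of the post or of the Adobe/ISC template."""
import re

HIVES = {'USER': 'HKEY_CURRENT_USER', 'MACHINE': 'HKEY_LOCAL_MACHINE'}

# Constructed: two of the six POLICY blocks from the template are enough to
# exercise the parser; feed it the full file in practice.
ADM_TEMPLATE = r'''
CLASS USER
CATEGORY "Adobe Acrobat/Reader 6.x - 8.x"
POLICY "JavaScript Reader 8.x"
KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
POLICY "JavaScript Acrobat 8.x"
KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat 8.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY
'''


def parse_adm(text):
    """Return one dict per POLICY block: class, name, key, value, valueon, valueoff."""
    policies, klass, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        keyword, _, rest = line.partition(' ')
        keyword, rest = keyword.upper(), rest.strip()
        if keyword == 'CLASS':
            klass = rest.upper()
        elif keyword == 'POLICY':
            current = {'class': klass, 'name': rest.strip('"')}
        elif keyword == 'END' and rest.upper() == 'POLICY':
            # A policy without these four fields cannot be applied; fail loudly.
            for field in ('key', 'value', 'valueon', 'valueoff'):
                if field not in current:
                    raise ValueError('policy %r lacks %s' % (current['name'], field.upper()))
            policies.append(current)
            current = None
        elif current is not None:
            if keyword == 'KEYNAME':
                current['key'] = rest.strip('"')
            elif keyword == 'VALUENAME':
                current['value'] = rest.strip('"')
            elif keyword in ('VALUEON', 'VALUEOFF'):
                m = re.fullmatch(r'NUMERIC\s+(\d+)', rest)
                if not m:
                    raise ValueError('only NUMERIC values are handled: %r' % line)
                current[keyword.lower()] = int(m.group(1))
            # EXPLAIN text is documentation only and is ignored here.
    return policies


def reg_export(policies, state='valueoff'):
    """Render the policies as a .reg file applying their ON or OFF value."""
    lines = ['Windows Registry Editor Version 5.00', '']
    for p in policies:
        lines.append('[%s\\%s]' % (HIVES[p['class']], p['key']))
        lines.append('"%s"=dword:%08x' % (p['value'], p[state]))
        lines.append('')
    return '\r\n'.join(lines)


if __name__ == '__main__':
    print(reg_export(parse_adm(ADM_TEMPLATE)))
```

One caveat worth knowing before rolling this out: the KEYNAME paths sit under the application's own preference keys rather than under Software\Policies, so Group Policy treats them as preferences (the value is written once and not enforced), and a user can switch JavaScript back on from Reader's own preferences dialog. It buys time until the patch is deployed, nothing more.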
Besides the tool mentioned in Didier's article, I spotted another one in the following post from Arbor Networks (PDF Exploit - In the wild, and how to decode).
The ISS blog also has a video demonstrating how an actual exploitation works by opening a proof of concept malicious PDF, just to give you a visual example of how the exploit works.

I had a look at the malicious PDF file using the techniques in this description of using pdftk to analyze malicious PDF files. The pdftk toolkit is very handy, and well worth the investment in learning (free software). What you do is the following:
- Extract the interesting bits using pdftk:
$ pdftk input.pdf output output.pdf uncompress
This will make the JS visible in the output file.
- Cut and paste the JS specific region into a file and then analyze it with spidermonkey.
- Analyze the decoded exploit, it’s not unescaped
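Once pdftk has uncompressed the file, the JavaScript is plain text, so it can be triaged without ever running it in spidermonkey. The script below is an added example (not from the post, ISC or Didier's tooling): it pulls every /JS action out of the uncompressed PDF, whether given inline as a literal string or as a reference to a stream object, recovers the format string handed to util.printf when it is assembled from unescape() over string literals exactly as in the sample above, and flags any float conversion with an unusually large width. The sample PDF is constructed for the example, the 1024 width threshold is an assumption, and the stream handling ignores /Length, which a production parser should honour:

```python
"""Triage an uncompressed PDF for util.printf format-string abuse.
Added example (not from the post); run it on the output of
`pdftk input.pdf output output.pdf uncompress`."""
import re
from urllib.parse import unquote

# Assumption: no legitimate form script pads a float conversion this wide.
SUSPICIOUS_WIDTH = 1024

# Constructed sample: a minimal uncompressed PDF whose OpenAction runs the
# de-obfuscated script from the post, delivered as a stream referenced by /JS.
SAMPLE_PDF = b'''%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /JavaScript /JS 4 0 R >> endobj
4 0 obj << /Length 0 >>
stream
var nm = 12;
for(i = 0; i < 18; i++){ nm = nm + "9"; }
for(i = 0; i < 276; i++){ nm = nm + "8"; }
util.printf(unescape(""+"%"+"25%34%35%30%30%30%66"), nm);
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
'''

OBJ_RE = re.compile(rb'(\d+)\s+(\d+)\s+obj\b(.*?)endobj', re.S)
STREAM_RE = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.S)  # ignores /Length
JS_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
PRINTF_UNESCAPE = re.compile(r'util\.printf\s*\(\s*unescape\s*\(((?:[^()]|\([^()]*\))*)\)')
FLOAT_CONV = re.compile(r'%(\d+)(?:\.\d+)?[fFeEgG]')


def read_literal(buf, start):
    """Return the text of the PDF literal string whose '(' sits at buf[start]."""
    depth, i, out = 0, start, bytearray()
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b'\\':                      # backslash escape: keep next byte verbatim
            out += buf[i + 1:i + 2]
            i += 2
            continue
        if c == b'(':
            depth += 1
            if depth == 1:
                i += 1
                continue
        elif c == b')':
            depth -= 1
            if depth == 0:
                return out.decode('latin-1')
        out += c
        i += 1
    raise ValueError('unterminated PDF literal string')


def extract_js(pdf):
    """Collect JavaScript from /JS (literal) entries and /JS n g R stream references."""
    objects = {(int(n), int(g)): body for n, g, body in OBJ_RE.findall(pdf)}
    scripts = []
    for m in re.finditer(rb'/JS\s*', pdf):
        rest = pdf[m.end():]
        if rest.startswith(b'('):
            scripts.append(read_literal(pdf, m.end()))
            continue
        ref = re.match(rb'(\d+)\s+(\d+)\s+R', rest)
        if ref:
            body = objects.get((int(ref.group(1)), int(ref.group(2))), b'')
            sm = STREAM_RE.search(body)
            if sm:
                scripts.append(sm.group(1).decode('latin-1'))
    return scripts


def printf_format_strings(js):
    """Recover util.printf format strings built as unescape("lit" + "lit" + ...).

    unescape() decodes one layer of %XX, which is why the sample's
    "%25%34%35%30%30%30%66" turns into "%45000f"."""
    formats = []
    for m in PRINTF_UNESCAPE.finditer(js):
        parts = [a or b for a, b in JS_LITERAL.findall(m.group(1))]
        formats.append(unquote(''.join(parts)))
    return formats


def scan(pdf):
    """Return one finding per float conversion whose width reaches the threshold."""
    findings = []
    for js in extract_js(pdf):
        for fmt in printf_format_strings(js):
            for width in FLOAT_CONV.findall(fmt):
                if int(width) >= SUSPICIOUS_WIDTH:
                    findings.append({'width': int(width), 'format': fmt})
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_PDF):
        print('suspicious util.printf format %r (width %d)' % (f['format'], f['width']))
```

The format-string recovery only follows the one construction seen in this campaign (string literals concatenated inside unescape); a variant that builds the argument from variables or array joins would still be caught by the first step, the presence of a /JS action with util.printf and percent-encoded literals, but the width check would then need spidermonkey to evaluate the expression.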
Bonus 2: An example of a pdf malware campaign with sites pretending to be Federal Reserve Sites (Trendmicro blog)
(Photo under creative commons from xq311z's photostream)