Tuesday, April 27, 2010

/Launch Malicious PDF

Wow - I'm posting!! :)

Today I, and others around the Internet, received an email that stated:
Subject: setting for your mailbox are changed

SMTP and POP3 servers for YOUREMAILADDRHERE mailbox are
changed. Please carefully read the attached instructions
before updating settings.
The email had a PDF attached to it. Given the number of malicious PDFs that have been seen lately, this was likely a bad thing.

Examining the PDF with Didier Stevens's pdfid.py showed that there was an /OpenAction in the PDF but no JavaScript. Interesting. Using pdf-parser.py, the object pointed to by the /OpenAction was examined:


This shows that the /Launch vulnerability/feature of PDFs is being used to drop a VB script and execute it. What is interesting is that the VB script (named script.vbs) parses the original PDF for another VBS to run! A quick look at the PDF finds the other VBS:



(The image above has had code removed for brevity.)
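To show what pdfid.py and pdf-parser.py were flagging, here is an added example of my own (not code from the original post, and not part of Didier Stevens's tools) that walks a PDF's indirect objects, resolves the /OpenAction reference and reports any /Launch action together with its /F file and /P parameters. The PDF bytes are constructed to mirror the structure described above, down to a #xx-escaped name to show why the keyword normalisation matters; they are not the sample from the email. It only looks at plain indirect objects, not object streams or an inline /OpenAction dictionary, which is one more reason to use pdf-parser.py on real samples.

```python
import re

# Constructed sample: a one-page PDF whose catalog /OpenAction points at a
# /Launch action, the same structure the post describes (not the real file).
# "/La#75nch" is "/Launch" with one letter hex-escaped, a common dodge.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Type /Action /S /La#75nch /Win << /F (cmd.exe) /P (/c start script.vbs) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
OPEN_ACTION_REF_RE = re.compile(rb"/OpenAction\s+(\d+)\s+(\d+)\s+R")
NAME_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def unescape_names(data):
    """Resolve #xx escapes so /La#75nch reads as /Launch (pdfid does this too).
    Applied to the whole file for simplicity; a literal '#xx' inside a string
    would also be rewritten, which is harmless for keyword spotting."""
    return NAME_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def parse_objects(pdf):
    """Map object number -> body for every 'n g obj ... endobj' in the file.
    Objects packed into compressed object streams (/ObjStm) are not expanded."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def launch_target(body):
    """Return (file, parameters) if the object is a /Launch action, else None."""
    if not re.search(rb"/S\s*/Launch\b", body):
        return None
    f = re.search(rb"/F\s*\((.*?)\)", body, re.DOTALL)
    p = re.search(rb"/P\s*\((.*?)\)", body, re.DOTALL)
    return (f.group(1).decode("latin-1") if f else "",
            p.group(1).decode("latin-1") if p else "")


def scan(pdf):
    """Summarise the auto-execute surface of a PDF: whether JavaScript is
    present, which object /OpenAction points to, and every /Launch action."""
    pdf = unescape_names(pdf)
    objs = parse_objects(pdf)
    report = {
        "objects": len(objs),
        "has_javascript": bool(re.search(rb"/(JavaScript|JS)\b", pdf)),
        "open_action": None,   # object number referenced by /OpenAction
        "launch": {},          # object number -> (file, parameters)
    }
    m = OPEN_ACTION_REF_RE.search(pdf)
    if m:
        report["open_action"] = int(m.group(1))
    for num, body in objs.items():
        target = launch_target(body)
        if target:
            report["launch"][num] = target
    return report


if __name__ == "__main__":
    r = scan(SAMPLE_PDF)
    print("objects:", r["objects"], "javascript:", r["has_javascript"])
    for num, (f, p) in r["launch"].items():
        auto = " (runs on open via /OpenAction)" if num == r["open_action"] else ""
        print(f"obj {num}: /Launch {f} {p}{auto}")
```

A /Launch action whose object number matches the /OpenAction reference is the case from this email: no JavaScript needed, the reader just has to click through the launch prompt.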

The new VBS (named batscript.vbs) contains an executable broken up into its hex bytes. The script writes each byte out to a file named game.exe and then executes it. After launching game.exe, the script sleeps for 3 seconds and then covers its tracks by deleting game.exe, batscript.vbs and script.vbs.
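Rather than let a dropper like batscript.vbs run to get at the binary, the hex bytes can be pulled straight out of the script. The following is an added example of my own, not the post's code: it rebuilds the dropped file from the hex literals in a VBS-style dropper and sanity-checks the result as a PE (MZ header, e_lfanew at offset 0x3c, PE\0\0 signature) before hashing it. The exact syntax of the real batscript.vbs is not shown here, so the script text and the tiny MZ/PE header it carries are constructed for the example.

```python
import re
import struct
import hashlib

# Constructed stand-in for a dropper like batscript.vbs (not the real script):
# the payload rides along as hex string literals and is written out byte by
# byte. The 68-byte payload is only a minimal DOS header plus a PE signature.
SAMPLE_VBS = r'''
Dim h, i, fso, f
h = "4D5A900003000000" & "04000000FFFF0000"
h = h & "B800000000000000" & "4000000000000000"
h = h & "00000000000000000000000000000000"
h = h & "000000000000000000000000" & "40000000"
h = h & "50450000"
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.CreateTextFile("game.exe", True)
For i = 1 To Len(h) Step 2
    f.Write Chr(CLng("&H" & Mid(h, i, 2)))
Next
f.Close
'''

HEX_LITERAL_RE = re.compile(r'"((?:[0-9A-Fa-f]{2})+)"')   # "4D5A90..." style
VB_HEX_TOKEN_RE = re.compile(r'&H([0-9A-Fa-f]{2})\b')     # Chr(&H4D) style


def extract_payload(script):
    """Rebuild the dropped file from the dropper's text without running it.
    Hex string literals are tried first, then Chr(&Hxx) tokens. Any other
    even-length hex-looking string literal would be swept up too, so always
    check the result with pe_summary() before trusting it."""
    chunks = HEX_LITERAL_RE.findall(script)
    if not chunks:
        chunks = VB_HEX_TOKEN_RE.findall(script)
    return bytes.fromhex("".join(chunks))


def pe_summary(blob):
    """Sanity-check the reconstructed bytes: 'MZ' at offset 0, e_lfanew at
    0x3c, and 'PE\\0\\0' where e_lfanew points. Returns a dict for triage."""
    is_mz = blob[:2] == b"MZ"
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0] if is_mz and len(blob) >= 0x40 else None
    is_pe = e_lfanew is not None and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return {
        "size": len(blob),
        "is_mz": is_mz,
        "e_lfanew": e_lfanew,
        "is_pe": is_pe,
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


if __name__ == "__main__":
    payload = extract_payload(SAMPLE_VBS)
    info = pe_summary(payload)
    print(info)
    # Hand the bytes to a sandbox or hash lookup instead of letting the
    # dropper execute them; e.g. open("game.exe.bin", "wb").write(payload)
```

The sha256 is what you would search for or share; a real payload would of course be far larger than the header-only stub used here.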

game.exe, meanwhile, copies itself to c:\program files\microsoft common\svchost.exe and sets itself up in the registry to run whenever explorer.exe runs.

While I know the /Launch vulnerability has been exploited recently, this is the first I've seen on a mass-email scale (though it isn't the first ever). I'm sure we'll be seeing more of these as time goes on.