Didier Stevens

Monday 10 November 2008

Shoulder Surfing a Malicious PDF Author

Filed under: Forensics,Malware,PDF — Didier Stevens @ 21:32

Ever since I read about the incremental updates feature of the PDF file format, I’ve been patiently waiting for a malicious PDF document with incremental updates to come my way. Thanks to Bojan, that day has finally arrived.

The 2 malicious PDF documents I received (data.pdf and info.pdf) both exploit the same Acrobat JavaScript util.printf vulnerability.

data.pdf is very interesting to me: it’s one PDF file containing 5 incremental updates, essentially bringing us an archeological record of the malware author’s trial-and-error session. So let’s start uncovering what the malware writer has been up to.

Listing the elements inside data.pdf with my PDF parser shows many xref tables and startxref keywords. Each incremental update appends its own changed objects, a new xref table, a trailer and a startxref to the end of the file, so they pile up:

(screenshot 20081110-202238: PDF parser output listing the xref and startxref entries in data.pdf)

The metadata of data.pdf (producer and creation/modification dates) reveals that the guy (from personal experience, I know that most bad programmers are males ;-) ) used Adobe Acrobat 8.1.0 to create this document in the early hours of Thursday November 6th 2008, and that his machine has its timezone set to +01:00.

Judging by the creation and modification timestamps, it took 52 minutes and 32 seconds to create the first version of data.pdf. This version already contains everything needed to execute a JavaScript script when the document is opened, but the script itself is empty.

44 seconds later, a second version is created, containing this script:

(screenshot 20081110-185852: the script contained in the second version)

This script performs a heap spray (the most indented section of function main) of the shellcode contained in variable sccs and then triggers the util.printf format string bug. The exploit lives in function main, which is meant to be fired by app.setTimeOut after 3 seconds. However, the way this script calls setTimeOut is buggy (Adobe's JavaScript API Reference specifies app.setTimeOut(cExpr, nMilliseconds): a string expression to evaluate and a delay in milliseconds), and main() will never execute.

44 seconds later, another version is created in an attempt to get the exploit to work. He modified the call to setTimeOut like this:

(screenshot 20081110-185933: the modified setTimeOut call in the third version)

This is completely wrong, so after 4 minutes and 12 seconds (probably spent Googling for an answer as to why this doesn't work), he returns to the previous call, but now hopes that 5 seconds will do better than 3 seconds:

(screenshot 20081110-190004: the setTimeOut call with a 5 second delay in the fourth version)

Of course, it doesn't. After a minute and a half, he gives up and modifies the script to execute his exploit without any delay:

(screenshot 20081110-190045: the final script in the fifth version, calling the exploit directly)

I can’t say he’s a sharp programmer or tenacious, but at least, he’s result-driven…

Let’s turn our attention to the second malicious PDF (info.pdf) I received. This file contains no incremental updates, but it’s still interesting because it has the same origin as data.pdf. It was created at exactly the same time, and carries the same identification in its trailer (/ID[<DD95D438BE408D4FB12AC2FE7ED5E6C6><14FA8F4917ED8449B59BF6CFA41C39BD>]) as data.pdf. Most PDF applications add a unique /ID pair to the trailer dictionary of every PDF document they create. info.pdf was saved about 37 hours later, and contains the same exploit script as data.pdf, but with an extra layer of JavaScript obfuscation.

Bojan confirmed he was the first to submit these files to VirusTotal. I calculated the MD5 hashes of the different versions of data.pdf (each version being the file as it existed up to a given %%EOF), but none of them had been submitted to VT, so our guy didn’t use VT for QA.
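The two techniques used above, splitting a PDF with incremental updates into its successive saved versions (and hashing each version as it existed at save time) and reading the /ModDate and /ID out of each version's trailer and Info dictionary, can be reproduced with a few dozen lines of Python. The example below is added here and is not the post's own PDF parser nor code from the author: it first builds a small constructed PDF with an original section and two incremental updates (harmless placeholder scripts, ModDates 44 seconds apart, and the /ID pair quoted in this post reused as a constant), then walks the saved states. It assumes the classic layout with plain xref tables and a `trailer` keyword; files that use cross-reference streams instead would need a different trailer parser, and the date parser expects an explicit +HH'mm' offset. All function and constant names are this example's own.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone

# The trailer /ID pair quoted in the post, reused as a constant for the
# constructed sample file below (which is not data.pdf).
ID_PAIR = (b"DD95D438BE408D4FB12AC2FE7ED5E6C6", b"14FA8F4917ED8449B59BF6CFA41C39BD")
# Constructed: three saves 44 seconds apart, machine in UTC+01:00, first script empty.
SAMPLE_MODDATES = [b"D:20081106025232+01'00'", b"D:20081106025316+01'00'",
                   b"D:20081106025400+01'00'"]
SAMPLE_SCRIPTS = [b"", b"this.v = 2;", b"this.v = 3;"]  # harmless placeholders


def build_sample_pdf():
    """Original section plus two incremental updates. Each update appends only a
    replacement object 3 (OpenAction JavaScript) and object 4 (Info dictionary),
    an xref table covering them, and a trailer whose /Prev links to the previous xref."""
    out = bytearray(b"%PDF-1.4\n")

    def add(offsets, num, body):
        offsets[num] = len(out)
        out.extend(b"%d 0 obj\n%s\nendobj\n" % (num, body))

    prev_xref = None
    for n, (js, moddate) in enumerate(zip(SAMPLE_SCRIPTS, SAMPLE_MODDATES)):
        offsets = {}
        if n == 0:  # catalog and page tree are written once, in the original section
            add(offsets, 1, b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>")
            add(offsets, 2, b"<< /Type /Pages /Kids [] /Count 0 >>")
        add(offsets, 3, b"<< /S /JavaScript /JS (%s) >>" % js)
        add(offsets, 4, b"<< /Producer (constructed) /CreationDate (%s) /ModDate (%s) >>"
            % (SAMPLE_MODDATES[0], moddate))
        xref_pos = len(out)
        out.extend(b"xref\n" + (b"0 1\n0000000000 65535 f \n" if n == 0 else b""))
        for num in sorted(offsets):
            out.extend(b"%d 1\n%010d 00000 n \n" % (num, offsets[num]))
        trailer = b"<< /Size 5 /Root 1 0 R /Info 4 0 R /ID [<%s><%s>]" % ID_PAIR
        if prev_xref is not None:
            trailer += b" /Prev %d" % prev_xref
        out.extend(b"trailer\n" + trailer + b" >>\nstartxref\n%d\n%%%%EOF\n" % xref_pos)
        prev_xref = xref_pos
    return bytes(out)


PDF_DATE_RE = re.compile(rb"D:(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})([+-])(\d{2})'(\d{2})")


def parse_pdf_date(raw):
    """D:YYYYMMDDHHmmSS+HH'mm' -> aware datetime (explicit offset assumed, no 'Z' form)."""
    m = PDF_DATE_RE.match(raw)
    y, mo, d, h, mi, s = (int(x) for x in m.groups()[:6])
    off = timedelta(hours=int(m.group(8)), minutes=int(m.group(9)))
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone(-off if m.group(7) == b"-" else off))


def split_versions(data):
    """Every %%EOF closes a saved state; the prefix up to it is the file as it was then."""
    versions, pos = [], 0
    while (i := data.find(b"%%EOF", pos)) >= 0:
        end = i + len(b"%%EOF")
        while data[end:end + 1] in (b"\r", b"\n"):
            end += 1
        versions.append(data[:end])
        pos = end
    return versions


def describe_version(prefix):
    """Hash one saved state and read its last trailer, newest Info and newest /JS."""
    trailer = re.findall(rb"trailer\s*<<(.*?)>>\s*startxref", prefix, re.S)[-1]
    ids = re.search(rb"/ID\s*\[\s*<([0-9A-Fa-f]+)>\s*<([0-9A-Fa-f]+)>\s*\]", trailer)
    info_num = int(re.search(rb"/Info\s+(\d+)\s+\d+\s+R", trailer).group(1))
    # Updates append, so the newest definition of an object is the last one present.
    info = re.findall(rb"(?m)^%d\s+0\s+obj\s*(.*?)endobj" % info_num, prefix, re.S)[-1]
    return {
        "md5": hashlib.md5(prefix).hexdigest().upper(),
        "xref_tables": len(re.findall(rb"(?m)^xref\b", prefix)),
        "startxref": prefix.count(b"startxref"),
        "id": tuple(x.decode() for x in ids.groups()),
        "moddate": parse_pdf_date(re.search(rb"/ModDate\s*\((D:[^)]*)\)", info).group(1)),
        "js": re.findall(rb"/JS\s*\(([^)]*)\)", prefix)[-1].decode(),
    }


def analyze(data):
    """One record per saved version, plus the seconds elapsed between consecutive saves."""
    versions = [describe_version(p) for p in split_versions(data)]
    for cur, prev in zip(versions[1:], versions):
        cur["seconds_since_previous"] = (cur["moddate"] - prev["moddate"]).total_seconds()
    return versions


def same_id(pdf_a, pdf_b):
    """Files from one origin share the trailer /ID pair (the spec keeps the first
    element permanent; the second is meant to change on each save)."""
    return describe_version(pdf_a)["id"] == describe_version(pdf_b)["id"]
```

Running analyze(build_sample_pdf()) yields three records with 1, 2 and 3 xref tables respectively, three distinct MD5 values (one per saved state, which is what you would look up on VirusTotal), the same /ID pair in every version, an empty script in the first version, and 44.0 seconds between consecutive saves. On a real file the version prefixes are what you hash; the last one is the whole file.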

It was an interesting experience, “spying” on this malware author. Let’s hope they don’t stop using incremental updates, and that some of them will be careless enough to leave personal data hidden in their malicious PDF documents.

data.pdf MD5 1A8E5242F21727959683FA8CC7AA94AD

info.pdf MD5 23F31C83EE658BB5C2635BEFDE56199A

28 Comments »

  1. [...]  Shoulder Surfing a Malicious PDF Author (AN ABSOLUTE MUST READ) [...]

    Pingback by The Security Catalyst » (SCC) Catalyst Community Update for November 12, 2008 — Tuesday 11 November 2008 @ 15:58

  2. Good job !

    Comment by Dan — Tuesday 11 November 2008 @ 22:08

  3. [...] bash ever! Ask HN: How Much Can I Scrape? Ultimate Snowboarding Cool Scenes from Antarctica (PICS) shoulder-surfing-a-malicious-pdf-author 60 Minutes Catches American Tech Trash Firm Red-Handed A.I.G tries to hide their stay at a Luxury [...]

    Pingback by [root@EGA]# » Blog Archive » links - 20081111 — Wednesday 12 November 2008 @ 5:33

  4. [...] I meant to point out this post of Didier’s yesterday. Very neat walk-through of the maturation of an exploit. Shoulder Surfing a Malicious PDF Author << Didier Stevens [...]

    Pingback by Interesting Information Security Bits for 11/12/2008 at Infosec Ramblings — Wednesday 12 November 2008 @ 22:22

  5. Ask google about the list of IP which did submit a request containing setTimeOut during the above mentionned 4 minutes and 12 secondes ?

    Comment by ask google — Thursday 13 November 2008 @ 12:37

  6. Yes, I believe there’s a chance Google has this answer, but I also know they won’t give it to me.

    Comment by Didier Stevens — Thursday 13 November 2008 @ 12:40

  7. Nice post… and very interesting blog. I’ve been reading you in the last months.
    Bruce Schneier just linked here in his blog, http://www.schneier.com/blog/archives/2008/11/watching_a_malw.html , so if you can’t access your blog in the next hours it’s not a DDoS, you have just been Schneier-Slashdotted :)

    Comment by D0R — Thursday 13 November 2008 @ 14:25

  8. maybe he submitted copies to virustotal in a slightly different form – e.g. zipped or with a few extra random bytes

    Comment by Greg — Thursday 13 November 2008 @ 15:51

  9. [...] Stevens writes on his blog about how he followed a malware author's work through the incremental [...] of PDF files [...]

    Pingback by BuheraBlog - Spying on the bad guy — Thursday 13 November 2008 @ 17:04

  10. [...] in connection with this vulnerability, an interesting article: Shoulder Surfing a Malicious PDF Author Tags: [...]

    Pingback by Vulnerability in Adobe Reader 8 exploited — Sunday 16 November 2008 @ 1:42

  11. [...] If you’re interested on the pdf exploit (also see below in other news), Didier Steven’s Blog, talks about Shoulder Surfing a Malicious PDF Author. [...]

    Pingback by Info Sec News: Nov 18, 2008 « InfoSec Philippines — Tuesday 18 November 2008 @ 7:27

  12. [...] if you want to see step by step how it is done, click here Tags: adobe reader, malicious code, how it is done, [...]

    Pingback by This is how an intruder writes code | rhypee — Tuesday 18 November 2008 @ 8:51

  13. so interesting…

    Comment by exactlimon — Tuesday 18 November 2008 @ 23:11

  14. I would like to know whether Foxit Reader is also vulnerable to this type of attack?

    Comment by Jose Abanto — Wednesday 19 November 2008 @ 14:25

  15. Wow!!!!!!

    It's very interesting. OK, I will change my PDF reader :)

    Comment by angelblade — Wednesday 19 November 2008 @ 14:43

  16. @Jose

    Yes, Foxit Reader has a similar util.printf vulnerability, but a different exploit must be used.

    http://www.coresecurity.com/content/adobe-reader-buffer-overflow

    Comment by Didier Stevens — Wednesday 19 November 2008 @ 20:57

  18. This is a very important blog…

    I like it..

    I'm from Colombia

    Comment by Steven — Thursday 20 November 2008 @ 19:08

  19. Didier,
    I experienced a similar experience after reading your blog on this subject.

    http://www.packetninjas.net/?p=124

    -Daniel

    Comment by Daniel Clemens — Friday 21 November 2008 @ 1:50

  20. [...] Shoulder Surfing a Malicious PDF Author Ever since I read about the incremental updates feature of the PDF file format, I’ve been patiently waiting for a [...] [...]

    Pingback by Top Posts « WordPress.com — Saturday 22 November 2008 @ 0:15

  21. [...] Stevens' code and analysis are published on this site. [...]

    Pingback by .::SRT::. » Blog Archive » This is how an intruder writes code. — Tuesday 25 November 2008 @ 0:13

  22. [...] Lets see ,How malware authour works ?? DO you know how malware author works?? A excellent piece of stuff Lets see ,How malware author works ?? Understanding malware author by – Didier Stevens Please click below links for more details about malware author Shoulder Surfing a Malicious PDF Author Didier Stevens [...]

    Pingback by Lets see ,How malware authour works ?? - 419 Legal - Internet Fraud and Online Scam Forum — Tuesday 25 November 2008 @ 6:47

  23. [...] blog.didierstevens.com/2008/11/10/shoulder-surfing-a-malicious-pdf-author/ [...]

    Pingback by ACCORDING TO THE EXPERTS, ACROBAT READER IS A PROGRAM ONE SHOULD TRY TO AVOID : Uruguay Escribe — Wednesday 26 November 2008 @ 3:02

  24. [...] Stevens' code and analysis are published on this site. [...]

    Pingback by Malicious Code in PDF Documents.. « GamingOne NetwOrks — Friday 28 November 2008 @ 22:27

  25. Got here through the Windows Secrets newsletter, great job of walking us through this. The blackhats never stop do they? Nice to have good guys on their smelly trail! :^)

    Comment by gene jacobson — Thursday 4 December 2008 @ 18:15

  26. [...]  Shoulder Surfing a Malicious PDF Author (AN ABSOLUTE MUST READ) [...]

    Pingback by (SCC) Catalyst Community Update for November 12, 2008 : The Security Catalyst — Sunday 5 April 2009 @ 23:59

  27. [...] [upmod] [downmod] Shoulder Surfing a Malicious PDF Author « Didier Stevens (blog.didierstevens.com) 2 points posted 6 months ago by jeethu tags pdf exploit javascript [...]

    Pingback by Tagz | "Shoulder Surfing a Malicious PDF Author « Didier Stevens" | Comments — Saturday 16 May 2009 @ 17:10

  28. [...] information on the author and using metadata to investigate a pdf document I found the article “Shoulder Surfing a Malicious PDF Author” by Didier Stevens to be an outstanding example of what can be learned from this data.  Didier [...]

    Pingback by sudosecure.net » Blog Archive » Analyzing PDF files and Shellcode — Sunday 4 April 2010 @ 4:27

