Sunday, March 8, 2009

Exploitation of vulnerabilities through PDFs

Exploiting weaknesses in widely used applications is today one of the attack vectors most employed by malware, and in this sense I have already posted about the exploitation of vulnerabilities through SWF and JS files.

In this case, the attacker's goal is to find computers running versions of Adobe Acrobat and Adobe Reader vulnerable to the buffer overflow described in CVE-2008-2992: a stack-based overflow in the util.printf JavaScript function of Adobe Reader and Acrobat 8.1.2 and earlier, triggered by a crafted format string.

A concrete example is the address http://prororo7.net/sp/index . php. Visiting the malicious URL displays nothing, but in the background the exploit code runs and, if it finds a vulnerable reader, exploits the bug.

In this example, the malicious file f.pdf (MD5: 2de9de23f9db1e7b1e39d0481a372399) uses embedded JavaScript that calls the util.printf function to download and run an arbitrary remote file.

The downloaded payload is load.exe (MD5: a6e317f29966fa9e2025f29c7d414c0a), fetched from http://prororo7 .net/sp/l .php?b=4&s=p.

Unfortunately, the PDF is constantly modified by those who spread it in order to evade antivirus detection, and I say "unfortunately" because the detection rate for malicious PDFs has so far been extremely low. As the VirusTotal report shows, only five (5) of 39 antivirus engines detect this sample and would prevent the infection.
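Because signature-based engines miss most of these files, a scanner can instead look for the pattern the exploit itself depends on: a util.printf call whose format string requests an absurdly wide field, which is how CVE-2008-2992 is triggered, usually alongside an unescape() / length-doubling heap spray. The following Python script is an added example written for this post; it is not code from the original article and does not reproduce the real f.pdf or doc.pdf samples. The embedded PDF samples are constructed, the WIDTH_LIMIT threshold of 256 is an assumed heuristic (the public trigger used a width of 45000), and the stream handling is deliberately minimal (FlateDecode only, LF line endings).

```python
import re
import zlib

# Heuristic assumption for this example: no legitimate document formats a
# number into a field wider than this many characters.
WIDTH_LIMIT = 256

# Constructed samples (not the f.pdf / doc.pdf from the post).
MALICIOUS_JS = b"""
var payload = unescape("%u9090%u9090");
while (payload.length < 0x4000) payload += payload;
util.printf("%45000f", 0x22222222);
"""
BENIGN_JS = b'app.alert(util.printf("Total: %.2f", 12.5));'


def build_pdf(js, mode="flate"):
    """Wrap `js` in a minimal PDF whose OpenAction runs it.
    mode: "flate" (compressed stream), "raw" (plain stream) or "inline"
    (JavaScript as a literal string inside the action dictionary)."""
    if mode == "inline":
        action = b"2 0 obj << /S /JavaScript /JS (" + js + b") >> endobj\n"
        script_obj = b""
    else:
        body = zlib.compress(js) if mode == "flate" else js
        filt = b"/Filter /FlateDecode " if mode == "flate" else b""
        action = b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
        script_obj = (b"3 0 obj << " + filt + b"/Length " + str(len(body)).encode()
                      + b" >>\nstream\n" + body + b"\nendstream\nendobj\n")
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            + action + script_obj + b"trailer << /Root 1 0 R >>\n%%EOF\n")


# Dictionary immediately followed by a stream; the tempered group keeps the
# dictionary from running across ">>" into a later object.
STREAM_RE = re.compile(rb"<<((?:(?!>>).)*)>>\s*stream\n(.*?)\nendstream", re.S)


def stream_bodies(pdf):
    """Yield every stream body, inflating FlateDecode ones. Real files may also
    use CRLF after 'stream' and chained filters; this walk is minimal."""
    for dictionary, data in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue
        yield data


def inline_js_strings(pdf):
    """Return the contents of every /JS (...) literal string, honouring the
    balanced parentheses and backslash escapes PDF strings allow."""
    out = []
    for m in re.finditer(rb"/JS\s*\(", pdf):
        i, depth, buf = m.end(), 1, bytearray()
        while i < len(pdf) and depth:
            c = pdf[i:i + 1]
            if c == b"\\":
                buf += pdf[i:i + 2]
                i += 2
                continue
            depth += (c == b"(") - (c == b")")
            if depth:
                buf += c
            i += 1
        out.append(bytes(buf))
    return out


PRINTF_RE = re.compile(rb"util\s*\.\s*printf\s*\(\s*(['\"])(.*?)\1", re.S)
# %[flags][width][.precision]conversion: the width/precision is what overflows.
SPEC_RE = re.compile(rb"%[-+ 0#,]*(\d*)(?:\.(\d+))?[a-zA-Z]")
SPRAY_RE = re.compile(rb"unescape\s*\(\s*['\"](?:%u[0-9a-fA-F]{4}){2,}")
GROW_RE = re.compile(rb"while\s*\(\s*(\w+)\.length\s*<\s*\w+\s*\)\s*\1\s*\+=\s*\1")


def find_printf_overflows(js, limit=WIDTH_LIMIT):
    """Return (format_string, requested_width) for each util.printf call whose
    format asks for a field wider than `limit` characters."""
    hits = []
    for _, fmt in PRINTF_RE.findall(js):
        for width, prec in SPEC_RE.findall(fmt):
            n = max(int(width or 0), int(prec or 0))
            if n > limit:
                hits.append((fmt.decode("latin-1"), n))
    return hits


def scan_pdf(pdf):
    """Scan a PDF byte string; returns the printf hits and a heap-spray flag."""
    scripts = list(stream_bodies(pdf)) + inline_js_strings(pdf)
    hits, spray = [], False
    for js in scripts:
        hits.extend(find_printf_overflows(js))
        spray = spray or bool(SPRAY_RE.search(js) and GROW_RE.search(js))
    return {"printf_overflow": hits, "heap_spray": spray}


if __name__ == "__main__":
    for label, js, mode in (("malicious/flate", MALICIOUS_JS, "flate"),
                            ("malicious/inline", MALICIOUS_JS, "inline"),
                            ("benign/raw", BENIGN_JS, "raw")):
        print(label, scan_pdf(build_pdf(js, mode)))
```

The scanner flags the constructed malicious sample whether its JavaScript is stored in a compressed stream or as an inline literal string, and leaves the benign printf call alone. Attackers who repack the same exploit will often split the format string or build "util.printf" at runtime, so a check like this is a triage aid, not a substitute for patching.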

A similar situation occurs with doc.pdf (MD5: 5fa343ebca2dd5a35b38644b81fe0485), which is served from http://toureg-cwo .ch/fta/index.php and downloads 1.exe (MD5: 5c581054fbce67688d2666ac18c7f540), whose detection rate is even lower than the previous one (4/39).

Many web addresses are actively being used to spread malware in this way:

tozxiqud .cn/nuc/spl/pdf .pdf
teirkmm .net/nuc/spl/pdf .pdf
hayboxiw .cn/nuc/spl/pdf .pdf
www.ffseik .com/nuc/spl/pdf .pdf
www.kuplon .biz/smun/pdf .php?id=2435&vis=1
www.geodll .biz/ar/spl/pdf.pdf
setcontrol .biz/ar/spl/pdf .pdf
newprogress .tv/fo/spl/pdf .pdf
eddii .ru/traffic/sploit1/getfile .php?f=pdf
google-analytics.pbtgr .ru/pdf .php?id=48462
hardmoviesporno .com/rf/exp/update1 .pdf


As you can see, the chances of falling victim to these infection strategies are high, and consequently it is extremely important for anyone who uses Adobe's applications to patch as soon as possible.

Related Information
Exploiting vulnerabilities through SWF - Spanish version
Exploitation of vulnerabilities through JS - Spanish version


# Jorge Mieres
