Internet Security Systems - AlertCon(TM)

Don’t open that doc.pdf, it’s got pwnage inside!

Posted by Jon Larimer and John Kuhn on April 28, 2010 at 4:56 AM EDT.

Today in the MSS Security Operations Center we noticed a large surge of malicious traffic surrounding spam email.  Below is a sample of the email, it will appear to come from another (faked) user in your organization, and target your email address specifically in the body:


Attached is an Adobe Acrobat (PDF) file that targets windows users specifically with a recent security concern in reader that allows execution of code with the /Launch command.  In this malicious PDF, reader is told to launch the cmd.exe with the objective of creating scripts called script.vbs and batscript.vbs.

Once you open the PDF, reader puts up a stern warning, with the included attacker’s text, though they cleverly added whitespace to hide their script as shown.

 

Scrolling up, you’ll see the payload

 

Of course execution of the script requires user interaction, an end user is easily coaxed into opening the document and resulting payload.  Once clicked the script parses the PDF file to extract and execute the payload which is called game.exe

The script.vbs file contains an executable file (game.exe), encoded as a VBS array. It’s obfuscated, but not very – the values 077, 090 are the ASCII codes for M and Z, the first two bytes of a Windows executable file:

The script then writes the array to a file:

The next script (batscript.vbs) executes game.exe, then deletes game.exe and the two script files. Once this has happened, you are owned!

game.exe appears to be a variant of a worm known as Win32/Auraax or Win32/Emold.  It copies itself to “C:\Program Files\Microsoft Common\svchost.exe” and then uses the “HKLM\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe” registry key to install itself as a debugger for the “explorer.exe” process to start itself when a user logs in. It also attempts to drop a rootkit driver that replaces asyncmac.sys on the system. This piece of malware will also attempt to copy itself to each removable drive on the system with an auto-run infection technique to spread as a virus – it creates autorun.inf and system.exe on each device, then configures the autorun.inf to launch system.exe.


Recommendations:

We’ve seen a lot of PDFs circulating that use the Launch command to deliver malware. To disable this functionality in Adobe Reader, see Adobe's blog.  

Proventia detects this PDF with a variety of signatures:  PDF_Launch_Program, PDF_JavaScript_Exploit, JavaScript_WScript_Shell_Object, Script_Shell_Command, and HTTP_IExplorer_Command_Exec.


We also recommend that auto-run on USB devices is always disabled – see Microsoft Support for instructions on how to do this for your OS.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.