Archive for April, 2010

Apr 28 2010

Malware exploiting the true nature of the PDF /Launch vulnerability has appeared

Published under Security Research

On April 27, 2010, Bkis’ honeypot system discovered a new wave of attacks exploiting the PDF /Launch vulnerability via spam emails.

As analyzed in our previous entry (Will there be new viruses exploiting /Launch vulnerability in PDF?), Zeus only took advantage of an exploit module with limited functionality available in Metasploit. This time, however, the malware exploits the true nature of the /Launch vulnerability with a much more sophisticated method. As of this writing, Adobe has not patched the vulnerability.

This malware has two main characteristics that let it exploit the /Launch vulnerability more effectively than Zeus when users open the malicious PDF:

1. It does not require tricking users into saving the malware to disk.

2. Acrobat Reader’s warning message is faked.

The malware taking advantage of /Launch vulnerability is more sophisticated than Zeus

What Zeus was unable to do is now accomplished by this new malware, which takes advantage of the true nature of the /Launch vulnerability.

If the user clicks Open, three files, script.vbs, batscript.vbs and game.exe, are generated and executed. They exist for only around 3 seconds in the folder containing doc.pdf and then disappear. game.exe is the virus that infects the victim’s computer; before it is deleted, it copies itself as svchost.exe into the folder “%ProgramFiles%\Microsoft Common”.

Specifically, when the Open button is clicked, the /Launch action is executed to generate script.vbs:

Exploit code that generates file script.vbs

script.vbs is then executed and generates the second file, batscript.vbs, in these steps:

+ Open doc.pdf

+ Read the file and extract the comment block delimited by ‘SS and ‘EE

+ Remove the “%” comment signs and write the result to batscript.vbs

script.vbs

- batscript.vbs then:

+ Generates game.exe from a binary byte array embedded in the script

+ Runs game.exe

+ Sleeps 3 seconds, then deletes the three files: script.vbs, batscript.vbs and game.exe

batscript.vbs

The whole infection process
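A triage check for the pattern described above (a /Launch action plus a second stage smuggled in PDF comment lines between the ‘SS and ‘EE markers). This is an added example for defenders, not Bkis code or the malware’s own script; it assumes the markers appear as `%'SS` and `%'EE` on lines of their own, which is my reading of the description, and the document bytes are constructed with harmless placeholder lines.

```python
import re

# Constructed stand-in for doc.pdf (not the real sample): a /Launch action
# plus a script hidden in PDF comment lines ("%") between the 'SS and 'EE
# markers. The payload lines are harmless placeholders.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj
2 0 obj << /Type /Action /S /Launch /F (placeholder) >> endobj
%'SS
%' placeholder for the smuggled second stage
%WScript.Echo "second stage placeholder"
%'EE
3 0 obj << /Length 0 >> stream
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
START_MARK = b"%'SS"   # assumed marker layout: '%' comment sign + VBScript comment
END_MARK = b"%'EE"


def has_launch_action(data: bytes) -> bool:
    """True when the document carries a /Launch action dictionary."""
    return LAUNCH_RE.search(data) is not None


def extract_comment_payload(data: bytes) -> list:
    """Return the comment lines between the 'SS and 'EE markers with the
    leading '%' removed (the transformation the write-up attributes to
    script.vbs), or [] when no complete marker pair exists."""
    lines = [ln.rstrip() for ln in data.splitlines()]
    if START_MARK not in lines:
        return []
    start = lines.index(START_MARK)
    try:
        end = lines.index(END_MARK, start + 1)
    except ValueError:
        return []
    return [ln[1:] for ln in lines[start + 1:end] if ln.startswith(b"%")]


def triage(data: bytes) -> dict:
    """Combine the indicators; the pairing is what makes a file suspicious."""
    launch = has_launch_action(data)
    payload = extract_comment_payload(data)
    return {"launch_action": launch,
            "smuggled_lines": len(payload),
            "suspicious": launch and bool(payload)}


if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```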

Once executed, game.exe copies itself as svchost.exe into the “Microsoft Common” folder. The malware can spread via USB, operate as a bot, and receive commands from 3 C&C servers.

Malware connects to C&C Server

Technical details of the malware’s operations:

1. Copies itself as svchost.exe into the folder %ProgramFiles%\Microsoft Common\

2. Writes the registry keys

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe, Debugger = “%ProgramFiles%\Microsoft Common\svchost.exe”, to run the virus at Windows startup
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, to bypass the firewall

3. Injects malicious code into the system’s svchost.exe and explorer.exe processes.

4. Copies itself as system.exe, together with an autorun.inf file, onto USB drives to spread via USB

5. Receives commands from C&C servers:

hxxp://jad[removed]son.com/lde/ld.php?v=1&rs=13441600&n=1&uid=1

hxxp://1fo[removed]sa.com/lde/ld.php?v=1&rs=13441600&n=1&uid=1

hxxp://dol[removed]ss.com/lde/ld.php?v=1&rs=13441600&n=1&uid=1

Of the 3 C&C servers, only the first one works; the other two may be kept as backups. The C&C domain names use fast-flux DNS, so their IP addresses change continuously.

According to our analysis, 2 of the 3 domain names were newly created on April 26, and the other was created on April 21. These domain names are registered under a Russian name.

We will keep tracking this malware and update this information.

Bkis


Apr 22 2010

Will there be new viruses exploiting /Launch vulnerability in PDF?

Published under Security Research

Recently, there were reports of the Zeus botnet exploiting the /Launch vulnerability in the PDF file design. The vulnerability was found by Didier Stevens, a Belgian security researcher, on March 29, 2010. However, I don’t think the Zeus botnet has really used the flaw that Didier Stevens described.

Indeed, the virus was created with the exploit code named Adobe PDF Embedded EXE Social Engineering, written by Colin Ames, who found the same flaw around August 2009. Initially the exploit code was written for the Metasploit Framework (MSF) under the name Adobe Social Engineering Exploit. Colin Ames then used the flaw and the exploit module as part of his presentation at the Black Hat USA 2009 conference. The exploit code was later renamed “Adobe PDF Embedded EXE Social Engineering” and has been integrated into the MSF toolkit since 14 April 2010.

The Zeus botnet used Colin Ames’ exploit code in MSF to generate a PDF named “Royal_Mail_Delivery_Invoice_1092817.pdf”, which was then spread via spam emails. When opened, the PDF drops the file Royal_Mail_Delivery_Notice.pdf, which is in fact an .exe file: the Zeus virus.

The exploited PDF drops Zeus virus.

Adobe Reader then pops up a warning message asking whether the user allows the virus to run.

Adobe Reader warning message.

If the user chooses Open, the virus is executed. With such a clear warning, I don’t think many people will open it, which means that when using this flaw, the Zeus botnet’s ability to spread is small. Fortunately, our honeypot system also detects very few Zbot infections using this flaw.

In my opinion, Didier Stevens researched independently, and his discovery is not entirely identical to Colin Ames’. The essence of the flaw found by Didier Stevens is a way to create a fake warning message that tricks users into selecting the Open button, and that is what makes it a social engineering vulnerability.

I ran a test to confirm that the flaw Didier Stevens described can be exploited in the wild: the Adobe Reader warning message can be changed to trick users into selecting Open. I made a PoC clip of the fake warning message, which you can watch below.

Clip of the fake warning message to take advantage of PDF /Launch vulnerability.

So the Zeus botnet did not use the flaw found by Didier Stevens but the one found by Colin Ames. In the next few days, if a patch for Adobe Reader is not released quickly, viruses may take advantage of the flaw found by Didier Stevens; many people would be tricked by the fake warning message, and many computers would be infected. Users should therefore stay alert and keep both their application software and their antivirus software updated to the latest versions.

Le Manh Tung
Senior Security Researcher


Apr 13 2010

Vulnerability when processing data packages in Opera

Published under Security Research

Recently, a data packet that exploits Opera was released on the Internet. If users open this packet (via a website) with Opera version 10.50 or earlier, the browser crashes.

Figure 1 – Data packet released on the Internet.

When the Opera browser receives a data packet, it uses the Content-Length field to determine the length of the HTML tag at the end of the packet, then copies and displays that tag. In the Opera.dll module, the number in the Content-Length field is stored in a 64-bit variable. The code checks whether the 4 higher bytes (considered as a signed number) are negative. If they are not negative, the program copies the HTML tag with its actual length and no problem occurs. Otherwise, the program uses the 4 lower bytes of the number (considered as an unsigned number) as the length to copy the HTML tag into a 20000h-byte buffer. Therefore, if the Content-Length field carries a 64-bit number whose 4 higher bytes lie between 80000000h and FFFFFFFFh and whose 4 lower bytes are large enough, for example FFFFFFFDh, the browser crashes. The comparison can be seen in OllyDbg in Figure 2: if DWORD PTR SS:[EBP-4] < 0, the program runs the code at Opera_1.676C8375, which loads the value FFFFFFFDh into EDI and then into ECX, causing the buffer to overflow.

Figure 2 – The code that checks whether the 4 higher bytes are negative.

Running Opera’s complete execution process under OllyDbg, the vulnerability is found in the Opera_1 module (actually the module Opera.dll), where it causes an array overflow. In Figure 3, it can be seen that the program attempts to copy a large amount of data, FFFFFFFDh bytes, from 6D74683C to 00000000 with a REP MOVS operation. This causes the program to crash.

Figure 3 – The operation that causes the program to crash.
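A model of the Content-Length check described above, added here as an illustration; it is not Opera code. The 20000h buffer and the crashing value (high dword FFFFFFFFh, low dword FFFFFFFDh) are taken from the analysis; the bounded variant is an assumed fix for comparison, not the one shipped in Opera 10.51.

```python
# Model of the flawed Content-Length handling from the analysis (added example,
# not Opera code). No copy is performed; the functions only compute the byte
# count the copy would use, which is what the crash hinges on.
TAG_BUF_SIZE = 0x20000                 # destination buffer for the HTML tag
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
CRASH_VALUE = 0xFFFFFFFFFFFFFFFD       # high dword FFFFFFFFh, low dword FFFFFFFDh


def parse_content_length(header_value: str) -> int:
    """Parse the decimal header into the 64-bit variable the analysis
    describes (wrapping as a 64-bit store would)."""
    return int(header_value.strip()) & MASK64


def signed32(value: int) -> int:
    """Interpret a 32-bit quantity as the signed DWORD the comparison used."""
    value &= MASK32
    return value - 0x100000000 if value & 0x80000000 else value


def flawed_copy_length(content_length: int, actual_tag_len: int) -> int:
    """Reproduce the flawed logic: if the high dword, read as signed, is not
    negative, the tag's actual length is used; otherwise the unsigned low
    dword becomes the byte count for REP MOVS."""
    if signed32(content_length >> 32) >= 0:
        return actual_tag_len
    return content_length & MASK32


def would_overflow(content_length: int, actual_tag_len: int) -> bool:
    """True when the attempted copy exceeds the 20000h byte buffer."""
    return flawed_copy_length(content_length, actual_tag_len) > TAG_BUF_SIZE


def bounded_copy_length(content_length: int, received: int):
    """Assumed hardened variant: never copy more than the buffer holds or
    more than was actually received; None means the response is rejected."""
    if content_length > TAG_BUF_SIZE or content_length > received:
        return None
    return content_length


if __name__ == "__main__":
    cl = parse_content_length("18446744073709551613")   # == CRASH_VALUE
    print(hex(flawed_copy_length(cl, 64)), would_overflow(cl, 64))
    print(bounded_copy_length(cl, 64))
```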

Solution:
This vulnerability exists only in Opera version 10.50 and earlier; it has been fixed in Opera 10.51. Users can download Opera 10.51 at: http://www.opera.com/browser/

Analyst: Le Minh Tuan


Apr 01 2010

Many FakeAV Hoaxes for April Fool’s Day

Published under Security Research

April Fools’ Day is a day of jokes and hoaxes played on friends, family members and others who will laugh rather than get angry. Computer users, however, will hardly find it fun to be fooled by FakeAV.

According to our research, many keywords related to April Fools’ Day have been targeted by black hat SEO (BHSEO) and lead searchers to FakeAV. For example: “April Fools Day 2010”, “April Fools Day Recipes”, “April Fools Day History”, “April Fools Day Origin”, “April Fools Jokes Pranks”, “April Fools Day Pranks For School”, “April Fools Jokes For Kids”, “April Fools Jokes For Teachers”, “April Fools Jokes For Work”…

The number of April Fools’ Day keywords exploited this time is noticeably higher than in other waves of BHSEO attacks, which shows the hackers’ greater interest in this event.

Many search results related to April Fools’ Day lead to FakeAV

Clicking any of the malicious results redirects users to FakeAV websites. A warning appears, saying that “your computer is vulnerable to malware attacks”, and then demands a virus scan.

Fake virus warning

You then see a fake virus scan that reports many virus infections on your computer.

FakeAV scanning for viruses

The FakeAV website constantly asks you to download a bogus update to fix the system’s “vulnerability”.

Fake update

If you download and install this “patch”, your computer is infected with malware.

We recommend that users take care when searching the Internet for April Fools’ Day material, as with any other information, and keep their AV software updated to the latest version. We have added signatures for these malware samples to our Bkav antivirus database.

Bkis Taskforce Team
