Apr 22 2010

Will there be new viruses exploiting /Launch vulnerability in PDF?

Published by at 11:21 am under Security Research

Recently there were reports of the Zeus botnet exploiting the /Launch vulnerability in the design of the PDF file format. The vulnerability was found by Didier Stevens, a Belgian security researcher, on March 29, 2010. However, I don’t think the Zeus botnet has really used the flaw that Didier Stevens described.

In fact, the virus was created with the exploit module named “Adobe PDF Embedded EXE Social Engineering”, written by Colin Ames, who found the same flaw around August 2009. The module was initially written for the Metasploit Framework (MSF) under the name “Adobe Social Engineering Exploit”, and Colin Ames used the flaw and the module as part of his presentation at the Black Hat USA 2009 conference. The module was later renamed “Adobe PDF Embedded EXE Social Engineering” and has been part of the MSF toolkit since 14 April 2010.

The Zeus botnet used Colin Ames’ exploit module in MSF to generate a PDF named “Royal_Mail_Delivery_Invoice_1092817.pdf”, which was then spread via spam emails. When opened, the PDF drops a file named Royal_Mail_Delivery_Notice.pdf, which is in fact an .exe file: the Zeus virus itself.


The exploited PDF drops the Zeus virus.

Adobe Reader then pops up a warning message asking whether the user allows the file to run.

Adobe Reader warning message.

If the user chooses Open, the virus is executed. With such a clear warning, I don’t think many people will open it, which means that the Zeus botnet’s ability to spread using this flaw is small. Fortunately, our honeypot system also detects very few Zbot infections using this flaw.

In my opinion, Didier Stevens did his research independently, and his discovery is not entirely identical to Colin Ames’. The key point of the flaw found by Didier Stevens is that he found a way to create a fake warning message to trick users into clicking the Open button, and that is what makes it a social engineering vulnerability.

I ran a test to confirm that the flaw Didier Stevens described can be exploited in the wild: the Adobe Reader warning message can be changed to trick users into selecting Open. I made a PoC clip of the fake warning message, which you can watch below.

Clip of the fake warning message that takes advantage of the PDF /Launch vulnerability.
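As an added example (not code from the original post), the following Python triage scanner shows how a defender can spot the pattern discussed above before a user ever sees the warning dialog: it counts the PDF names that matter for this attack (/Launch, /EmbeddedFile, and /OpenAction as the assumed automatic trigger) after decoding the #xx hex escapes that the PDF syntax allows in name tokens, so an obfuscated spelling such as /L#61unch is still caught, and it reports which file each /Launch action points at. The sample PDF bytes are constructed for the example and are not the Royal Mail sample from the post; the object layout, the WATCHED list and the verdict thresholds are assumptions made for this example.

```python
import re

# Constructed sample (not the Royal Mail PDF from the post): a minimal
# PDF-like byte string with an /OpenAction that triggers a /Launch action
# and an embedded file whose first bytes are the "MZ" Windows executable
# header. The /Launch name is spelled with a PDF "#xx" hex escape
# (#61 == 'a'), which a naive substring search for "/Launch" misses.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Type /Action /S /L#61unch /F (Royal_Mail_Delivery_Notice.pdf) >>
endobj
5 0 obj
<< /Type /Filespec /F (Royal_Mail_Delivery_Notice.pdf) /EF << /F 6 0 R >> >>
endobj
6 0 obj
<< /Type /EmbeddedFile /Length 2 >>
stream
MZ
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# A PDF name token is "/" followed by regular characters; any byte may be
# written as #xx (PDF 32000-1:2008, section 7.3.5).
NAME_RE = re.compile(rb"/((?:[^\s/\[\]<>(){}%#]|#[0-9A-Fa-f]{2})+)")
# Literal string following an /F key: the file a /Launch action targets.
LAUNCH_FILE_RE = re.compile(rb"/F\s*\(([^)]*)\)")

# Names watched for this attack pattern: the action itself, the payload
# carrier, and (assumption for this example) /OpenAction as the trigger.
WATCHED = ("Launch", "EmbeddedFile", "OpenAction")


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes in a name token body, e.g. b'L#61unch' -> 'Launch'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def naive_grep_hits(pdf_bytes: bytes) -> bool:
    """What a plain substring search sees; escaped names defeat it."""
    return b"/Launch" in pdf_bytes


def scan_pdf(pdf_bytes: bytes) -> dict:
    """Count watched names in the document and collect /Launch targets.

    Objects are split on 'endobj' so that the /F string is taken from the
    same object as the /Launch action, not from a neighbouring /Filespec.
    """
    counts = {name: 0 for name in WATCHED}
    launch_targets = []
    for obj in pdf_bytes.split(b"endobj"):
        names = [decode_name(m.group(1)) for m in NAME_RE.finditer(obj)]
        for name in names:
            if name in counts:
                counts[name] += 1
        if "Launch" in names:
            m = LAUNCH_FILE_RE.search(obj)
            launch_targets.append(m.group(1).decode("latin-1") if m else "<no /F string>")
    return {"counts": counts, "launch_targets": launch_targets}


def verdict(findings: dict) -> str:
    """Triage label: a /Launch action is the signal; an embedded file raises it."""
    c = findings["counts"]
    if c["Launch"] and c["EmbeddedFile"]:
        return "high: /Launch action with embedded file (dropper pattern)"
    if c["Launch"]:
        return "medium: /Launch action present"
    return "low: no /Launch action"


if __name__ == "__main__":
    result = scan_pdf(SAMPLE_PDF)
    print("naive grep finds /Launch:", naive_grep_hits(SAMPLE_PDF))
    print("counts:", result["counts"])
    print("launch targets:", result["launch_targets"])
    print("verdict:", verdict(result))
```

Run it on a real file by replacing SAMPLE_PDF with the file's bytes. The scanner is deliberately lexical: it does not decompress object streams, so a /Launch action hidden inside a compressed object stream needs a decompression step in front of it, which is why the output is a triage signal to be followed by proper analysis rather than a final verdict.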

So the Zeus botnet did not use the flaw found by Didier Stevens but the one found by Colin Ames. In the coming days, if a patch for Adobe Reader is not released quickly, viruses may take advantage of the flaw found by Didier Stevens: many people would be tricked by the fake warning message, and many computers would be infected. Users should therefore stay alert and keep their application software as well as their antivirus software updated to the latest versions.

Le Manh Tung
Senior Security Researcher

4 Comments to “Will there be new viruses exploiting /Launch vulnerability in PDF?”

  1. [...] analyzed in previous entry (Will there be new viruses exploiting /Launch vulnerability in PDF?), Zeus only takes advantage of an exploit code with limited function available on Metasploit. [...]

  2. [...] Virus using /Launch exploit code in MSF [...]

  3. [...] on 90% of computers. The update fixes 17 documented vulnerabilities that are actively exploited in attacks affecting Windows, Mac and [...] users

  4. [...] 2010-04-09: Malicious PDF file analysis: zynamics style (PDF Dissector video) 2010-04-22: Will there be new viruses exploiting /Launch vulnerability in PDF? 2010-05-18: Quickpost: More Malformed PDFs 2010-06-08: Analysis of a Zero-day Exploit for Adobe [...]
