Hit by 0Day Drive by Download - What to Do?

Discussion in 'malware problems & news' started by 1boss1, Jul 19, 2009.

Thread Status:
Not open for further replies.
  1. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    Well this has certainly given me real proof that Google Chrome will detect infected sites: as soon as I clicked on it I received an alert, advising to stay away from it. I also just tested it with IE8 and Firefox and nothing happened. I revisited the infected page with Chrome and again it gave me the same warning.
     


    Last edited: Jul 21, 2009
  2. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    Thanks Ilya, in a way that's reassuring to know because .pdf was fully patched on the machine I used. It did spawn a new tab on the taskbar with a .pdf document for a split second and shut down.

    That's "not" really reassuring to know in a way; there is no "This Site May Harm Your Computer" warning in the Google search results when Google obviously knows about it.

    I know Google can take up to 48 hours to push out changes with the regular search results, but I was hoping they'd do it faster for malware.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    When someone calls that they have been infected, I send them to a local shop where the expertise is much greater than mine! I would never trust that I had completely disinfected a computer -- even if I thought I knew how!

    From the standpoint of the payload -- downloading a malicious executable by remote code execution -- this is a pretty straightforward exploit. The difference is that the exploit code to load the PDF files is rather obfuscated. I wouldn't depend on prevention by detection of behavior or signature. Sometimes they work, other times....

    I confess to not understanding how the browser keeps control over these things, which just reinforces my own rule that the browser should not be relied upon to prevent exploits. Theoretically, disabling javascript and plugins should prevent these exploits, and I've been among those that have stressed browser configurations. However, especially with more than one user on a machine, it's possible that some configuration gets changed, or who knows what else might go wrong. It's necessary to have something else more reliable in place.

    In this case, if the PDF file loads and if the Reader is vulnerable, then the exploit succeeds. Here is one file in this exploit as seen by Wepawet. The code inside the file contains the URL to download the malware:

    [attachments: 0-day_wepawet.gif, 0-day_malware.gif]

    uzt.php calls for the malware executable, installb.exe, and is easily blocked from downloading by any White List protection:

    [attachment: 0-day_AE.gif]

    installb.exe is identified by a few AV as TrojanDropper:Win32/Preald.A.

    ----
    rich
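
A small static triage script for PDF files like the one Rmus ran through Wepawet, added here as an example and not part of the thread or of any tool it mentions: it decodes hex-escaped dictionary names (the kind of obfuscation the post describes), counts the keys that usually signal an exploit document, and pulls out any download URLs. The sample PDF bytes, the hostname and the stream contents are constructed stand-ins.

```python
import re

# Keys whose presence makes a PDF worth a closer look: /JS and /JavaScript carry
# script, /OpenAction and /AA trigger it on open, /Launch and /URI reach outside.
SUSPICIOUS_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                   b"/EmbeddedFile", b"/URI")

# Constructed, non-functional stand-in for a malicious PDF: the /JavaScript name
# is written with a hex escape and a URI points at a downloader script.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS 4 0 R >> endobj\n"
    b"4 0 obj << /Length 60 /Filter /FlateDecode >> stream\n...\nendstream endobj\n"
    b"5 0 obj << /S /URI /URI (http://malware.example.invalid/uzt.php) >> endobj\n"
    b"%%EOF\n"
)

def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes so an obfuscated /J#61vaScript matches /JavaScript.
    Applied to the whole buffer for simplicity; the escape is only legal in names."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Count suspicious keys, extract URLs, and flag compressed or obfuscated content."""
    text = normalize_names(data)
    # (?![A-Za-z]) keeps /JS from matching inside a longer name such as /JSomething
    counts = {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", text))
              for k in SUSPICIOUS_KEYS}
    urls = [u.decode(errors="replace")
            for u in re.findall(rb"https?://[^\s()<>]+", text)]
    return {
        "keys": {k: v for k, v in counts.items() if v},
        "urls": urls,
        # compressed streams mean the real script is hidden from this raw scan
        "compressed_streams": b"/FlateDecode" in text,
        "obfuscated_names": text != data,
    }

if __name__ == "__main__":
    report = scan_pdf(SAMPLE_PDF)
    for key, count in report["keys"].items():
        print(f"{key}: {count}")
    print("URLs:", report["urls"])
    print("compressed streams:", report["compressed_streams"])
```

A hit on /OpenAction plus /JavaScript in the same file is the pattern behind the drive-by discussed here; a compressed stream means the script body still has to be inflated before the download URL inside it can be read.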
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I understood from your first post that the computer had become infected.

    ----
    rich
     
  5. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    As far as I'm concerned this alert is good enough, but I would never search the Internet without a virtualizer. This has been asked several times: Did you find the infection within Sandboxie?
     
  6. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    Looks like the good old AE still doesn't like strangers!
     
  7. Masterton

    Masterton Registered Member

    Joined:
    Jul 6, 2009
    Posts:
    108
    This case proves that common sense doesn't work. That's why I never trust security. Don't trust anything, or rather trust as little as possible.

    I always boot from a clean LiveCD when I want to send out financial information. Unless you did something wrong a LiveCD will never get infected. 100% guarantee.

    The only site I go after booting is straight to the bank. There is absolutely no way a malware can drive by. 100% guarantee.

    A hardware router, together with the software firewall, has been installed. All open ports have been closed to prevent any network/external attacks. 100% guarantee.
     
  8. Masterton

    Masterton Registered Member

    Joined:
    Jul 6, 2009
    Posts:
    108
    Report malicious software
    http://www.google.com/safebrowsing/report_badware/

    Is there any other place where a malware site can be reported?

    I have a question. Does this exploit still work if I browse with Firefox / Opera?
    I guess yes although I haven't tested it.
     
    Last edited: Jul 22, 2009
  9. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    I don't have a great understanding of it either, but it got around the "PDF Downloader" plugin I had installed. I "thought" this may have offered some level of protection, as it gives the user a prompt whenever a .pdf is launched, but it appears it offers nothing when it comes to malware.

    This is the plugin I mean:

    [attachment: pdf-download.png]

    This didn't pop up; a new .pdf document spawned for a split second on the taskbar. It obviously hooked directly into the viewer, bypassing the plugin.

    I really had no idea if it had or hadn't; Flash/PDF were both fully patched and up to date. I locked down the machine the moment it happened, and the more I hunted, the more it appeared nothing was done.

    I mentioned back in post #7, there was no Sandboxie or Malware Defender installed. This wasn't my regular system, it was a fairly vanilla Quad Core Vista laptop that rarely goes on the net and it had NIS09 and UAC enabled.

    If this happened on my main machine, I wouldn't have even noticed because my browser sits in Sandboxie with Flash/Scripting disabled.

    It was just bad luck and bad timing.
     
  10. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Thanks Ilya, they are slick. Explains why nothing was captured in DW sandbox.
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks 1boss1 for the clarifications.

    Your 3rd party PDF plugin manager was probably bypassed since exploit code I've seen in the past calls for the browser plugin

    Code:
    
    <script>
    // enumerate the plugins the browser exposes, looking for an Adobe PDF handler
    function pdfswf()
    {
        for (var i = 0; i < navigator.plugins.length; i++)
        {
            var name = navigator.plugins[i].name;
            if ((name.indexOf("Adobe Acrobat") != -1) || (name.indexOf("Adobe PDF") != -1))
            {
                // ... remainder of the fragment not quoted in the post
            }
        }
    }
    </script>
    
    I have not looked at the current exploit code.

    There seem to be at least 3 ways to prevent a browser plugin from being called:

    1. uninstall it

    2. disable in the browser plugin configuration

    3. disable in the Reader Options
    Sometimes this last one has been seen to change during an update.

    And, of course, disabling scripting, as you point out, keeps the exploit from starting.

    In Opera, two things have to be configured to make the exploit work:

    1) telling Opera to use the Plugin with a PDF file

    [attachment: pdf-operaconfig.png]

    2) Enable plugins globally

    [attachment: opera-globalPlugins.gif]

    If these two settings are not enabled, no exploit I've seen loads the PDF file into the browser.

    I generally discourage people from using these plugins -- they are convenient, of course, in that you don't have to be prompted to save/open the file: it automatically loads into the browser window and opens. Like many features, however, this has the potential to be exploited.

    Foxit joined the Plugin party last year with their version 3:

    When PDF exploits surfaced en masse late last year, Foxit users assumed that their reader was immune. This proved not to be the case, as many malicious PDF files targeting Foxit appeared, including this one:

    If the PDF file cannot open, then the malicious code, of course, cannot execute.

    ----
    rich
     
    Last edited: Jul 22, 2009
  12. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    Sorry, I must have missed it, and reading your signature I couldn't work it out.
     
  13. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    hmm I can't seem to be able to get installb.exe from the site. Is the site now clean?
     
  14. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    I've just checked, and Chrome doesn't alert anymore about the site being compromised (I can't tell if this is definite proof though).
     
  15. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Same here with Firefox. No warnings at all.
     
  16. Masterton

    Masterton Registered Member

    Joined:
    Jul 6, 2009
    Posts:
    108
    Would anyone clarify the following?

    1. If I use default Firefox with PDF document set to "Always Ask":
    a) am I safe if I browse the compromised site? I guess I'm safe.
    b) what if I open the malicious pdf in its own reader? Will I still get infected? I guess I will be infected.
    2. If I use Firefox + noscript, it will stop the malicious code cold! Am I right?
     
  17. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    1 (a) correct
    (b) correct if you open it with Adobe. Another reader would be ok.
    2 nope.
    The "PDF exploit" does not need Javascript enabled to work (which is what noscript disables).
    It worked because a bug was discovered in Adobe.

    Noscript blocks a lot of exploits, at the expense of some inconvenience.
     