Malicious PDF Example

Discussion in 'malware problems & news' started by CloneRanger, Mar 2, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    This is a POC !

    Not sure how many people would get caught out with this ? Maybe not you ;) but regular Jo's might !

    em.gif

    em1.gif

    Deny =

    em2gif.gif

    Permit =

    em3.gif

    If you want the Demo PDF link you can PM me for it ;)
     
    Last edited: Mar 2, 2011
  2. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    thanks @CloneRanger for sharing this
    but adobe reader 10 cant stop this kind of exploits !!!!
    i believe xencare can block any kind of this attack just like appgurad
    btw.. pmed u :)

    PS : aha u r using foxit ...i heard it's vulnerable and seems like u r using old version ...sorry if this out of subject ..i am just wondering
     
    Last edited: Mar 2, 2011
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It,s interesting! :)
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    On any Windows OS, the very first blocking HIPS rule I make is to block access to cmd.exe or command.com. This one, more than any other, is the system component to which access must be restricted. I'd be interested to see if this demo is any different from an older POC that I have. Could you PM me the link? Thanks.
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ SUPERIOR

    You're right i was, thanks ;)

    @ aigle & noone_particular

    Done ;)

    *

    Upgraded to the latest version and launched the POC, clicking NO to this prompt

    1.gif

    Launched the POC again

    2.gif

    Also saw This is a secure PDF. as before

    Enabled SRM and launched the POC again

    3.gif

    This time Script Defender jumped in, wonder why it didn't before ?

    4.gif

    Executing or Aborting showed This is a secure PDF. as before, but i noticed nothing else ?

    ProcessGuard alerted me several times as before with the .cmd alert :thumb:

    Couldn't see anything with Autoruns/ProcessExplorer ? As i'm in Shadow Defender mode, rebooting would flush anything that "might be there. If someone could try it in VM or with imaging :thumb:
     
  6. wat0114

    wat0114 Guest

    Interesting POC (thanks again CloneRanger!) but strange that in my case it is looking for cmd.exe in my user's appdata folder?? PDFXchange warns about it. Three shots posted, including the details...

    *EDIT* maybe it's because the user's appdata directory is a candidate target to write to in a standard account?
     

    Attached Files:

  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Have you tested the PoC against Adobe Reader 10?

    -edit-

    Wouldn't disabling the option in Preferences - Trust Manager - PDF File Attachments - "Allow opening of non-PDF file attachments with external applications" stop this?
     
    Last edited: Mar 2, 2011
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  9. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    very strange is it related to windows or program itself o_O
    i dont think it's about standard account ...correct me if i am wrong


    @CloneRanger
    tested it in VM ...nothing serious ....by parsing this file, it only run cmd with command

    @MrBrian
    i think so ...it's kinda an old exploit (like overflow exploit i believe) :doubt:

    @m00nbl00d
    adobe 10 tested ..and the execution was blocked


    enlabling or disabling this option will block "cmd" from running ...maybe because it's an old exploit
    try this on 0day exploits ;)
     
    Last edited: Mar 3, 2011
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Which is why I don't care for PoCs. :D In all cases, if upon a real exploit (0-day, for example), it would first need to get out of Adobe Reader 10 sandbox, then EMET, then Sandboxie, then a few other restrictions I've applied. If it succeeded , then I would retreat myself from computers. :( :D
     
  11. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    my avast blocks it from download. So, disabled and tested adobe reader 9.4.2

    its successfully blocked and an alert is fired up as shown in the attachment.
    PS. Not a single peep from comodo. Guess as adobe prevented it, no pop-ups from comodo...

    Thanks,
    Harsha.
     

    Attached Files:

  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ wat0114

    You're welcome ;) Good to see that PDFXchange warns about it :thumb:

    @ MrBrian

    Thanks :thumb: it is similar, but not the same. I believe the DS one didn't involve VBS either.

    @ SUPERIOR

    Thanks for testing it in VM :thumb:

    @ harsha_mic

    Yes Avira initially blocked for me too.

    :thumb:

    It says Blocked by SysAdmin which could mean several things i presume. If Adobe has an option to allow such things, as Foxit does, as shown in one of my screenies, you might allow it and see if Comodo bites ;)
     
Loading...
Thread Status:
Not open for further replies.