Posted on behalf of Greg Leah, Dan Bleaken, Seth Hardy, Jo Hurcombe & Tony Millington
Symantec Hosted Services analysts spotted a blocked targeted attack yesterday that uses the FIFA World Cup 2010 as a lure to encourage the recipient to open a malicious PDF attachment. It exploits a recently patched vulnerability in Adobe Reader.
First some background on targeted attacks.
What is a targeted attack?
- Probably the most damaging type of internet threat
- Takes place via email
- Designed to target a specific individual or organisation
- Aim is to extract sensitive or valuable information
- Used to gain competitive advantage, to blackmail, to harm reputation, to gather intelligence or spy, or to steal secrets, designs, ideas and other information
How is it done?
- First, the attacker performs reconnaissance to discover potential victims.
- Once a victim is identified, the attacker collects relevant and personal information about them, to add legitimacy to the attack.
- Finally, the personalised email is sent. If the malicious payload is opened, the attacker gains control of the victim's PC.
What are some of the common characteristics of a targeted attack?
In identifying whether or not malware is targeted, several factors are taken into account such as:
- Generally a low volume of mails per attack, to one or very few recipients. Symantec Hosted Services typically blocks around 500,000 malicious emails per day; fewer than 100 of those are targeted attacks.
- Likely to be sent to high-profile clients, especially government/public sector (one third of all targeted attacks are sent to government/public sector)
- Likely to have themes around political or newsworthy events
- Attachment types likely to be .doc or .pdf
- Suspicious features in the mail header
- Likely to be sent from a webmail account (adds legitimacy)
- Attackers often try to convey a sense of importance or urgency to get the attachment opened
- Sent to high-seniority recipients, as they have access to the most valuable and sensitive information (60% of targeted users are of medium or high seniority)
- Can be sent to family members, personal webmail accounts etc., in an attempt to have the attack forwarded into the organisation, or to the target, of interest.
There are many, many more indicators; our analysts are skilled at differentiating targeted attacks from other (bulk-mailed or spammed) malicious emails.
Some typical targeted attacks:
Now more on this specific targeted attack.
A technique commonly seen in targeted attacks is to use legitimate details in the mail while urging the recipient to open a malicious attachment. This sample is no exception: it uses the name of a legitimate African safari organiser, Greenlife. The email was sent from a PC in Singapore.
Greenlife are helping football fans to organise their dream trip to South Africa this summer, by tailoring travel packages for supporters from all over the world. Greenlife have produced an extremely informative and useful PDF guide to the World Cup, available at http://www.e-gnu.com/2010.html (on the right-hand side of the page).
The attacker(s) downloaded Greenlife's PDF document and modified it to include malicious code. They then attempted to email the malicious PDF to a user at a major international organisation that brings together governments from all over the world. We should emphasise that downloading the PDF from the Greenlife website (http://www.e-gnu.com/2010.html) is perfectly safe at the time of writing this blog.
The attack makes use of a recently patched vulnerability in Adobe Reader, CVE-2010-0188. Adobe released the patch for this critical-rated vulnerability on February 16, 2010 (Reader and Acrobat 9.3.1 and 8.2.1), so any installation still on an earlier version remains exposed. Since then we have observed a large number of targeted attacks attempting to exploit this vulnerability. Proof-of-concept exploit code is available on the Internet, which is contributing to the large number of observed attacks.
The exploit abuses a flaw in Adobe Reader's TIFF parsing. In particular, a stack overflow is triggered by embedding in the PDF a TIFF image carrying a specially crafted "DotRange" tag.
To turn a perfectly legitimate PDF document into a malicious one, the attackers made a few modifications. First they removed a number of objects from the clean PDF to reduce the file size. They then inserted a malicious object at the beginning of the file containing the malicious TIFF. All of the shellcode is contained in the TIFF file.
The screenshot in the original post shows the inserted object, with the malicious TIFF embedded in XML (an XFA form, rather than an ordinary image stream) as Base64-encoded text.
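As an added illustration (this is example code written for this edit, not code from the original post or from Symantec), the following parses the first IFD of a TIFF and flags a DotRange entry (tag 336) whose count exceeds the two values the tag is defined to carry. In the libtiff code Adobe shipped, those values were copied into a fixed two-entry stack buffer without checking the entry's count, which is the malformed shape behind the stack overflow described above. It also pulls Base64 image payloads out of XFA-style XML; the `<image contentType="image/tif">` element shape used there is an assumption made for the example, and the TIFF and XML samples are constructed inline.

```python
import base64
import re
import struct

# Added example, not code from the original post.  Tag and type numbers come
# from the TIFF 6.0 specification; everything else is constructed for the demo.
DOTRANGE_TAG = 336
TIFF_BYTE, TIFF_SHORT = 1, 3          # the only types DotRange may legitimately use


def parse_first_ifd(data):
    """Return [(tag, type, count, value_or_offset), ...] for the first IFD.

    Raises ValueError on anything that is not a structurally sound TIFF header
    or IFD; the exploit relies on the vulnerable parser trusting these fields.
    """
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF: bad byte-order mark")
    endian = "<" if data[:2] == b"II" else ">"
    magic, ifd_offset = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        raise ValueError("not a TIFF: bad magic")
    if ifd_offset + 2 > len(data):
        raise ValueError("IFD offset points outside the file")
    (n_entries,) = struct.unpack(endian + "H", data[ifd_offset:ifd_offset + 2])
    entries = []
    for i in range(n_entries):
        off = ifd_offset + 2 + 12 * i
        if off + 12 > len(data):
            raise ValueError("truncated IFD")
        entries.append(struct.unpack(endian + "HHII", data[off:off + 12]))
    return entries


def dotrange_findings(data):
    """Describe every DotRange anomaly in the first IFD; an empty list means clean."""
    findings = []
    for tag, typ, count, _value in parse_first_ifd(data):
        if tag != DOTRANGE_TAG:
            continue
        if typ not in (TIFF_BYTE, TIFF_SHORT):
            findings.append("DotRange uses illegal type %d" % typ)
        if count > 2:
            findings.append("DotRange count %d exceeds the 2 values the tag holds" % count)
    return findings


def build_tiff(dotrange_count):
    """Constructed minimal little-endian TIFF: one IFD, no pixel data, one DotRange entry."""
    entries = [
        (256, TIFF_SHORT, 1, 1),                                  # ImageWidth
        (257, TIFF_SHORT, 1, 1),                                  # ImageLength
        (DOTRANGE_TAG, TIFF_SHORT, dotrange_count, 0x00FF0000),   # inline (0, 255) when count is 2
    ]
    ifd = struct.pack("<H", len(entries))
    for entry in entries:
        ifd += struct.pack("<HHII", *entry)
    ifd += struct.pack("<I", 0)                                   # no further IFDs
    return b"II" + struct.pack("<HI", 42, 8) + ifd


def tiffs_from_xfa(xml_text):
    """Decode Base64 image payloads from XFA-style XML.

    The <image contentType="image/tif"> element shape is an assumption for this
    example; real samples may use other element names.
    """
    pattern = r'<image[^>]*contentType="image/tif"[^>]*>([A-Za-z0-9+/=\s]*)</image>'
    return [base64.b64decode(m) for m in re.findall(pattern, xml_text)]


def sample_xfa(dotrange_count):
    """Constructed XML wrapper carrying a build_tiff() payload, for trying the code offline."""
    payload = base64.b64encode(build_tiff(dotrange_count)).decode("ascii")
    return '<xfa><image contentType="image/tif">%s</image></xfa>' % payload


def scan_xfa(xml_text):
    """Run the DotRange check over every TIFF found in the XML; one findings list per image."""
    return [dotrange_findings(blob) for blob in tiffs_from_xfa(xml_text)]


if __name__ == "__main__":
    print(scan_xfa(sample_xfa(2)))
    print(scan_xfa(sample_xfa(0x0100)))
```

The parser deliberately stops at the IFD entry table and never dereferences value offsets, so an oversized count cannot push it outside the buffer; that is the check the embedded libtiff lacked. To use it on a real suspect PDF you would first extract the XFA stream (inflating it if it is FlateDecode-compressed) and feed the XML text to `scan_xfa`.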
If the user had received the email and opened the PDF attachment in a vulnerable version of Adobe Reader, the shellcode would have extracted and executed the embedded XOR-encoded executables. Next, the malware does a DNS lookup for a subdomain of microsoft.com (e.g. wwwco2vip.microsoft.com) and then retrieves some data from that host; we don't know what that data is. The purpose could be to test for a working Internet connection, or to test localisation (e.g. microsoft.com may redirect to microsoft.co.uk, telling the malware the recipient is located in the UK), or it could be to disable automatic updates from Microsoft.
Next, among many other things, for each file <filename> in c:\windows\system32 the malware creates a directory c:\windows\system32\<filename>\ and two new files inside it: notepad.exe.new and notepad.exe.
The malware drops two files: c:\windows\system32\drivers\pcidump.sys and c:\program files\windows media player\mpvps.dll. 'pcidump.sys' exhibits rootkit functionality, and 'mpvps.dll' is registered as a service called "Remote Access Connection Locator".
The malware also appears to attempt to contact other machines on the same network, probably to try to propagate.
Using this, the attacker would have probably attempted to do one or more of:
- Steal sensitive information
- Perform some activity that causes damage to the organisation
- Silently monitor the victim, siphoning off sensitive information
- Use the victim's credentials and social engineering to try to reach individuals deeper within the organisation
- Other?
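For anyone who needs to sweep hosts for the artefacts described above, here is an added example (written for this edit, not code from the original post or from Symantec) that checks a file listing and a service table against the indicators the post reports: the two dropped files, the service name, and the system32\<filename>\notepad.exe pattern. The listing and service table are constructed inline; on a real host you would feed in a directory walk and the output of a service enumeration instead.

```python
import ntpath

# Added example, not from the original post.  The paths and service name below
# are the indicators the post reports; the sample listings are constructed.
SYSTEM32 = r"c:\windows\system32"
DROPPED_FILES = {
    r"c:\windows\system32\drivers\pcidump.sys",
    r"c:\program files\windows media player\mpvps.dll",
}
ROGUE_SERVICE = "remote access connection locator"


def find_dropped_files(paths):
    """Exact-path matches for the two files the post says the malware drops."""
    return sorted(p for p in paths if p.lower() in DROPPED_FILES)


def find_notepad_shadows(paths):
    """Flag system32\\<name>\\notepad.exe[.new] where <name> is also a file directly in system32.

    That pairing is what the post describes the malware creating; a directory
    named after an existing system32 file is unusual on its own.
    """
    lowered = [p.lower() for p in paths]
    direct_files = {ntpath.basename(p) for p in lowered if ntpath.dirname(p) == SYSTEM32}
    hits = []
    for p in lowered:
        parent = ntpath.dirname(p)
        if (ntpath.dirname(parent) == SYSTEM32
                and ntpath.basename(parent) in direct_files
                and ntpath.basename(p) in ("notepad.exe", "notepad.exe.new")):
            hits.append(p)
    return sorted(hits)


def find_rogue_services(services):
    """services: {service name: binary path}.  Match on the reported name or on mpvps.dll."""
    return sorted(name for name, binary in services.items()
                  if name.lower() == ROGUE_SERVICE or binary.lower().endswith("mpvps.dll"))


# Constructed host listing: clean system files, the two dropped files, two shadow
# copies under a directory named after kernel32.dll, and a decoy under a real
# subdirectory (wbem) that must not match because wbem is not a file in system32.
SAMPLE_PATHS = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Windows\System32\drivers\pcidump.sys",
    r"C:\Program Files\Windows Media Player\mpvps.dll",
    r"C:\Windows\System32\kernel32.dll\notepad.exe",
    r"C:\Windows\System32\kernel32.dll\notepad.exe.new",
    r"C:\Windows\System32\wbem\notepad.exe",
]
SAMPLE_SERVICES = {
    "RasMan": r"C:\Windows\System32\svchost.exe",
    "Remote Access Connection Locator": r"C:\Program Files\Windows Media Player\mpvps.dll",
}

if __name__ == "__main__":
    print(find_dropped_files(SAMPLE_PATHS))
    print(find_notepad_shadows(SAMPLE_PATHS))
    print(find_rogue_services(SAMPLE_SERVICES))
```

`ntpath` is used rather than `os.path` so the Windows path logic behaves the same whether the listing is analysed on the infected host or offline on an analyst's Linux machine.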
As of the morning of 24 March, precisely none of 41 other major security vendors detected this targeted attack. Symantec Hosted Services blocked it comfortably by identifying suspicious characteristics of the PDF.