Posted on behalf of Tony Millington, Malware Operations Engineer, Symantec Hosted Services
On Friday 3rd December at 12:41 Skeptic stopped a new virus that we had not seen before, a targeted attack against a government body using WikiLeaks as social engineering to get the user to open the document.
File Details:
Name: WikiLeaks.pdf
Md5sum: 8be9d8ad72d2ac5a0e0eb59292bd41a9
Commercial Scanner Detection: 9/43
The email had been sent from a compromised account and, as is often the case, the social engineering didn’t have a lot of thought behind it. Because the above sentence within the email doesn’t make much sense, the recipient is led to believe the pdf attachment may lead to more information.
However, the attachment has an encrypted executable embedded in it and heavily obfuscated javascript designed to decode, drop and run the exe.
The exploit is using a very common technique in Adobe PDF, checking what version of Adobe Acrobat Reader is being used. This can be good for running different exploits depending on which version of the reader is used. Not all versions are vulnerable to all exploits as Adobe patches its code to secure the software. Hackers can get around this by using standard legitimate functions to run different malicious code depending on what version the pdf was opened. In this case anything above version 9.6 just crashes Adobe Reader.
It drops the executable spoolsv.exe into C:\Documents and Settings\<USERNAME>\Local Settings\Temp
File Details:
Name: spoolsv.exe
Md5sum: a549eec6e9f533c4e8b07e5ec2efcdf2
Commercial Scanner Detection: 25/43
The virus detection for the dropped executable is a lot more widespread than the pdf itself. In theory, this seems like a good thing, but the pdf might get through to the user especially if the virus disables any anti-virus software.
The malicious executable injects itself into Internet Explorer, users will have no visual warning of this, and the process is run without displaying the window for Internet Explorer. However, on the analysis machine Internet Explorer 8 is installed but has never run, so the first time it runs it displays the “Welcome to Internet Explorer 8” splash screen. This still pops up when the virus runs Internet Explorer, obviously this is unlikely to happen on the targeted user’s computer, however, Process Explorer clearly shows iexplore.exe running.
The malicious executable sends encrypted data over a non-encrypted port (port 80), a port that most companies have open so their users can browse the web.
Once this has run, it tries to open another pdf. This is a common technique when exploiting any documents. It works by using an exploited document to drop a malicious exe and a clean document. The original malicious document will cause the document viewer to crash or just shut down. Once the virus runs, it will open the clean document, which will often contain information related to the social engineering in the email. This is to make it look like the machine hasn’t been infected and that in fact the user has just opened a clean document. Adobe will then close, initially saying “Document is corrupt.” This is the exploited document dropping malicious files. Adobe will then close and reopen the clean document. In this case, the clean pdf doesn’t seem to be dropped anywhere, giving an error saying the file cannot be found when the virus tries to open it.
Skeptic stopped 24 copies of this targeted attack. Another targeted attack using the same techniques in malicious pdfs was seen on the same day of which MessageLabs Intelligence saw 63 copies. These are techniques that have been used for a while and yet the commercial scanners still miss new copies. Skeptic stops it because of its patented heuristics engine. The best course of action is to install the latest version of Adobe Acrobat Reader to stay safe.