The real danger of the /Launch "escape from PDF" proof of concept that Didier Stevens published is no longer a mystery to malware developers: a recent sample I acquired does not rely on JavaScript at all and instead embeds the executable inside a PDF comment. The comment holds a simple VBScript that stores the executable as an array of ANSI character codes; the script is later extracted from the PDF file, the array is converted back to binary form, the result is written to the user's computer as "game.exe", and then it is executed. I found this purely by luck when I stumbled across this blog posting: /Launch Malicious PDF. That posting covers most of the details, so there is no point repeating them here. One thing I do want to point out is that this is very different from the Zeus attempt at using the /Launch action. Zeus appears to have used the Metasploit PDF module, which does not really take full advantage of the /Launch action, so I don't count that as the first real malicious use of "escape from PDF".
UPDATE: I have published an analysis of this PDF file over on siemblog.com if you're interested in taking a look at the inner workings of this attack: "Analysis of the First Real PDF /Launch Attack – No JavaScript Required!"
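For triage of a suspect file, the two things worth flagging from the description above are a /Launch action and a comment line carrying a long array of character codes. The script below is an added example (my own, not code from the post or from the sample it analyses); it runs over a constructed PDF-like byte string, decodes any such array only to fingerprint it (size, MZ header check, SHA-256), and never writes or runs anything:

```python
import hashlib
import re

# Constructed sample (not the real malicious file): a /Launch action plus a '%'
# comment holding a VBScript-style array of ANSI character codes, the layout the
# post describes. The array decodes to bytes that begin with an MZ header.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj
2 0 obj << /Type /Action /S /Launch /F (game.exe) >> endobj
% payload = Array(77,90,144,0,3,0,0,0,4,0,0,0,255,255,0,0)
%%EOF
"""
# Constructed benign document for comparison: no /Launch, no code array.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n% just a comment\n%%EOF\n"

LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
TARGET_RE = re.compile(rb"/F\s*\(([^)]*)\)")
COMMENT_RE = re.compile(rb"^%(.*)$", re.M)
# Sixteen or more comma-separated 1-3 digit numbers: a character-code array.
ARRAY_RE = re.compile(rb"(?<!\d)\d{1,3}(?:\s*,\s*\d{1,3}){15,}")


def launch_targets(data):
    """Return the /F file name that follows each /Launch action."""
    targets = []
    for m in LAUNCH_RE.finditer(data):
        t = TARGET_RE.search(data, m.end(), m.end() + 200)
        targets.append(t.group(1).decode("latin-1") if t else "")
    return targets


def comment_code_arrays(data):
    """Decode character-code arrays found in comment lines, for fingerprinting only."""
    blobs = []
    for c in COMMENT_RE.finditer(data):
        for a in ARRAY_RE.finditer(c.group(1)):
            codes = [int(x) for x in re.split(rb"\s*,\s*", a.group(0))]
            if all(0 <= v <= 255 for v in codes):  # skip non-byte values
                blob = bytes(codes)
                blobs.append({"size": len(blob), "mz": blob[:2] == b"MZ",
                              "sha256": hashlib.sha256(blob).hexdigest()})
    return blobs


def triage(data):
    """Flag a PDF that carries a /Launch action and/or an embedded code array."""
    targets, blobs = launch_targets(data), comment_code_arrays(data)
    return {"launch_targets": targets, "embedded_blobs": blobs,
            "suspicious": bool(targets) or any(b["mz"] for b in blobs)}
```

The SHA-256 of the decoded blob can be compared against AV or sandbox records without ever executing it.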
View full post on sudosecure.net
Posted on 03 May 2010. Tags: Escape, /Launch, First, Malware, PDF, Real, Seen, Wild