Yuletide PDF gymnastics

The latest malware threats from across the security forums

Moderators: Admin Team, Moderators

User avatar
Spudz
Posts: 1856
Joined: Mon Jul 20, 2009 4:35 am
Area Of Expertise: General guidance and advice
experience: Not only can I turn PC on, I know most of its functions too
PC time: Alot more than I should
Location: Kent, UK
Contact:

Yuletide PDF gymnastics

Postby Spudz » Wed Dec 09, 2009 8:31 am

Yuletide PDF gymnastics

Whilst browsing some reports yesterday, I noticed an unexpected detection at the top of the charts. Over the past few days, Troj/PDFJs-ER is neck and neck with Mal/Iframe-F as the most prevalent item of malware currently being detected on web sites.

A quick peek at the URLs for the PDFs reveals a whole host of new domains, just registered in the past few days. Curious, I grabbed a few samples and set about digging further into the attack…

The first thing to notice is the cunning manner in which the attackers have hidden the JavaScript within the PDF itself. We are used to the usual obfuscation tricks being used to obscure the nature of the script content, but in this case, the bulk of the malicious script is actually carried as a string, within the subject of a page annotation object!

To my mind this is very much akin to the anti-emulation tricks we have seen used in malicious web pages, where the guts of the JavaScript content is stored (obfuscated) as strings within HTML elements in the page. A short stub script is then responsible for extraction and deobfuscation of the data using GetElementById(). Leafing through the Adobe JavaScript API, I suspect there are several other obfuscations for hiding script content within other PDF objects.

Back to this PDF example, a short embedded JavaScript sets about retrieving and deobfuscating this string.


Continues at SophosLabs blog
Spam - Uninteresting garbage quickly deleted.
Spammer - A parasitic worm intent on creating internet misery.

Image

Return to “Latest Malware Threats”

Who is online

Users browsing this forum: No registered users and 1 guest