Exploit-PDF.b

Type: Trojan
SubType: Exploit
Discovery Date: 02/10/2008
Length: Varies
Minimum DAT: 5227 (02/11/2008)
Updated DAT: 6548 (12/02/2011)
Minimum Engine: 5.4.00
Description Added: 02/10/2008
Description Modified: 01/19/2011 2:02 AM (PT)
Risk Assessment
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-----------Update Jan 19, 2011----------------

File Information

    • MD5 - DAC9DC2CBC5046AC7C16F125D2E77F82
    • SHA - 06A1A0C3002C21DBD3FA4A6D6BC13BFBF209F730

Aliases

    • Kaspersky - Exploit.JS.Pdfka.ddo
    • Avast - JS:Pdfka-gen
    • Sophos - Troj/PDFJs-PQ

Exploit-PDF.b is a detection for a specially crafted PDF file which exploits a PDF vulnerability. This vulnerability has been assigned CVE-2009-0927.

The PDF document contains heavily obfuscated JavaScript that carries malicious shellcode. When the user opens the malicious PDF with a vulnerable Adobe version, the shellcode embedded in the JavaScript is executed and downloads malicious files from a remote site.

The shellcode is designed to download a malicious file from the remote site "http://[removed]/geed/geed.exe".

-----------Update July 7, 2010----------------

File Information

    • MD5 - a7722eb8541ef1396e192c22d818f77d
    • SHA - ac2fc89ef4a2f591bfa1fec17c31d12688e4a363

Aliases

    • Symantec - Trojan.Pidief.J
    • Kaspersky - Exploit.SWF.CVE-2010-1297.a
    • Ikarus - Exploit.SWF.CVE-2010-1297

Exploit-PDF.b is a detection for a specially crafted PDF file which exploits a PDF vulnerability. This vulnerability has been assigned CVE-2010-1297.

The PDF document contains heavily obfuscated JavaScript together with a malicious Flash object. Once the user opens this PDF document with a vulnerable Adobe version, the shellcode associated with the JavaScript is executed and downloads malicious files when the Flash object runs.

This vulnerability may have the following impact on the user's machine: remote code execution or denial of service (memory corruption).

More information on this vulnerability at:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1297

http://www.adobe.com/support/security/advisories/apsa10-01.html
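
Two of the traits described in the updates above, JavaScript held in compressed PDF streams that unpacks shellcode through %u escapes, and a Flash object embedded in the document, can be triaged statically before a file reaches a vulnerable reader. The following Python script is an added example and not McAfee's detection logic or anything taken from the original description: it inflates FlateDecode streams, undoes #xx escapes in PDF names (a common way to hide /JavaScript from string matching), and scores the indicators it finds. The indicator list, the threshold, and both sample PDFs are constructed here for illustration.

```python
import re
import zlib

# --- Constructed samples (not from the original page) ----------------------
# A script body of the shape the text describes: a long run of %uXXXX escapes
# (packed shellcode / heap-spray filler) decoded with unescape, plus an eval call.
_JS_BODY = (b'var sc = unescape("' + b"%u9090" * 20 + b'%u41eb");\n'
            b'var f = eval("ale" + "rt"); f(sc.length);')
_STREAM = zlib.compress(_JS_BODY)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
    b"4 0 obj << /Length " + str(len(_STREAM)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _STREAM + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Same skeleton with no action and no script: should score zero.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
NAME_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")          # /J#53 -> /JS
PACKED_RE = re.compile(rb"(?:%u[0-9A-Fa-f]{4}){8,}")     # long %uXXXX runs
SWF_MAGIC_RE = re.compile(rb"[FC]WS[\x01-\x40]")         # SWF header (FWS/CWS) + version byte


def normalize(data: bytes) -> bytes:
    """Inflate every FlateDecode stream that decompresses cleanly and undo #xx name escapes."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate (or damaged): the raw bytes are still scanned below
    joined = b"\n".join(parts)
    return NAME_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), joined)


def triage_pdf(data: bytes) -> dict:
    """Score the static indicators described in the text; a score of 3 or more is 'suspicious'."""
    text = normalize(data)
    indicators = {
        "javascript":     bool(re.search(rb"/JavaScript|/JS\b", text)),
        "auto_action":    bool(re.search(rb"/OpenAction|/AA\b", text)),
        "embedded_flash": bool(re.search(rb"/RichMedia|x-shockwave-flash", text)
                               or SWF_MAGIC_RE.search(text)),
        "packed_escapes": bool(PACKED_RE.search(text)),
        "dynamic_eval":   bool(re.search(rb"\b(?:eval|unescape)\s*\(", text)),
    }
    score = sum(indicators.values())
    return {"indicators": indicators, "score": score, "suspicious": score >= 3}


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(label, triage_pdf(blob))
```

Real samples split the script across several objects, use filters other than FlateDecode and nest the payload in layers of eval, so a low score is not a clean verdict; use the scorer to decide which attachments go to a sandbox or an instrumented reader, and keep the reader patched regardless.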

-- Update June 24, 2008 --
New malware was discovered exploiting a vulnerability in Adobe Reader 8.1.1 and some other versions (CVE-2007-5659).

More information on this vulnerability at:

http://www.adobe.com/support/security/bulletins/apsb08-15.html

When successful, the malicious PDF files drop the following files:

%WinDir%\system32\0004cfd7.001 (file name can be random)
%WinDir%\system32\auoouv.dll (file name can be random; identified as the BackDoor-CKB trojan)

(where %WinDir% is the default Windows directory, for example C:\WINNT or C:\WINDOWS)

It hooks system startup by adding the following registry keys (the service name can be random), for instance:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jfphca\Parameters\ServiceDll: "%SystemRoot%\System32\auoouv.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jfphca\Type: 0x00000110
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jfphca\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jfphca\ErrorControl: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jfphca\ImagePath: "%WinDir%\System32\svchost.exe -k jfphca"

The dropped malware attempts to connect with a remote server:

  • fsky.8800.org
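
The service registration quoted above is the classic svchost-hosted persistence pattern: a DLL dropped into System32 is registered as the ServiceDll of a new auto-start service, and svchost.exe loads it through a service group of the malware's own choosing. The following Python script is an added example, not part of the McAfee description or its removal routine: it parses a flat Key\Value: data listing in the format quoted above, decodes the Type and Start DWORDs, and flags svchost-hosted services whose -k group is not in a baseline or whose Type flags do not fit svchost hosting. The Dnscache control entry and the group baseline are constructed for the example; a real audit would read the group list from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost on the host being checked.

```python
import re
from dataclasses import dataclass, field

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

# Constructed sample listing: the jfphca lines are the ones quoted in the text;
# Dnscache is a constructed benign control entry with its standard Windows values.
SAMPLE_LISTING = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jfphca\Parameters\ServiceDll: "%SystemRoot%\System32\auoouv.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jfphca\Type: 0x00000110
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jfphca\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jfphca\ErrorControl: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jfphca\ImagePath: "%WinDir%\System32\svchost.exe -k jfphca"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\ServiceDll: "%SystemRoot%\System32\dnsrslvr.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Type: 0x00000020
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\ImagePath: "%SystemRoot%\System32\svchost.exe -k NetworkService"
"""

# Standard SERVICE_* values for the Start and Type DWORDs.
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
TYPE_FLAGS = {0x001: "kernel_driver", 0x002: "fs_driver", 0x010: "own_process",
              0x020: "share_process", 0x100: "interactive"}
# Constructed baseline of svchost host groups (these are real Windows group names,
# but a real audit reads the list from the Svchost key of the host being checked).
KNOWN_SVCHOST_GROUPS = {"netsvcs", "LocalService", "NetworkService", "rpcss", "DcomLaunch"}


@dataclass
class Service:
    name: str
    values: dict = field(default_factory=dict)  # "Type", "Start", "Parameters\ServiceDll", ...


def parse_listing(text: str) -> dict:
    """Group Key\\Value: data lines under the Services key by service name."""
    services = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(SERVICES_PREFIX) or ": " not in line:
            continue
        path, data = line.split(": ", 1)            # registry paths never contain ':'
        rest = path[len(SERVICES_PREFIX):]
        name, _, value_path = rest.partition("\\")  # service name, then subkey\value
        services.setdefault(name, Service(name)).values[value_path] = data.strip().strip('"')
    return services


def parse_dword(text: str) -> int:
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def decode_type(type_value: int) -> list:
    return [label for bit, label in TYPE_FLAGS.items() if type_value & bit]


def svchost_group(image_path: str):
    """Return the -k group name when the service is hosted by svchost.exe, else None."""
    m = re.search(r"svchost\.exe\s+-k\s+(\S+)", image_path, re.I)
    return m.group(1) if m else None


def audit(services: dict) -> dict:
    """Map each suspicious svchost-hosted service to the reasons it was flagged."""
    findings = {}
    for svc in services.values():
        group = svchost_group(svc.values.get("ImagePath", ""))
        if group is None:
            continue
        start = parse_dword(svc.values.get("Start", "3"))
        flags = decode_type(parse_dword(svc.values.get("Type", "0")))
        dll = svc.values.get("Parameters\\ServiceDll")
        reasons = []
        if group not in KNOWN_SVCHOST_GROUPS:
            reasons.append(f"svchost group '{group}' not in baseline")
        if "share_process" not in flags:
            reasons.append(f"Type {flags} inconsistent with svchost hosting (expected share_process)")
        if reasons:
            reasons.append(f"start={START_NAMES.get(start, start)}, dll={dll}")
            findings[svc.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(parse_listing(SAMPLE_LISTING)).items():
        print(name, reasons)
```

The check deliberately does not depend on the random file or service names the text warns about; it keys on the shape of the registration, which is why the constructed Dnscache entry passes while jfphca is reported for both the unknown host group and the own_process/interactive Type that does not fit a service svchost is supposed to host.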

-----------Update January 18, 2011----------------

When successful, the malicious PDF files drop the following files:

%WinDir%\system32\12.exe (file name can be random; identified as the Generic Backdoor.u trojan)

Upon execution, 12.exe adds a shortcut named "Microsoft Windows Update.lnk", connects to 64.207.0.24, and holds handles to csrss.exe, lsass.exe and svchost.exe.

It may monitor key strokes and other system use on the compromised machine.

-- Update February 11, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9061938&intsrc=news_ts_head

--

These maliciously crafted PDF files exploit a buffer overflow vulnerability in Adobe Reader which was recently patched in version 8.1.2.

More information on the patch from the vendor at:

When successful, some variants may download further malware from the following domain(s):

  • 85.17.221.xx

Symptoms

  • Unexpected network connections from Adobe Reader
  • In some cases, Adobe Reader crashes or terminates abnormally.

Method of Infection

These maliciously crafted PDF files exploit a buffer overflow vulnerability in Adobe Reader 8.1.1 or older.

Removal

All Users:
Use the specified engine and DAT files for detection.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

-- Update April 07, 2009 --

The risk assessment of this threat has been updated due to media attention at:
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=224201577

--

-- Update November 11, 2008 --

A recent variant was discovered disguised as a PDF document using the filenames data.pdf and info.pdf. When successful, it executes a malicious JavaScript that exploits a patched Adobe Reader vulnerability.

-- Update August 7, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.vnunet.com/vnunet/news/2223416/malware-writers-juice-olympics

-- Update August 6, 2008 --

A recent variant was discovered to be disguised as a PDF document coming from the International Olympic Committee (IOC). This variant was proactively detected as Exploit-PDF.b since the 5317 DATs (June 13th, 2008).

The victim is lured to open a malicious file attachment with the following filename:

  • ioc_guidelines_for_persons_accredited_at_the_xxix_olympiad.pdf.

When successful, it executes a malicious JavaScript that exploits a patched Adobe Reader vulnerability.

It then installs a backdoor detected as BackDoor-DMG.

-- Update February 11, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9061938&intsrc=news_ts_head

--

This detection covers maliciously crafted PDF files which attempt to exploit a buffer overflow vulnerability in Adobe Reader which was recently patched in version 8.1.2.

Aliases

  • EXPL_PIDIEF.O (TrendMicro)
  • Trojan.Pidief.C (Symantec)
