In association with heise online

The repertoire

Somehow I don't feel comfortable relying on my anti-virus software to have detected and blocked all this malware. Then again I don't really fancy wiping the whole system on the basis of a hunch. And my travel expenses are still staring up at me accusingly. So I set off in pursuit of the actual exploit the PDF file has attempted to use on me.

Further down in the JavaScript, I discover it accessing app.viewerVersion.toString(). Oy vey – it looks like the code has a whole repertoire of exploits which it can bring to bear depending on the Adobe Reader version detected. The first looks familiar – I recall a buffer overflow in Collab.collectEmailInfo. A quick web search digs up a posting on Security Focus from early 2008; it's been fixed since version 8.1.2 – I'm in luck. But this PDF has something in reserve. On newer version of Reader it tries out other exploits, which are even secured by a try/catch block.

var vkQkwqXx = app;

This exploits a bug in Collab.getIcon. The SecurityFocus database claims that this was fixed in Adobe Reader 9.1 in March 2009. Spring 2009 – I must have updated since then. The author doesn't waste any resources on this PDF trojan – he limits his exploits cleanly to vulnerable versions:

if((waNWb0AX4 >= 8.102 && waNWb0AX4 < 8.104) ||
(waNWb0AX4 >= 9 && waNWb0AX4 < 9.1) ||
waNWb0AX4 <= 7.101)

The third of the bunch, an exploit for a buffer overflow in util.printf. It only affects Reader versions 8.102 and 7.1. That appears to be the lot. So the effort has been worth it – I can save myself a re-installation, my computer must be clean. And in the last line I find out why Reader waited a few seconds before crashing. The bastard has installed a time fuse:

app.setTimeOut("app.jTSCccXdL()", 10);

The jTSCccXdL() function, which contains the logic for the exploit, is triggered after ten seconds.

But then, why did Reader crash if it's not vulnerable to the exploit? Putting to one side the fact that the program shouldn't crash if the buffer overflow is caught cleanly, I've seen with my own eyes that the exploit should only be triggered on older, vulnerable versions. Hold your horses, I think I'd better take another look. Balls! It's there in black and white, Reader says "Version 9.0". How could that happen? My computer is almost certainly infected. I can't be arsed to go hunting around after whatever update.exe & Co. have deposited on my system. It's time to revert back to yesterday's image. Ah well, at least that leaves me half an hour before I have to tackle those damn travel expenses. (ju)

About CSI:Internet

In our "Crime Scene Internet" series, experts examine suspicious files using every trick in the book. Watch over their shoulders as they track down real malware – because all this really could have happened.

As in the first episode, our analyst this time was Thorsten Holz from Germany's Honeypot project. In his day job he's an assistant professor at Ruhr University, specialising in malware analysis. The next episode will focus on the case of the suspicious Flash file. Episode one was Alarm at the pizza service. and episode 2, The image of death .

Next: A commented exploit listing

Print Version | Permalink:
  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit