July 05, 2011

 

Hackers are becoming more sophisticated and are investing resources to evade anti-malware detection. As recent breaches have shown, hackers are already seeing the fruits of their labor. In these spear-phishing attacks, the hacker gained access by sending out files (whether PDF, Excel or Word docs) to company employees. All that was needed was a single individual to open that file – and the attacker penetrated the organization.

How do hackers hide their code in the file? A couple of months ago, we published a PDF Hack in Action which showed how the attackers embed their malicious code within a PDF file. But we left you wondering what that malicious code really does.

Tomer Bitton from our ADC provides that missing link. In this four-part analysis he shows how to pinpoint the existence of the malicious code (in hacker lingo – the shellcode), extract that shellcode, analyze its behavior, and finally, he presents the complete shellcode flow graph.

This analysis is extremely technical and complicated so a defribilator may come in useful.

  Defibrillator

Step 1: Finding the Hidden Shellcode Within a Malicious PDF

Using pdf-parser.py (Didier Stevens’s great tool) we can track down the structure of the malicious PDF.

First, let’s look for Javascripts:

Shell1

 Deobfuscating the objects:

  Shell2

  Next, we use the Malzilla tool for running the scripts:

  Shell3

 Great, let’s paste it to txt file:

  Shell4

What we see is a PDF that tries to exploit 3 vulnerabilities:

Shell5

CVE-2008-2992 by function util_printf()

CVE-2007-5659 by function collab_email()

CVE-2009-0927 by function collab_geticon()

 

#1:

  Shell6

 

#2:

  Shell7

 #3:

  Shell8

 

In the next entry we’ll extract that shellcode.

 

 


Authors:

Share:
Share on LinkedIn

Comments

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.