|From: PDF@Exploit| |To: Zeus@Trojan| |Subject: Steals Bank Credentials|

Written by traversecode on . Posted in Bot Analysis, Exploit Analysis, Malware Analysis

INTRODUCTION:

The title gives away what this post contains. It explains how exploit code embedded in a PDF uses a vulnerability to install a Zeus Trojan on a victim's machine, and which banks the Trojan targets to steal user credentials.

THE FLOW:

image

In the diagram above, the user is either socially engineered or visits a malicious website, and ends up viewing a malicious PDF document that contains the exploit code. Depending on the version of Adobe Reader the user runs, the exploit code triggers a known vulnerability, then downloads and installs a Zeus Trojan from the remote server. That is how the user becomes a victim of this attack.

EXPLOIT CODE:

Let us see what the exploit code contains. For that I used the File Insight tool to view the contents of the PDF.

image

Do you see the encoded JavaScript embedded inside the PDF?

Now we will decode this script to find the exploit code. Here I am going to use one of my favourite tools, Malzilla.

Before that, let us understand how Malzilla treats this code to decode the script. Let's look at the code snippet:

var a = '';
var b = '<Encoded Code>';   // the long encoded string embedded in the PDF
var c = '3148569207';       // key: a permutation of the digits 0 to 9
// Rebuild the script one character at a time: b is treated as ten blocks of
// 3498 characters, and the digits of c give the order in which the blocks are read
for (var i = 0; i < 3498; i++)
    for (var j = 0; j < 10; j++)
        a += b.charAt((parseInt(c.charAt(j)) * 3498) + i);
eval(unescape(a));          // percent-decode the reassembled text and run it

In this code, the loop reorders the characters of the encoded string b into a, and eval(unescape(a)) is responsible for decoding and executing the result. So Malzilla locates this function and executes the script.
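The loop above is a column transposition keyed by the digit string c: b is treated as ten blocks of 3498 characters and a is rebuilt by taking the i-th character of each block in the order the key digits give, after which unescape() percent-decodes it. The JavaScript below is an added example, not code from the post or from Malzilla, that performs the same decoding as a pure function returning the script as text instead of executing it; it generalises the block length from the input rather than hard-coding 3498, and the sample script, helper names and the inverse encoder used to build the test input are constructed for this example.

```javascript
// Added example (not code from the post): undo the loader's transposition and
// percent-encoding without eval(). Helper names and the sample are constructed.
const KEY = '3148569207'; // the digit string c from the sample
// The key must be a permutation of 0..n-1, otherwise blocks would overlap.
function checkKey(key) {
  const digits = [...key].map((d) => parseInt(d, 10));
  if (new Set(digits).size !== key.length || digits.some((d) => !(d >= 0 && d < key.length)))
    throw new Error('key must be a permutation of 0..' + (key.length - 1));
  return digits;
}

// Same loop as the loader, but the block length is derived from b (3498 in the
// sample) and the reassembled string is returned instead of eval(unescape(a)).
function transposeDecode(b, key) {
  const digits = checkKey(key);
  if (b.length % digits.length) throw new Error('length is not a multiple of the key length');
  const blockLen = b.length / digits.length;
  let a = '';
  for (let i = 0; i < blockLen; i++)
    for (let j = 0; j < digits.length; j++) a += b.charAt(digits[j] * blockLen + i);
  return a;
}

// Inverse of that loop: column j of each plaintext row goes into block digits[j].
// Used here only to build test data; the PDF ships b already encoded.
function transposeEncode(plain, key) {
  const digits = checkKey(key);
  const blockLen = Math.ceil(plain.length / digits.length);
  const padded = plain.padEnd(blockLen * digits.length, ' ');
  const blocks = new Array(digits.length).fill('');
  for (let i = 0; i < blockLen; i++)
    for (let j = 0; j < digits.length; j++) blocks[digits[j]] += padded.charAt(i * digits.length + j);
  return blocks.join('');
}

// Minimal stand-ins for the legacy escape()/unescape() pair (ASCII input only).
function percentEscape(s) {
  return s.replace(/[^A-Za-z0-9]/g,
    (ch) => '%' + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'));
}
function percentUnescape(s) {
  return s.replace(/%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})/g,
    (_, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}
// What eval() would have received, returned as text for review instead of run.
function recoverScript(b, key) { return percentUnescape(transposeDecode(b, key)).trimEnd(); }

// Constructed, harmless stand-in for the attacker's second-stage script.
const SAMPLE_SCRIPT = "app.alert('constructed sample, not the real payload');";
const SAMPLE_ENCODED = transposeEncode(percentEscape(SAMPLE_SCRIPT), KEY);
```

Feeding the real b and c from a sample into recoverScript() yields the second-stage script as text, which is what the Malzilla screenshot shows.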

image

As you can see in the screenshot above, the decoded script is itself another encoded script, which has to be converted to ASCII form. Let us use Malzilla again to obtain the actual exploit code.

image

Here we get the actual exploit code, which targets Adobe Reader. The code uses three vulnerabilities in Adobe Reader to execute the attacker's arbitrary code:

  • the util.printf vulnerability, if the Adobe Reader version is greater than 8
  • the collectEmailInfo vulnerability, if the Adobe Reader version is lower than 8
  • the getIcon vulnerability, if the Adobe Reader version is lower than 9.1

With the util.printf vulnerability, the exploit code performs a heap spray. The collectEmailInfo and getIcon vulnerabilities are exploited through a stack-based buffer overflow that executes the arbitrary code.

LET'S WATCH THE MOVIE IN OLLY:

We may listen to thousands of stories, but nothing equals watching the action live. I'll show you what the exploit code actually does on the stack to overflow it and execute the attacker's code.

As I used an Adobe Reader version lower than 8 for testing, the exploit code used the collectEmailInfo vulnerability to attack my machine.

I loaded Adobe Reader in Olly Debugger and opened the malicious PDF file to see how the stack overflow happens. Obviously, the JavaScript embedded in the PDF has to be executed in memory to decode and run the exploit code, so I went to the module EScript.api, which is responsible for executing JavaScript in PDF files. In the screenshot below you can see the encoded JavaScript moved into the EAX register, ready for the EScript.api module to decode the script.

image

After stepping through a long loop, we find the decoded script in the dump window, ready to be executed.

image

The script then calls the collectEmailInfo function to trigger the buffer overflow. In the screenshot below we can see collectEmailInfo pushed onto the stack for execution.

image

Here comes the overflow part, where the stack is overwritten with the address 0x0C0C0C0C, which points to memory filled with nop (0x90) instructions. The nop instruction just occupies memory and does nothing, so when execution reaches it, the run of nops carries control through the buffer to the shellcode.

image

The overflow is made by overwriting the stack with the address 0C0C0C0C from 0012C528 up to the end of the stack at 0012FFFC. Since the function's return address is now overwritten, EIP will point to the shellcode and execute it.

As you see in the screenshot below, after the buffer overflow control passes to the attacker's code, which downloads a file from the remote server and executes it.

image

The downloaded binary was a Zeus Trojan, which in turn downloaded an encrypted config file from the remote server. I performed the same decryption routine as in my previous post. The decrypted file listed the financial institutions targeted by this Trojan, such as:

  • http://us.hsbc.com
  • https://treas-mgt.frostbank.com
  • https://rbs.com
  • https://www.jpmorgan.com
  • https://bnycash.bankofny.com
  • https://itreasury.regions.com
  • http://www.alerusfinancial.com
  • https://ecash.dacotahbank.com

CONCLUSION:

This post shows how important updates are. Let us keep our applications up to date instead of becoming victims. It is time to turn on automatic updates for every application we use.

Comments (21)

  • karthik

    Yet another good tut :)

    keep ’em coming….

  • Paco

    Very good report, please keep writing!!

  • sanjay.d.bhalerao

    Quite interesting.

  • Can You Trust That File? « Aggressive Virus Defense

    [...] |From: PDF@Exploit| |To: Zeus@Trojan| |Subject: Steals Bank Credentials| walks through how a maliciously crafted PDF installs malware. Illustrates File Insight, Malzilla, and Olly Debugger. [...]

  • thehorse13

    Where do you find the “file insight” tool you mention above?

  • Kicker

    I am not sure this is true :), but thanks anyway.

    Kicker

    • Ruben Arias

      Kicker :
      I am not sure this is true :), but thanks anyway.
      Kicker

      Translation of this post:

      I am not sure that this is true, but thanks anyway.

      Kicker
      End of translation

      I strongly disagree.
      This threat is REAL. Dear Kicker, my advice to you is to read more about the security issues that have been spreading and growing a lot during the last few years.

      regards

      Ruben Arias

  • Mainak Biswas

    hey,

    good posting…

    Where can I get the File Insight tool?

  • Ruben Arias

    Dear Shiv,

    Everything (as usual!) is fantastic and well presented.
    You are inspiring me to launch my own blog too!

    One suggestion to enhance the site even more.
    Can you advise people about how to avoid this or other threats?
    (For example: for this threat I suppose it is enough to deactivate Java in Adobe)

    Hope you understand my point. Tell me if you need clarification. Regards

    Ruben

    • Shiv - Threat Research Analyst

      Thank you so much for the suggestion, Ruben. Yes, I understand what you are trying to tell me. I guess I have to concentrate on MITIGATIONS (as you said, like disabling JavaScript in Adobe) for such attacks in my forthcoming posts. Sure, I'll do that.

  • Quendi

    Thanks a lot for your posts.

    They are big lessons for me.

  • varadharajan

    Hi Shiv!

    I have done everything according to the tutorial. I opened Adobe Reader in Olly and then opened the malicious PDF, however I am not sure how to reach EScript.api through Olly.

    Thanks in Advance!

    • Shiv - Threat Research Analyst

      I am extremely sorry for the late reply. To reach EScript.api I'll tell you an easy way. Load adobe.exe in Olly and press F9. Now press ‘E’ to go to the modules, find EScript.api and place breakpoints on all the calls. Now load a malicious PDF file using the adobe.exe that is already loaded in Olly. The code breaks when EScript.api finds the JavaScript, as you have set the breakpoints. This will help you reach EScript.api.

  • jake

    Hey, great post. I was wondering how they know that Adobe has JS functions called util.printf, getAnnots or collectEmailInfo() just from disassembling the EScript.api, as I did that and couldn't find any functions with these names, etc. I have searched through the EScript.api in IDA Pro and looked at all the functions and through all the folders and DLLs and can't find any trace of those function names or where they are. I also can't find any JavaScript files that ship with the installation. Anyone know this step? Thanks

    • Shiv - Threat Research Analyst

      Hi Jake,

      Thanks for the feedback. By the way, the EScript.api I mentioned in the post is used to view the decrypted JavaScript code. EScript.api is the module responsible for handling JavaScript in Adobe. The functions getAnnots and collectEmailInfo are not in EScript.api; those functions are in Annots.api. To view those functions, load adobe32.exe in Olly and press F9. Go to modules by clicking ‘E’, find the Annots.api module, right-click on it and dump the file. Now you can find these functions by loading it in IDA or even in BinText. Please let me know if you need any assistance.

      Regards,
      Shiv
