The title says what this post covers: how exploit code embedded in a PDF uses a vulnerability to install a Zeus Trojan on a victim's machine, and which banks the Trojan targets to steal user credentials.
In the diagram above, the user is either socially engineered or visits a malicious website, and ends up opening a malicious PDF document that contains the exploit code. Depending on the version of Adobe Reader in use, the exploit code triggers a known vulnerability, then downloads and installs a Zeus Trojan from a remote server. The user thereby becomes a victim of the attack.
Let us see what the exploit code contains. For that I used the File Insight tool to view the contents of the PDF.
Now we will decode this script to find the exploit code. Here I am going to use one of my favourite tools, Malzilla.
Before that, let us understand how Malzilla treats this code to decode the script. Consider the code snippet:
var a = '';                      // accumulator for the decoded script
var b = '<Encoded Code>';        // the obfuscated payload (omitted here)
var c = '3148569207';            // 10-digit permutation key
for (var i = 0; i < 3498; i++)   // 3498 = length of b divided by 10
  for (var j = 0; j < 10; j++)
    a += b.charAt((parseInt(c.charAt(j)) * 3498) + i);
eval(unescape(a));               // decode and execute the reassembled script
In this code, eval(unescape(a)) is responsible for decoding and executing the reassembled string. Malzilla finds this call and runs the script.
As you can see in the screenshot above, the decoded script is itself another encoded script, which has to be converted to ASCII form. Let us use Malzilla again to obtain the actual exploit code.
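The decoder loop above and the second %XX layer can be reproduced without ever calling eval(), which is how an analyst recovers the script for inspection. The following is an added example written for this post, not code from the original; the key '3148569207' is the value shown above, while the sample script, the encodeBlock fixture builder and the function names are constructed for the demonstration.

```javascript
// Added example, not code from the post: a safe re-implementation of the
// decoder loop so an analyst can recover the script WITHOUT calling eval().
// The key '3148569207' is the value shown in the post; the sample script
// below is constructed for this demonstration and is not the real payload.
const KEY = '3148569207';

// Decode exactly as the post's loop does: for each position i in the block,
// pull one character per key digit from offset digit*blockLen + i.
function decodeBlock(b, blockLen, key = KEY) {
  let a = '';
  for (let i = 0; i < blockLen; i++) {
    for (let j = 0; j < key.length; j++) {
      a += b.charAt(parseInt(key.charAt(j), 10) * blockLen + i);
    }
  }
  return a; // returned for inspection, never passed to eval()
}

// The block length is what the post's hard-coded 3498 encodes:
// total payload length divided by the number of key digits.
function blockLength(b, key = KEY) {
  if (b.length % key.length !== 0) {
    throw new Error('payload length is not a multiple of the key length');
  }
  return b.length / key.length;
}

// Inverse permutation, used here only to build a test fixture. Because the
// key digits 0-9 are all distinct, every output index is written exactly once.
function encodeBlock(plain, key = KEY) {
  const blockLen = blockLength(plain, key);
  const out = new Array(plain.length);
  for (let i = 0; i < blockLen; i++) {
    for (let j = 0; j < key.length; j++) {
      out[parseInt(key.charAt(j), 10) * blockLen + i] = plain.charAt(i * key.length + j);
    }
  }
  return out.join('');
}

// Second layer from the post: the decoded text is still %XX-escaped and had
// to be turned into ASCII. This mirrors unescape() for the %XX form only.
function unescapeForInspection(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Constructed fixture: a harmless script, padded to a multiple of 10 chars.
const SAMPLE_SCRIPT = "var x = 'hello';\nvar y = x + ' world';\n".padEnd(50, ' ');
const SAMPLE_ENCODED = encodeBlock(SAMPLE_SCRIPT);

// Recover the fixture the way Malzilla would, but return it instead of running it.
function recoverSample() {
  return decodeBlock(SAMPLE_ENCODED, blockLength(SAMPLE_ENCODED));
}

// Stand-alone run: print the recovered script rather than executing it.
console.log(recoverSample());
console.log(unescapeForInspection('%76%61%72')); // "var"
```

The only change from the loop in the post is that the accumulator is returned instead of evaluated; everything else (the index arithmetic, the hard-coded block length as length/10) is the same, so the same function recovers a real sample once its payload string and block length are pasted in.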
Here we get the actual exploit code, which targets Adobe Reader. It uses three vulnerabilities in Adobe Reader to execute the attacker's arbitrary code:
- util.printf vulnerability, if the Adobe Reader version is greater than 8
- collectEmailInfo vulnerability, if the Adobe Reader version is less than 8
- getIcon vulnerability, if the Adobe Reader version is less than 9.1
The exploit code uses the util.printf vulnerability to perform a heap spray. The collectEmailInfo and getIcon vulnerabilities are exploited through a stack-based buffer overflow, which then executes the arbitrary code.
LET'S WATCH THE MOVIE IN OLLY:
Though we hear thousands of stories, nothing equals watching it live. I'll show you what the exploit code actually does on the stack to overflow it and execute the attacker's code.
As I used an Adobe Reader version lower than 8 for testing, this exploit code used the collectEmailInfo vulnerability to attack my machine.
After traversing a long loop, we can find the decoded script in the dump, ready to be executed.
The script then calls the collectEmailInfo function to perform the buffer overflow. In the screenshot below we can see the collectEmailInfo call pushed onto the stack for execution.
Here comes the overflow part, where the address 0x0C0C0C0C, which points to memory filled with 'nop' (0x90) instructions, is written over the stack. A nop instruction just occupies memory and does nothing, so when execution lands there, the nop sled carries it along the buffer until it reaches the shellcode.
The overflow is made by overwriting the stack with the address 0x0C0C0C0C from address 0012C528 to the end of the stack at 0012FFFC. Since the function's return address is now overwritten, EIP will point to the shellcode and execute it.
As you can see in the screenshot below, after the buffer overflow the control is passed to the attacker's code, which is downloaded from the remote server and then executed.
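The indicators named in the post (the eval/unescape decoder, the charAt permutation loop, the three Adobe Reader API calls, the 0x0C0C0C0C spray address and the 0x90 nop sled) are enough for a first static triage of JavaScript pulled out of a PDF. The following scorer is an added example written for this post, not code from the original or from any tool mentioned in it. It assumes app.viewerVersion as the Acrobat JavaScript property an exploit would read for its version branch (the post does not show that check), and all three sample scripts are constructed.

```javascript
// Added example, not code from the post: a static triage scorer for
// JavaScript extracted from a PDF. The indicators are the ones the post
// names; app.viewerVersion is assumed here as the version check the
// exploit would need. All sample scripts below are constructed.
const INDICATORS = [
  { name: 'eval-unescape',    re: /eval\s*\(\s*unescape\s*\(/i,           weight: 3 },
  { name: 'charAt-loop',      re: /\.charAt\s*\(\s*\(?\s*parseInt\s*\(/i, weight: 2 },
  { name: 'util.printf',      re: /util\.printf\s*\(/,                     weight: 4 },
  { name: 'collectEmailInfo', re: /collectEmailInfo\s*\(/,                 weight: 4 },
  { name: 'getIcon',          re: /\.getIcon\s*\(/,                        weight: 4 },
  { name: 'spray-address',    re: /0c0c0c0c|%u0c0c/i,                      weight: 3 },
  { name: 'nop-sled',         re: /(%u9090){4,}/i,                         weight: 3 },
  { name: 'version-branch',   re: /app\.viewerVersion/,                    weight: 1 },
];

// Score one script: which indicators fired, their summed weight, and a verdict.
function triageScript(src) {
  const fired = INDICATORS.filter(ind => ind.re.test(src));
  const score = fired.reduce((sum, ind) => sum + ind.weight, 0);
  const verdict = score >= 6 ? 'malicious' : score >= 3 ? 'suspicious' : 'clean';
  return { score, hits: fired.map(ind => ind.name), verdict };
}

// Constructed samples: a harmless form script, the decoder loop from the
// post with its payload omitted, and a stage-2 stub naming the API calls.
const SAMPLE_BENIGN = "this.getField('total').value = 42;";
const SAMPLE_DECODER = [
  "var a = '';",
  "var b = '<Encoded Code>';",
  "var c = '3148569207';",
  "for (var i = 0; i < 3498; i++)",
  "  for (var j = 0; j < 10; j++)",
  "    a += b.charAt((parseInt(c.charAt(j)) * 3498) + i);",
  "eval(unescape(a));",
].join('\n');
const SAMPLE_STAGE2 = [
  "var spray = unescape('%u0c0c%u0c0c');",
  "if (app.viewerVersion < 8) { Collab.collectEmailInfo({ msg: spray }); }",
].join('\n');

// Run all samples; returned as an object so the results can be checked.
function triageAll() {
  return {
    benign: triageScript(SAMPLE_BENIGN),
    decoder: triageScript(SAMPLE_DECODER),
    stage2: triageScript(SAMPLE_STAGE2),
  };
}

console.log(JSON.stringify(triageAll(), null, 2));
```

The decoder stage alone only scores as suspicious, because a permutation loop feeding eval() also appears in packed but legitimate scripts; it is the decoded stage 2, with the Reader API call next to the spray address, that crosses into malicious. In practice the scorer is run on the output of the decoding step, not just on the outer layer.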
The downloaded binary was a Zeus Trojan, which in turn downloaded an encrypted config file from the remote server. I performed the same decryption routine as in my previous post. The decrypted file contained the financial institutions targeted by this Trojan, such as:
This post shows how important updates are. Let us keep our applications up to date instead of becoming victims. So it is time to turn on automatic updates for every application we use.