PDF Exploit Malware #2 :: Carrier
This time our pdf exploit malware has md5 1c60c948c901b7aa86b3e40a478948b2.
At this moment, virustotal.com reports this sample as “no result”… nice ;)
I named this one “Carrier” (name taken from the Starcraft series).
You will soon discover the reason for this choice.
In order to grab some information, please open it with a text editor.
We can notice only one big stream, compressed with zlib. So select the blob and decompress it with zlib. We logically split the resulting javascript code into three parts.
Part I.
We can see a function that removes a toy obfuscation by simply replacing “!#” (and “\n”, if you want) with the empty string “”.
So after replacing the above string, we have the plain javascript code of this block.
Part II.
At the end of the obfuscated block, we can see a small javascript code:
This is the brain of the whole code. It decides which exploit to use based on the Reader version number.
Part III.
Well now we jump back to the javascript code with the toy obfuscation (Part I).
After deobfuscating the code, we can easily walk through the javascript. We have four functions. Let’s look at them one by one.
F1: printd.
It exploits a vulnerability related to the util.printd() method.
F2: emailinfo.
It exploits a vulnerability related to the Collab.collectEmailInfo() method.
F3: util_printf.
It exploits a vulnerability related to the util.printf() method.
F4: geticon.
It exploits a vulnerability related to the Collab.getIcon() method.
Put all Together.
All of the exploits (related to known bugs) use the same shellcode, which downloads malware from the following website:
At this moment this website is online and it is possible to download the malware; the md5 of the malware is D37B3145882007E3D4DF2104C3A07948.
Conclusions.
Time to say some final words. This pdf exploit malware has only a toy obfuscation but it carries four exploits, for various versions of Adobe Reader. I will give you a recap picture of the “Carrier” as a last gift (click to enlarge)…
I hope you have enjoyed this new trip into the pdf bug-land.
See you soon ;)
4 Responses
Great write up Ratsoul!
> At this moment, virustotal.com reports this sample as “no result”… nice
This is because you did not try to scan PDF sample. Scan it at least once and you will see multiple vendors already detect it.
Hi Yaan,
I was referring to the Hash Search on virustotal, because I wanted a fast feedback about this sample, anyway thank you for your comment.
Hi there, if you are interested I have posted other analysis about PDF vector attack. http://extraexploit.blogspot.com