On April 27, 2010, Bkis’ Honeypot system discovered a new wave of attacks exploiting the PDF /Launch vulnerability via spam emails.
As analyzed in a previous entry (Will there be new viruses exploiting /Launch vulnerability in PDF?), Zeus only takes advantage of an exploit with limited functionality that is available in Metasploit. This time, however, the malware exploits the true nature of the /Launch vulnerability with a much more sophisticated method. As of now, Adobe has not yet patched this vulnerability.
This malware has two main characteristics that make its exploitation of the /Launch vulnerability more effective than Zeus’ when users open the malicious PDF:
1. It does not require tricking users into saving the malware to the disk drive.
2. Acrobat Reader’s warning message is faked.
The malware taking advantage of /Launch vulnerability is more sophisticated than Zeus
So what Zeus was unable to do is now accomplished by this new malware, which takes advantage of the true nature of the /Launch vulnerability.
If users choose to click Open, 3 files, namely script.vbs, batscript.vbs and game.exe, are generated and executed. These files exist for only about 3 seconds in the folder containing doc.pdf and then disappear. File game.exe is the virus that infects the victim’s computer. Before it is deleted, game.exe copies itself as svchost.exe into the folder "%ProgramFiles%\Microsoft Common".
Specifically, when the Open button is clicked, the /Launch action executes and generates file script.vbs.
Exploit code that generates file script.vbs
- script.vbs is then executed and generates the second file, batscript.vbs, in these steps:
+ Opens file doc.pdf
+ Reads the file and extracts the comment block marked with 'SS and 'EE
+ Removes the comment signs "%" and writes the result to file batscript.vbs
- batscript.vbs then:
+ Generates file game.exe from a binary byte array embedded in its code
+ Runs game.exe
+ Sleeps 3 seconds, then deletes the 3 files: script.vbs, batscript.vbs and game.exe
The whole infection process
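A defender can check statically for the two indicators the chain above relies on: a /Launch action in the PDF and a '%'-comment block delimited by 'SS and 'EE. The following Python triage script is an added example, not code from the Bkis post or the malware; the PDF sample is constructed, and the exact marker spelling and the /S /Launch syntax it matches are assumptions based on the text.

```python
import re

# Constructed, harmless PDF-like sample mirroring the layout the post describes:
# a /Launch action plus a '%'-comment block between 'SS and 'EE markers.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
3 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) >> >> endobj
%'SS
%MsgBox "placeholder line 1"
%MsgBox "placeholder line 2"
%'EE
%%EOF
"""

LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")  # /Launch action dictionaries
MARKER_START, MARKER_END = b"'SS", b"'EE"   # markers named in the post (assumed literal)

def count_launch_actions(data: bytes) -> int:
    """Number of /Launch action dictionaries in the raw PDF bytes."""
    return len(LAUNCH_RE.findall(data))

def extract_comment_block(data: bytes):
    """Comment lines between 'SS and 'EE with the leading '%' removed (the same
    transformation script.vbs performs), or None if no such block exists."""
    inside, block = False, []
    for line in data.splitlines():
        stripped = line.strip()
        if not stripped.startswith(b"%"):
            continue                      # only PDF comment lines matter
        body = stripped.lstrip(b"%")
        if body.startswith(MARKER_START):
            inside = True
            continue
        if body.startswith(MARKER_END):
            break
        if inside:
            block.append(body)
    return block if inside else None

def triage(data: bytes) -> dict:
    """Flag a PDF as suspicious when both indicators are present."""
    launches = count_launch_actions(data)
    block = extract_comment_block(data)
    return {
        "launch_actions": launches,
        "hidden_comment_lines": 0 if block is None else len(block),
        "suspicious": launches > 0 and block is not None,
    }
```

Run `triage(open(path, "rb").read())` over a mail-gateway quarantine to flag candidates for sandboxing; a /Launch action alone is worth reviewing even without the marker block.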
Once executed, game.exe copies itself as svchost.exe into the folder "Microsoft Common". This malware can spread via USB, operate as a bot, and receive commands from 3 C&C servers.
Malware connects to C&C Server
Technical details of the malware operations:
1. Copies itself as file svchost.exe into the folder %ProgramFiles%\Microsoft Common\
2. Writes the keys
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe] Debugger = "%ProgramFiles%\Microsoft Common\svchost.exe", to run the virus at Windows startup
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List], to bypass the firewall
3. Injects malicious code into the system’s svchost.exe and explorer.exe processes.
4. Copies itself as file system.exe, together with an autorun.inf file, onto USB drives to spread via USB
5. Receives commands from the C&C servers:
Of the 3 C&C servers, only the first one works; the other two may be kept for backup. The C&C servers’ domain names use fast-flux DNS, so their IP addresses change continuously.
According to our analysis, two of the three domain names were newly created on April 26, and the other one was created on April 21. These domain names are registered under a Russian name.
We will keep tracking and updating information of this malware.