2 posts tagged 'pdf 취약점' (PDF vulnerability)

  1. 2009.12.22 Adobe 0-day additional malware
  2. 2009.10.23 Gumblar Reloaded
0x02 analysis | 2009. 12. 22. 13:01

I obtained additional Adobe 0-day malware samples.
I also secured the ab.exe file that had not been downloaded in the previous post.

E:\04.analysis\binary\20091216_adobe reader\malware> md5sum *.*
686738eb5bb8027c524303751117e8a9 *ab.exe
8950bbedf4a7f1d518e859f9800f9347 *crazyphoto.pdf
955bade419a9ba9e5650ccb3dda88844 *merry_christmas.pdf
61baabd6fc12e01ff73ceacc07c84f9a *note200911.pdf
61baabd6fc12e01ff73ceacc07c84f9a *note_20091210.pdf
35e8eeee2b94cbe87e3d3f843ec857f6 *outline of interview.pdf
0ab2fd3b6c385049f9eb4a559dbdc8a6 *海基會協商代表團預備性磋商名單.pdf

E:\04.analysis\binary\20091216_adobe reader\malware> ssdeep *.*
6144:53Gcbn2gnsuwtasAlbkdIiXb8K/hYcZVnHIbNwJBBp5:JbwtasAV+xffZ5X5,"E:\04.analysis\binary\20091216_adobe reader\malware\ab.exe"
768:bsg8fN3eX7k3GHsF90azVWqaYXCqntyhovHhv/MVsMepOF:bTYN3z3UscazpXM25EZepG,"E:\04.analysis\binary\20091216_adobe reader\malware\crazyphoto.pdf"
24576:hX+rECBhOc3cZUJe3xcxzV78/g4b3PlD4A8C0u2IcwrjefQM8rkAC:hOrHOcaye3x+V8Y4zH8C1XaoMIc,"E:\04.analysis\binary\20091216_adobe reader\malware\merry_christmas.pdf"
1536:p0AAH2KthGBjcdBj8VETeePxsT65ZZ3pdx/ves/aQR/875+:prahGV6Bj8VE9sT6BpfneilR/8k,"E:\04.analysis\binary\20091216_adobe reader\malware\note200911.pdf"
1536:p0AAH2KthGBjcdBj8VETeePxsT65ZZ3pdx/ves/aQR/875+:prahGV6Bj8VE9sT6BpfneilR/8k,"E:\04.analysis\binary\20091216_adobe reader\malware\note_20091210.pdf"
3072:prahGV6Bj8VE9sT6BpfneiL0jbupQ1S8ZTW5RxSDeF87OiE53a0WYtjdMJokl:pYBj8V7yaRSQTWX8Deu36SmxMJ3,"E:\04.analysis\binary\20091216_adobe reader\malware\outline of interview.pdf"
3072:k36u5/nLzdqJdVmK6pM8qffaRlOxpKs3i1AE:iLzdqJdMfphqfCRlOxpK2i1D,"E:\04.analysis\binary\20091216_adobe reader\malware\???????????????.pdf"
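As an added example (not part of the original post and not the ssdeep project's own code), the script below parses ssdeep's CSV output in the form shown above and scores sample pairs in the spirit of ssdeep's comparison, so that the two identical note*.pdf files and their partial overlap with outline of interview.pdf stand out without reading the hashes by eye. The scoring is a simplified stand-in for libfuzzy's (plain edit distance plus ssdeep's 7-character common-substring rule), and the sample paths are shortened to file names.

```python
import re
LINE_RE = re.compile(r'^(\d+):([^:]*):([^,]*),"(.*)"$')
# Constructed sample: four lines from the ssdeep output above, paths shortened.
SAMPLE = """
6144:53Gcbn2gnsuwtasAlbkdIiXb8K/hYcZVnHIbNwJBBp5:JbwtasAV+xffZ5X5,"ab.exe"
1536:p0AAH2KthGBjcdBj8VETeePxsT65ZZ3pdx/ves/aQR/875+:prahGV6Bj8VE9sT6BpfneilR/8k,"note200911.pdf"
1536:p0AAH2KthGBjcdBj8VETeePxsT65ZZ3pdx/ves/aQR/875+:prahGV6Bj8VE9sT6BpfneilR/8k,"note_20091210.pdf"
3072:prahGV6Bj8VE9sT6BpfneiL0jbupQ1S8ZTW5RxSDeF87OiE53a0WYtjdMJokl:pYBj8V7yaRSQTWX8Deu36SmxMJ3,"outline of interview.pdf"
"""
def parse_ssdeep(text):
    """Return (blocksize, chunk, double_chunk, path) for each ssdeep CSV line."""
    rows = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows

def levenshtein(a, b):  # plain edit distance, standing in for libfuzzy's weighted one
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def chunk_score(a, b):
    """0..100; like ssdeep, score 0 unless the chunks share a 7-char substring."""
    if not any(a[i:i + 7] in b for i in range(len(a) - 6)):
        return 0
    return round(100 * (1 - levenshtein(a, b) / (len(a) + len(b))))

def compare(x, y):
    """Hashes compare only at equal block size or one 2x step apart."""
    bx, cx, dx, _ = x
    by, cy, dy, _ = y
    if bx == by:
        return max(chunk_score(cx, cy), chunk_score(dx, dy))
    if bx == 2 * by:  # x's chunk sits at y's double block size
        return chunk_score(cx, dy)
    return chunk_score(dx, cy) if by == 2 * bx else 0

def similar_pairs(rows, threshold=50):
    """(path_a, path_b, score) for every pair at or above the threshold."""
    return [(x[3], y[3], s) for i, x in enumerate(rows)
            for y in rows[i + 1:] if (s := compare(x, y)) >= threshold]

for a, b, s in similar_pairs(parse_ssdeep(SAMPLE)):
    print(f"{s:3d}  {a}  <->  {b}")
```

The two note*.pdf files score 100 (byte-identical, matching their equal md5), while ab.exe is never comparable to them because its 6144 block size is four steps away from 1536.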

See below for the VirusTotal scan results.

note200911.pdf - November 30

note_20091210.pdf - December 11

ab.exe - the file that note_20091210.pdf downloads (from foruminspace.com)

outline of interview.pdf - December 13

merry_christmas.pdf - December 18

crazyphoto.pdf - December 18

海基會協商代表團預備性磋商名單.pdf - December 21

The domestic (Korean) engines were not detecting any of the malware found on or after December 18. The one exception was the file found on the 21st, which only nProtect detected, as Exploit.PDF-JS.Gen.C02.

Posted by demantos


0x04 reference&tools | 2009. 10. 23. 10:42

[Reference blog]
http://blog.ahnlab.com/asec/162 [added]

Gumblar Reloaded


Posted by John Kuhn and Ryan McNulty with a little help from Holly Stewart on October 19, 2009 at 4:12 PM EDT.

Gumblar is back, and it has an upgraded arsenal of exploits to compromise your browser, Office, and Adobe® products.

Here in Managed Security Services, we’ve noticed a considerable elevation in our global hits on malicious PDF files.  More specifically, the signature used to detect the latest Adobe Reader Remote Code Execution has picked up most of the activity.  Here's a graph of the attacks we’re seeing:

The event count on Oct 19 ended at over a thousand events, five times the normal event count for this kind of malicious PDF and nearly doubling the kind of attack activity we've seen in the past.

Upon reviewing the data, it became very apparent that the sites hosting the malicious files were legitimate websites (privately owned and operated).  All of these websites have been compromised and are now indiscriminately serving the malicious payload to countless victims.

In the past, Gumblar has been known to use stolen FTP password credentials to compromise their victim’s websites.  We can only guess that these compromises were no different.  As website visitors get infected, they (unknowingly) are farmed for any FTP credentials, seemingly providing the Gumblar controllers with an endless supply of future websites they can compromise.

So what’s different this time around?  In previous versions of Gumblar, the malicious scripts and payload were hosted on a remote server.  Iframe code was injected into the compromised website, and it redirected visitors to their rogue server (gumblar.cn).  This time around, they are placing the malicious scripts and payload directly on the compromised host, which gives them a decentralized and redundant attack vector, spread across thousands of legitimate websites around the world.

The uploaded scripts are placed carefully to match existing file structures currently on the websites.  Heavy obfuscation is used in an attempt to evade some existing security measures.

Here's a snippet of the obfuscated malicious script:

Some of the attack vectors have also changed.  Today, we see the following exploits in play:

All of these attacks are very recent and effective at compromising the client side victim in an effort to propagate their malicious payload worldwide.  Coverage for the updated Trojan is still very low according to an analysis done through VirusTotal.

Your best means of protection is to use protections provided by your IPS/IDS device and to apply the latest patches for all of the affected applications, if you haven’t already done so.

Gumblar is a force to be reckoned with, and this latest push of theirs is a true testament to that fact.  As always, we’ll do our best to keep you informed of its changes and activities here.


Change History

Tue, Oct 20, 2009: Updated the chart to reflect the event count total at the end of Monday.


Seeing the word Reloaded reminds me of The Matrix...^^;;
Maybe I'll watch The Matrix tonight....

Posted by demantos
