Vulnerabilities

ZeuS se propaga a través de Facebook

ZeuS sigue en boca de todos, se descarga con falsos antivirus y downloaders, con diferentes exploit kits, y la red social por excelencia no podía ser una excepción. La semana pasada se vieron en Facebook mensajes como el siguiente:

La URL contenida en el mensaje llevaba a un sitio de phishing de Facebook donde se pedía la autenticación en el sistema, a la vez que se ejecutaba código Javascript ofuscado que creaba un iframe oculto en el cuerpo de la página:


La página a la que redirigía el iframe contenía a su vez otros dos iframes:

<iframe g1g="321" src="xd/pdf.pdf" l="56" height="31" width="13">
<iframe g1g="321" src="xd/sNode.php" l="56" height="31" width="13">

Analysis of malicious PDF files

As I mentioned before, one of the ways to hide information in a PDF file is trough the encoding/compression of streams, thanks to filters (/Filter parameter), being /FlateDecode the most used. The bad guys have been using it some time ago to hide obfuscated Javascript code with some vulnerable functions (Collab.collectEmailInfo, util.printf, getAnnots, getIcon, spell.customDictionaryOpen), or using heap-spraying to exploit another vulnerability not related with Javascript, like the /JBIG2Decode filter one.

To help in the analysis of these malicious files I've written a mini Python tool, using Spidermonkey to execute the found Javascript code and showing the shellcode to be launched. Automating the execution of obfuscated Javascript code is not a simple issue because there are many ways of doing it and everyday a new one arises, so I've tried to do an approximation to the problem, thanks to the malicious samples that I've seen. In the case the script won't be able to go till the end it's possible to specify the parameter -w to write to disk the Javascript code, helping to carry out a later manual analysis.

Actions in the Portable Document Format (PDF)

The PDF format is becoming more and more (in)famous due to the lately published vulnerabilities in Adobe products allowing the execution of arbitrary code in the system. Now I don't want to write about these malicious files but I'll do it in future posts.

After the brief comments about the objects we can find in a document of this type and its physic and logic structure I'm going to follow with the actions that can be executed in background. The PDF files aren't static documents but it's possible to specify some kind of programming depending on the user actions. This is where the security problem arises and that becomes a simple PDF in a potential malcode with high probabilities of being executed.

A PDF action is a dictionary object which can contain the following elements:

  • /Type: it's optional and it's used to specify the object type of the dictionary. In this case it's Action.
     
  • /S: it's an obligatory element that defines the type of the action we want to do.
     
  • /Next: it's optional too and specifies the next action or actions to be executed.

 

 

Distribuir contenido