Exploit-PDF.a

This page shows details and results of our analysis of the malware Exploit-PDF.a.

Overview

Exploit-PDF.a is a detection for a specially crafted PDF file that exploits the Adobe Acrobat Mailto Unspecified PDF File Security Vulnerability to execute malicious code on a computer.

More information regarding this vulnerability can be found at the Adobe site:



Minimum Engine

5600.1067

File Length

Varies

Description Added

2006-03-29

Description Modified

2013-02-26

Malware Proliferation

Characteristics

---------------------------Updated on 26 Feb 2013-------------------------------------

Aliases

Microsoft    -    Exploit:SWF/CVE-2011-0611.P
Trend        -    TROJ_PIDIEF.VEV

“Exploit-PDF” is the detection for the fake Mandiant report. Once the PDF is opened it drops an executable and creates a new process under the name "AdobeArm.tmp", which is detected as Backdoor-FAMA. It may arrive as an attachment to a spammed email message, as a file named “mandiant_apt[version]_report.pdf”.

“Exploit-PDF” is the detection for specially crafted PDF files that attempt to exploit software vulnerabilities in Adobe Acrobat, Adobe Flash and Adobe Reader. The PDF document prompts the user for a password; if the password is entered successfully, it drops files under the %Temp% location.

The Trojan checks the versions of installed components such as Adobe Reader and Acrobat. Adobe Reader and Acrobat 9.x before 9.5.4, 10.x before 10.1.6, and 11.x before 11.0.02 allow remote attackers to execute arbitrary code via a crafted PDF document.

Some of the vulnerabilities that various “Exploit-PDF” samples have been known to exploit are:

  • CVE-2013-0641
  • CVE-2011-2462

Upon execution, the PDF document prompts the user for a password; if the password is entered successfully, it drops files in the following locations and opens the Mandiant report:

  • %Temp%\AdobeArm.tmp [Detected as Backdoor-FAMA]
  • %Temp%\Mandiant_APT2_Report.pdf
  • %Temp%\winbha.dat
  • %AppData%\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6
  • %AppData%\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F
  • %AppData%\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  • %AppData%\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6
  • %AppData%\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F
  • %AppData%\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  • %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr0.dat
  • %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr1.dat

The Trojan tries to execute the dropped file and later attempts to connect to the following sites in order to receive commands from the remote attacker, who can then access the infected machine:

  • itsec.e[Removed]p.net
  • 0.0.[Removed].0
  • 24.131.[Removed].63
  • 190.48.[Removed].199

The following registry keys have been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\BITS
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\BITS\CtlGuid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum

The following registry key value has been added to the system:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Load: "%Temp%\AdobeArm.tmp"

The above-mentioned registry key value ensures that the Trojan registers itself on the compromised system and executes upon system boot.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS\StateIndex: 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\BITS\CtlGuid\
    • Guid: "GUID"
    • BitNames: " LogFlagInfo LogFlagWarning LogFlagError LogFlagFunction LogFlagRefCount LogFlagSerialize LogFlagDownload LogFlagTask LogFlagLock LogFlagService LogFlagDataBytes LogFlagTransferDetails"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\BITS\
    • LogSessionName: "stdout"
    • Active: 0x00000001
    • ControlFlags: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup\BITS_metadata: '%AllUsersProfile%\Application Data\Microsoft\Network\Downloader\*'
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\Control\
    • *NewlyCreated*: 0x00000000
    • ActiveService: "BITS"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\
    • Service: "BITS"
    • Legacy: 0x00000001
    • ConfigFlags: 0x00000000
    • Class: "LegacyDriver"
    • ClassGUID: "{GUID}"
    • DeviceDesc: "Background Intelligent Transfer Service"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\
    • 0: "Root\LEGACY_BITS\0000"
    • Count: 0x00000001
    • NextInstance: 0x00000001

The above registry entries confirm that the Trojan uses the “BITS” service in order to send and receive files.

The following registry key values have been modified on the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start: 0x00000002

The above registry change confirms that the Trojan sends and receives files through the “BITS” service and sets the BITS service start type to automatic.
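As an added example that is not part of McAfee's description, the following Python sketch turns the host artifacts listed above (dropped files, the Run\Load persistence value and the BITS Start change) into an offline triage check. It runs against a constructed snapshot of file paths and registry values rather than a live registry; the `HostSnapshot` layout, the `build_*_snapshot` helpers and the indicator identifiers are assumptions of the example. The CryptnetUrlCache files, qmgr*.dat and the BITS tracing keys are ordinary Windows state and are deliberately not used as indicators; only the sample-specific drops and the Run\Load value are treated as strong evidence, while a BITS start type of Automatic alone is reported as corroboration.

```python
"""Host-artifact triage for the Exploit-PDF / Backdoor-FAMA indicators.

Added example, not McAfee's code. It walks a constructed snapshot of
file-system and registry artifacts and reports which of the indicators
listed in the description are present. Indicator paths keep the
%Temp%-style placeholders used on the page and are expanded against the
snapshot's own variable map, so the check runs offline on any machine.
"""
from dataclasses import dataclass

# Indicators from the description. Only artifacts specific to this sample
# are treated as strong; the BITS service change is generic Windows state
# and serves as corroboration only.
DROPPED_FILES = {
    "drop-backdoor": r"%Temp%\AdobeArm.tmp",         # detected as Backdoor-FAMA
    "drop-decoy": r"%Temp%\Mandiant_APT2_Report.pdf",
    "drop-data": r"%Temp%\winbha.dat",
}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Load"
BITS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS"
SERVICE_AUTO_START = 0x2    # Windows service Start type "Automatic"
SERVICE_MANUAL_START = 0x3  # the pre-infection value listed on the page

STRONG = {"drop-backdoor", "persist-run-load"}


def expand(path, env):
    """Resolve %Var% placeholders with the snapshot's map; compare case-insensitively."""
    for name, value in env.items():
        path = path.replace(name, value)
    return path.lower()


@dataclass
class HostSnapshot:
    env: dict       # placeholder -> directory, e.g. {"%Temp%": r"C:\...\Temp"}
    files: set      # existing paths, as collected by the snapshot tool
    registry: dict  # (key_path, value_name) -> data

    def reg(self, key, value):
        """Case-insensitive lookup, since the Windows registry is case-insensitive."""
        want = (key.lower(), value.lower())
        for (k, v), data in self.registry.items():
            if (k.lower(), v.lower()) == want:
                return data
        return None


def triage(snap):
    """Return [(indicator_id, detail), ...] for every page indicator found."""
    findings = []
    present = {p.lower() for p in snap.files}
    for ind_id, path in DROPPED_FILES.items():
        if expand(path, snap.env) in present:
            findings.append((ind_id, path))
    # Persistence: Run\Load pointing at the dropped backdoor (any directory form).
    load = snap.reg(RUN_KEY, RUN_VALUE)
    if load and expand(load, snap.env).endswith(r"\adobearm.tmp"):
        findings.append(("persist-run-load", f"{RUN_KEY}\\{RUN_VALUE} = {load}"))
    # Corroboration only: BITS switched to Automatic start (0x2) from Manual (0x3).
    start = snap.reg(BITS_KEY, "Start")
    if start == SERVICE_AUTO_START:
        findings.append(("bits-autostart", f"{BITS_KEY}\\Start = {start:#x}"))
    return findings


def verdict(findings):
    """'infected' on any sample-specific artifact, 'suspicious' on generic ones only."""
    ids = {ind_id for ind_id, _ in findings}
    if ids & STRONG:
        return "infected"
    return "suspicious" if ids else "clean"


def build_sample_snapshot():
    """Constructed host state mirroring the artifacts listed above (not real data)."""
    return HostSnapshot(
        env={"%Temp%": r"C:\Users\alice\AppData\Local\Temp"},
        files={
            r"C:\Users\alice\AppData\Local\Temp\AdobeArm.tmp",
            r"C:\Users\alice\AppData\Local\Temp\Mandiant_APT2_Report.pdf",
            r"C:\Users\alice\AppData\Local\Temp\winbha.dat",
        },
        registry={
            (RUN_KEY, RUN_VALUE): r"%Temp%\AdobeArm.tmp",
            (BITS_KEY, "Start"): SERVICE_AUTO_START,
        },
    )


def build_clean_snapshot():
    """Constructed host with BITS left at Manual start and no dropped files."""
    return HostSnapshot(
        env={"%Temp%": r"C:\Users\bob\AppData\Local\Temp"},
        files={r"C:\Users\bob\AppData\Local\Temp\report.pdf"},
        registry={(BITS_KEY, "Start"): SERVICE_MANUAL_START},
    )


if __name__ == "__main__":
    for snap in (build_sample_snapshot(), build_clean_snapshot()):
        found = triage(snap)
        print(verdict(found), found)
```

On a real host the snapshot would be filled from a file listing and a registry export; the check deliberately expands the page's placeholders against the machine's own %Temp% rather than hard-coding a directory, because the Run\Load data may hold either the placeholder or an absolute path.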

--------------------------------------------------------------------------------------------------

A user receives an email with a malicious PDF file attached and is requested to open the attachment contained in the message body. A copy of the spammed message is as follows:

Note: The from address is usually spoofed when sending such infectious email messages.

Symptoms

---------------------------Updated on 26 Feb 2013-------------------------------

Because this is a generic detection, there is no specific description of the activity undertaken by JavaScript detected under this name; however, it can include malicious activity such as downloading and executing files or scripts.

--------------------------------------------------------------------------------------------

The following malicious attachment names have been observed in the wild:

  • BILL.PDF
  • INVOICE.PDF
  • STATEMET.PDF
  • YOUR_BILL.PDF

Method of Infection

---------------------------Updated on 26 Feb 2013-------------------------------

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

--------------------------------------------------------------------------------------------

On opening the PDF attachment, code is silently run to perform the following actions.

  • Windows built-in firewall is disabled via the netsh command.
  • Downloads and executes a password stealer from http://81.95.146.[Removed]/ldr.exe
  • This password stealer trojan is detected as Spy-Agent.bg

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.


Variants

Exploit-PDF