segunda-feira, 19 de julho de 2010

Malicious PDF not detected by any antivirus signature (Updated/Incorrect)

Please read the new post explaining what this post was wrong

http://spookerlabs.blogspot.com/2010/07/not-malicious-pdf-which-online-tool.html

Regards,

Today I got something curious in my PDF analysis:


@2gg a friend from twitter sent me some samples and 3 of them I tried to run against VirusTotal to make sure my research isn't generating False Positives(FP). For my surprise I uploaded a file to there and I got the detection Results: 0/43 .


File name:
c0610pall_MPA_Kit.re.pdf
Submission date:
2010-07-15 15:42:59 (UTC)
Current status:

Result:
0/ 43 (0.0%)


Our Research result was:


/LABS/pdf-basics$ perl pdf-analisys.pl -f c0610pall_MPA_Kit.re.pdf


c0610pall_MPA_Kit.re.pdf Malicious PDF Detected


That means that my script was generating a FP but based on analysis using Didier Stevens tools I was thinking that Antivirus failed totally against this sample.


So I ran the PDF against jsunpack-n to have a third test and I got:


$ ./jsunpackn.py c0610pall_MPA_Kit.re.pdf -V

[suspicious:3] [PDF] c0610pall_MPA_Kit.re.pdf.maybe.vir
suspicious: getAnnots CVE-2009-1492 detected

info: [decodingLevel=0] JavaScript in PDF 1298 bytes, with 1329 bytes headers
info: [decodingLevel=1] found JavaScript
info: file: saved /LABS/pdf-basics/samples/twitter2/c0610pall_MPA_Kit.re.pdf.maybe.vir to (./files/original_4b088c4be0c7bfca3ccbad187f97215d5fb1b181)
file: decoding_438f8880e0e100142aae652071590ba9ea2c572a: 2627 bytes
file: original_4b088c4be0c7bfca3ccbad187f97215d5fb1b181: 1406792 bytes



Talking to Mila from http://contagiodump.blogspot.com she pointed me to jsunpack result online http://jsunpack.jeek.org/dec/go?report=763c8312212dc379e18facb9d96815af36eb79ba .


Another things that pointed me that it a malicious file and I needed to figured out how to comprove was based on pdfid output :


PDFiD 0.0.11 c0610pall_MPA_Kit.re.pdf
PDF Header: %PDF-1.7
obj 60
endobj 60
stream 21
endstream 22
xref 2
trailer 2
startxref 2
/Page 1
/Encrypt 0
/ObjStm 2
/JS 1 /JavaScript 2
/AA 0
/OpenAction 0
/AcroForm 0
/JBIG2Decode 0
/RichMedia 0
/URI 2
/EmbeddedFile 0
/EmbeddedFiles 1
/cmd 0
/Action 0
/Launch 0
/Colors > 2^24 0


Based on that I started to test more in deep to try to make sure about this 0/43 result isn't a false negative or my research was generating a false positive


Analyzing JSunpack detection code I found


rule getAnnots: decodedPDF
{
meta:
impact = 3 //Since getAnnots may be legitimate
ref = "CVE-2009-1492"
hide = true
strings:
$cve20091492 = "getAnnots" nocase fullword
condition:
1 of them
}


That means that those alert didn't really mean that something is trying to exploit the flaw since getAnnots is a feature (not widely or common used) at PDF .


So @snowfl0w from http://contagiodump.blogspot.com pointed me to a very nice check website called https://www.vicheck.ca where I sent the sample and got the follow results:


=============================================


Thank you for your recent submission to vicheck.ca.


Date: 2010-07-15 18:59:54
Web submission from 187.105.222.250.


c0610pall_MPA_Kit.re.pdf:


EXECUTABLE SCAN: Javascript obfuscation syncAnnotScan to hide blocks (pdfexploit/full)


REPORT: https://www.vicheck.ca/md5query.php?hash=e40b33d95cb79765664d76e26d694efb


Confidence ranking: 75 (2 hits).


External hash searches:
VIRUS SCAN VirusTotal: 0/42 not detected
REPORT http://www.virustotal.com/analisis/10e735332a0bfb899a0a8ec83cb15f78915bf0a1fdbd311226f26e7501c5d766-1279207142
VIRUS SCAN Threat Expert: New
VIRUS SCAN Team-CYMRU.org: New


=============================================


As last test I sent it to joedoc.org and I got good results too


Joedoc (Beta) has detected the the following results:


Runtime detections:


- Successful exploit on Acrobat 9.2
- Successful exploit on Acrobat 9.0

- Successful exploit on Acrobat 8.1.2
- No exploit on Acrobat 7.0.5




Special thanks for @2gg and @snowfl0w


** About Virus Total it basically runs the sample against signatures and some AV protections have some behavior analysis among other tests that weren't realized against this sample.


Regards,


Rodrigo Montoro (Sp0oKeR)

Um comentário:

cw disse...

Increasingly heavy obfuscation techniques continue to render AV detection ineffective. Reminds me of a Java exploit class using a large number of dynamic string reassembly tricks to greatly decrease detection. I've found JSUnpack and JoeDoc to be very useful in this analysis, and may obtain the Zynamics PDF tool in the near future. Thanks, @curtw