Tuesday, July 20, 2010

Not Malicious PDF - Which online tool should we trust?

Guys,

Since people trust this blog and what I write here, I always try my best. Unfortunately, sometimes we make mistakes. My last post was about a 0/43 malicious PDF not being detected by any antivirus. From the beginning I was in doubt about whether it was malicious or not, so I tested it against some web tools, as you can read in my last post: http://spookerlabs.blogspot.com/2010/07/malicious-pdf-not-detected-by-any.html

After getting 0/43 and analyzing the PDF structure with Didier Stevens' tools, I can say the score was 1 x 1: VirusTotal considered it normal, while pdfid pointed to something not common.

One point I listed in the other post was the JSunpack detection, which just tries to find the word getAnnots (since it is not commonly used). Another point I was looking at and did not feel comfortable with was the JoeDoc result, which said the PDF was exploitable on version 9.2, while CVE-2009-1492 only affects versions up to 9.1.

From: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1492

"The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that contains an annotation, and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments."

Based on that, the real results for the tools in this analysis are:

JSunpack - Failed

$ ./jsunpackn.py c0610pall_MPA_Kit.re.pdf -V

[suspicious:3] [PDF] c0610pall_MPA_Kit.re.pdf.maybe.vir
suspicious: getAnnots CVE-2009-1492 detected 


rule getAnnots: decodedPDF
{
    meta:
        impact = 3 // Since getAnnots may be legitimate
        ref = "CVE-2009-1492"
        hide = true
    strings:
        $cve20091492 = "getAnnots" nocase fullword
    condition:
        1 of them
}
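As an added example (not code from the post, from jsunpack, or from pdfid), the script below contrasts the keyword-only rule quoted above with a check shaped after the CVE description: JavaScript reached through /OpenAction that calls getAnnots with integer arguments. It runs on two constructed PDF fragments, not the sample from the post, and assumes /OpenAction is an indirect reference to an object whose /JS entry is a literal string.

```python
import re

# Constructed minimal PDF fragments (not the sample from the post). Both carry /OpenAction
# JavaScript calling getAnnots, so the keyword rule fires on both; only the second has the
# integer-argument call shape named in the CVE-2009-1492 description.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R /Names << /EmbeddedFiles 5 0 R >> >> endobj
3 0 obj << /S /JavaScript /JS (var a = this.getAnnots(); app.alert(a.length);) >> endobj
"""
INT_ARGS_PDF = BENIGN_PDF.replace(b"this.getAnnots()", b"this.getAnnots(0, 0)")

KEYWORDS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/EmbeddedFiles", b"/AA")


def pdfid_counts(data):
    """pdfid-style counts: the name must be followed by a delimiter, so /JS does not count /JSx."""
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", data))
            for k in KEYWORDS}


def jsunpack_getannots(data):
    """The jsunpack rule quoted above: the bare word getAnnots, case-insensitive."""
    return re.search(rb"\bgetAnnots\b", data, re.IGNORECASE) is not None


def openaction_js(data):
    """Literal /JS string of the object that /OpenAction references, or b'' if none.
    Assumption: indirect reference and an inline string; streams and /AA are not followed."""
    ref = re.search(rb"/OpenAction\s+(\d+)\s+\d+\s+R", data)
    if not ref:
        return b""
    obj = re.search(rb"\b" + ref.group(1) + rb"\s+\d+\s+obj\b(.*?)endobj", data, re.S)
    js = re.search(rb"/JS\s*\((.*?)\)\s*>>", obj.group(1), re.S) if obj else None
    return js.group(1) if js else b""


def cve_2009_1492_shape(data):
    """True when the OpenAction JavaScript calls getAnnots with one or more integer literals."""
    call = rb"getAnnots\s*\(\s*-?\d+\s*(?:,\s*-?\d+\s*)*\)"
    return re.search(call, openaction_js(data)) is not None


def triage(data):
    """'cve-pattern' outranks 'keyword-only'; a plain getAnnots hit alone stays a weak signal."""
    if cve_2009_1492_shape(data):
        return "cve-pattern"
    return "keyword-only" if jsunpack_getannots(data) else "clean"


if __name__ == "__main__":
    for name, pdf in (("benign", BENIGN_PDF), ("int-args", INT_ARGS_PDF)):
        print(name, pdfid_counts(pdf), "jsunpack:", jsunpack_getannots(pdf), "->", triage(pdf))
```

The benign fragment trips both pdfid and the jsunpack word match yet ends up as "keyword-only", which is exactly the false-positive case this post is about.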



www.vicheck.ca - Failed

Date: 2010-07-15 18:59:54
Web submission from 187.105.222.250.

c0610pall_MPA_Kit.re.pdf:


EXECUTABLE SCAN: Javascript obfuscation syncAnnotScan to hide blocks (pdfexploit/full)


REPORT:
https://www.vicheck.ca/md5query.php?hash=e40b33d95cb79765664d76e26d694efb

Confidence ranking: 75 (2 hits).


External hash searches:

VIRUS SCAN VirusTotal: 0/42 not detected
REPORT http://www.virustotal.com/analisis/10e735332a0bfb899a0a8ec83cb15f78915bf0a1fdbd311226f26e7501c5d766-1279207142
VIRUS SCAN Threat Expert: New
VIRUS SCAN Team-CYMRU.org: New

PDF structure - "Failed", but I can say that I have analyzed a lot of samples and this is not a common structure for a normal PDF:

1 page file
/JavaScript and /JS options
/EmbeddedFiles

Virustotal - OK - http://www.virustotal.com

JoeDoc - Failed - http://www.joedoc.org

Joedoc (Beta) has detected the following results:

Runtime detections:

- Successful exploit on Acrobat 9.2
- Successful exploit on Acrobat 9.0
- Successful exploit on Acrobat 8.1.2
- No exploit on Acrobat 7.0.5

This sample is the kind that has everything it takes to look malicious, but it is not. To make sure, I set up a VM and opened this file (Adobe version 8), as well as a new sample that @2gg shared which was reported the same way; that makes me comfortable saying it is a False Positive.

Sorry about that, but I will always try my best, and I will triple check next time since double checking failed! Anyway, in my opinion a False Positive on an uncommon file like this, which you can handle, is better than a False Negative on something very similar that is malicious for real.

Keep reading, since we will have a lot of good stuff about our research in the future, and for sure with a few False Positives and Negatives, as with any malware detection tool.

Regards,

Rodrigo Montoro (Sp0oKeR)

2 comments:

vicheck said...

Good point, we tweaked the detection at ViCheck.ca to show this type of case as "suspicious" for the unusual Javascript as there's no malicious payload, but similar javascript could be used to trick a user into running an embedded file.

Rodrigo "Sp0oKeR" Montoro said...

Yeah! That's the kind of FP that we don't really need to complain about =). Anyway, nice job at www.vicheck.ca. I really like your more in-depth check.

Regards and thanks for reading!