Monday, August 16, 2010

SET (Social-Engineer Toolkit) PDFs vs. AntiVirus & Scoring System

Since the Social-Engineer Toolkit (SET) is being used in the wild, I decided to generate its PDF payloads and test them against the AntiVirus vendors (via VirusTotal and ClamAV) and against a new detection scoring system based on SpiderLabs research.


  [---]       The Social-Engineer Toolkit (SET)          [---]
  [---]        Written by David Kennedy (ReL1K)          [---]
  [---]                 Version: 0.6.1                   [---]
  [---]            Codename: 'Arnold Palmer'             [---]
  [---]     Report bugs to: davek@social-engineer.org    [---]
  [---]        Java Applet Written by: Thomas Werth      [---]
  [---]        Homepage: http://www.secmaniac.com        [---]
  [---]     Framework: http://www.social-engineer.org    [---]
  [---]       Over 1 million downloads and counting.     [---]

   Welcome to the Social-Engineer Toolkit (SET). Your one
    stop shop for all of your social-engineering needs..
   
             Follow me on Twitter: dave_rel1k

       DerbyCon 2011 Sep29-Oct02 - A new era begins...
                  http://www.derbycon.com


Select from the menu on what you would like to do:

1.  Spear-Phishing Attack Vectors
2.  Website Attack Vectors
3.  Infectious Media Generator
4.  Create a Payload and Listener
5.  Mass Mailer Attack
6.  Teensy USB HID Attack Vector
7.  Update the Metasploit Framework
8.  Update the Social-Engineer Toolkit
9.  Help, Credits, and About
10. Exit the Social-Engineer Toolkit

Enter your choice: 1


1. Perform a Mass Email Attack
2. Create a FileFormat Payload
3. Create a Social-Engineering Template
4. Return to Main Menu

Enter your choice: 1

1. Adobe Flash Player 'newfunction' Invalid Pointer Use
2. Adobe Collab.collectEmailInfo Buffer Overflow
3. Adobe Collab.getIcon Buffer Overflow
4. Adobe JBIG2Decode Memory Corruption Exploit
5. Adobe PDF Embedded EXE Social Engineering
6. Adobe util.printf() Buffer Overflow

7. Custom EXE to VBA (sent via RAR) (RAR required)
8. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun

Enter the number you want (press enter for default):

1. Windows Reverse TCP Shell
2. Windows Meterpreter Reverse_TCP
3. Windows Reverse VNC
4. Windows Reverse TCP Shell (x64)
5. Windows Meterpreter Reverse_TCP (X64)
6. Windows Shell Bind_TCP (X64)

Enter the payload you want (press enter for default):

* All samples were generated with payload 1 (Windows Reverse TCP Shell) on port 2345.


1. Adobe Flash Player 'newfunction' Invalid Pointer Use

http://www.virustotal.com/file-scan/report.html?id=377ba41782bbeb25c9816d76ec190fb6f4b88c7bbaecc26653a4a6ecc479f3ea-1281835639

File name:flashplayer-newfunction.pdf
Submission date: 2010-08-15 01:27:19 (UTC)
Result: 15/ 42 (35.7%)

$ pdf-analisys.pl -s1 -f flashplayer-newfunction.pdf

flashplayer-newfunction.pdf Malicious PDF Detected


2. Adobe Collab.collectEmailInfo Buffer Overflow

http://www.virustotal.com/file-scan/report.html?id=a4ac73a6efee530a05ea05eeeaa3d8efc137e4eb3bcf4d492c2b318264da2f77-1281836155

File name: collab-collectEmailInfo.pdf
Submission date: 2010-08-15 01:35:55 (UTC)
Result: 17/ 42 (40.5%)


$ pdf-analisys.pl -s1 -f collab-collectEmailInfo.pdf

collab-collectEmailInfo.pdf Malicious PDF Detected

3. Adobe Collab.getIcon Buffer Overflow

http://www.virustotal.com/file-scan/report.html?id=631893cd75bcf60ec82a3f59d3bd3f7f166874641a4ed62ceee28852889ec6e2-1281836494
File name: collab-getIcon.pdf
Submission date: 2010-08-15 01:41:34 (UTC)
Result: 15/ 42 (35.7%)

$ pdf-analisys.pl -s1 -f collab-getIcon.pdf

collab-getIcon.pdf Malicious PDF Detected


4. Adobe JBIG2Decode Memory Corruption Exploit

http://www.virustotal.com/file-scan/report.html?id=814f20d28de287e76dbfacb14d90dbfab8e0b1e11e16212b88ca3216f2189117-1281836756

File name: JBIG2Decode.pdf
Submission date: 2010-08-15 01:45:56 (UTC)
Result: 15/ 42 (35.7%)


$ pdf-analisys.pl -s1 -f JBIG2Decode.pdf

JBIG2Decode.pdf Malicious PDF Detected

5. Adobe PDF Embedded EXE Social Engineering

http://www.virustotal.com/file-scan/report.html?id=484ba7800fd549b82b6ac4dab5100f3017a0995cc47be13977703a168d1bcef3-1281837936
File name: embeddedfile.pdf
Submission date: 2010-08-15 02:05:36 (UTC)
Result: 15/ 41 (36.6%)

$ pdf-analisys.pl -s1 -f embeddedfile.pdf

embeddedfile.pdf Malicious PDF Detected

6. Adobe util.printf() Buffer Overflow

http://www.virustotal.com/file-scan/report.html?id=99e01802391f77c5c93cdf52cb2eacb5673e6acf7ac90776d477948a7fa1222d-1281838414

File name: utilprintf.pdf
Submission date: 2010-08-15 02:13:34 (UTC)
Result: 16/ 42 (38.1%)

$ pdf-analisys.pl -s1 -f utilprintf.pdf

utilprintf.pdf Malicious PDF Detected


8. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun

http://www.virustotal.com/file-scan/report.html?id=0ce18c65373f113916b108508b3afc481e460f77353d1e3ddd259dbd29bab5a1-1281838713
File name: U3D.pdf
Submission date: 2010-08-15 02:18:33 (UTC)
Result: 11/ 42 (26.2%)

$ pdf-analisys.pl -s1 -f U3D.pdf

U3D.pdf Malicious PDF Detected


ClamAV Results

collab-collectEmailInfo.pdf: OK
collab-getIcon.pdf: OK
embeddedfile.pdf: Exploit.PDF-22612 FOUND
flashplayer-newfunction.pdf: OK
JBIG2Decode.pdf: OK
U3D.pdf: OK
utilprintf.pdf: OK

----------- SCAN SUMMARY -----------
Known viruses: 813894
Engine version: 0.96.1
Scanned files: 7
Infected files: 1

* ClamAV has just released engine 0.96.2, which detected all 7 samples as malicious, so update your engine as soon as possible.

VirusTotal Results

flashplayer-newfunction.pdf:   15/42 (35.7%)
collab-collectEmailInfo.pdf:   17/42 (40.5%)
collab-getIcon.pdf:            15/42 (35.7%)
JBIG2Decode.pdf:               15/42 (35.7%)
embeddedfile.pdf:              15/41 (36.6%)
utilprintf.pdf:                16/42 (38.1%)
U3D.pdf:                       11/42 (26.2%)

Average detection: 14.86 / 42 (35.37%)


Top 5* AntiVirus Results

* Top 5 antivirus products chosen by how common their names are, not by detection rate.

** Payloads listed below:
1. Adobe Flash Player 'newfunction' Invalid Pointer Use
2. Adobe Collab.collectEmailInfo Buffer Overflow
3. Adobe Collab.getIcon Buffer Overflow
4. Adobe JBIG2Decode Memory Corruption Exploit
5. Adobe PDF Embedded EXE Social Engineering
6. Adobe util.printf() Buffer Overflow
8. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun



Scoring System Results 

collab-collectEmailInfo.pdf Malicious PDF Detected
collab-getIcon.pdf Malicious PDF Detected
embeddedfile.pdf Malicious PDF Detected
flashplayer-newfunction.pdf Malicious PDF Detected
JBIG2Decode.pdf Malicious PDF Detected
U3D.pdf Malicious PDF Detected
utilprintf.pdf Malicious PDF Detected
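The scoring results above come from the author's pdf-analisys.pl, whose internals this post does not publish. As an added illustration (my own code, not the author's parser and not the SpiderLabs scoring system), here is a small Python heuristic scorer that does the kind of work such a system does: it inflates FlateDecode streams, undoes #xx hex escapes in PDF names (so /J#61vaScript is seen as /JavaScript), counts weighted indicators such as /OpenAction, /JavaScript, /Launch, /EmbeddedFile, /JBIG2Decode and /U3D, and adds a bonus when an automatic trigger is combined with active content. The weights, the threshold and the three embedded sample PDFs are my own constructed choices.

```python
"""Toy heuristic PDF scorer (illustrative, not the author's pdf-analisys.pl)."""
import re
import sys
import zlib
from typing import Dict, List, Tuple

# Weighted indicators. Weights are my own illustrative choice; the post does not
# disclose the values used by the real scoring system.
INDICATORS: Dict[str, int] = {
    "/JavaScript": 3, "/JS": 3,           # script objects
    "/OpenAction": 2, "/AA": 2,           # automatic triggers (open / page events)
    "/Launch": 4, "/EmbeddedFile": 3,     # run or drop a file (embedded EXE case)
    "/RichMedia": 3,                      # Flash (SWF) inside the PDF
    "/JBIG2Decode": 3, "/U3D": 3,         # decoders hit by the JBIG2 / U3D bugs
    "/AcroForm": 1,
}
TRIGGERS = {"/OpenAction", "/AA"}
ACTIVE = {"/JavaScript", "/JS", "/Launch", "/EmbeddedFile", "/RichMedia"}
COMBO_BONUS = 3      # trigger + active content in the same file
THRESHOLD = 5        # assumed cut-off for the verdict

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes in names: /J#61vaScript -> /JavaScript (a common evasion)."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> List[bytes]:
    """Return the decompressed body of every stream that inflates as zlib data."""
    out = []
    for m in _STREAM.finditer(data):
        try:
            # decompressobj tolerates a clipped checksum, which plain decompress does not
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not a Flate stream (e.g. plain page content)
    return out


def searchable_text(data: bytes) -> bytes:
    """Raw file plus inflated streams, all with name escapes normalized."""
    parts = [normalize_names(data)] + [normalize_names(s) for s in inflate_streams(data)]
    return b"\n".join(parts)


def score_pdf(data: bytes) -> Tuple[int, Dict[str, int]]:
    """Return (score, {indicator: occurrences}); each indicator is weighted once."""
    text = searchable_text(data)
    hits: Dict[str, int] = {}
    score = 0
    for name, weight in INDICATORS.items():
        # the name must end at a delimiter so /JS does not match /JSX-like names
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        n = len(re.findall(pattern, text))
        if n:
            hits[name] = n
            score += weight
    if hits.keys() & TRIGGERS and hits.keys() & ACTIVE:
        score += COMBO_BONUS
        hits["trigger+active-content"] = 1
    return score, hits


def verdict(data: bytes) -> str:
    return "Malicious PDF Detected" if score_pdf(data)[0] >= THRESHOLD else "Clean"


def make_pdf(objects: List[bytes]) -> bytes:
    """Assemble a minimal PDF (no xref table) from numbered objects; constructed test data."""
    body = b"%PDF-1.4\n"
    for i, obj in enumerate(objects, 1):
        body += b"%d 0 obj\n%s\nendobj\n" % (i, obj)
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed samples (not the SET-generated files from the post).
BENIGN = make_pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>",
    b"<< /Length 44 >>\nstream\nBT /F1 12 Tf 72 700 Td (Hello) Tj ET\nendstream",
])
# OpenAction firing a JavaScript object whose name is hex-escaped
JS_AUTORUN = make_pdf([
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
    b"<< /Type /Pages /Kids [] /Count 0 >>",
    b"<< /S /J#61vaScript /JS (app.alert('pwn')) >>",
])
# The same idea with the script hidden inside a Flate-compressed stream
_packed = zlib.compress(b"<< /S /JavaScript /JS (util.printf('%45000f', 0)) >>")
COMPRESSED_JS = make_pdf([
    b"<< /Type /Catalog /Pages 2 0 R /AA << /O 3 0 R >> >>",
    b"<< /Type /Pages /Kids [] /Count 0 >>",
    b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(_packed), _packed),
])

if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, *score_pdf(fh.read()), verdict(open(path, "rb").read()))
    else:
        for label, sample in (("benign", BENIGN), ("js-autorun", JS_AUTORUN),
                              ("compressed-js", COMPRESSED_JS)):
            print(label, *score_pdf(sample), verdict(sample))
```

Run it with no arguments to score the three constructed samples, or pass PDF paths. A keyword scorer of this kind flags files that carry an automatic trigger plus script or embedded content, which is exactly the shape of the SET samples above, but it says nothing about whether an exploit actually works, and a legitimate form that uses a little JavaScript can score above the threshold. Tune the weights on a benign corpus before relying on it for detection.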


We have submitted papers to a couple of conferences to start sharing this information. I'll let you know if we get accepted, and where =).

Let's keep improving our research and sharing more and more information. In the future we'll share all the information, the scoring system and the parser.

Regards,

Rodrigo "Sp0oKeR" Montoro

3 comments:

Fabio Assolini said...

Just for the record: all the PDFs mentioned are detected by Kaspersky. Some of them by heuristics, which is not shown in an analysis done by VirusTotal.

Congratulations on the blog

;)

Gustavo Monteiro said...

Rodrigo,

I just started my blog with a post that also covers SET. It really is a fantastic tool.

http://gustavomonteiro.com/

Elhoim said...

It looks really cool!

I would be interested to test it.
Is it available somewhere?