Auto Infection Through PDF Files


dR.fAn0


Anyone with an interest in computer security knows that a PDF can carry malware, and that opening it with a vulnerable version of the reader can infect the user's machine. In fact it is one of the most prevalent ways of distributing malware. But although other ways of achieving the same goal without opening the file have been discussed for years, many people are still unaware of them. Back in 2009 Didier Stevens showed on his blog several ways, three to be precise, of infecting a machine without having to open the PDF. There is even a fourth way that needs no interaction from the user at all.

 

 

The examples shown use Shell Extensions to infect the user's machine, so the first thing is to understand what they are. A Shell Extension is software added to Windows Explorer that gives it new functionality by integrating third-party software. An example would be the ability to scan a file or directory with an AV from the context menu, or to compress it with WinZip, WinRAR, etc. But they are not only added to the context menu: they can also provide extra tabs in a file's Properties dialog, preview thumbnails, and so on.

 

As I mentioned earlier, Didier Stevens demonstrated these infection routes in 2009 using as a platform a fully patched Windows XP SP2 running Adobe Reader 9. Reader version 9 implemented DEP, ASLR and a medium integrity level (MIC). In version X, however, Adobe added a sandbox as a security measure to mitigate future vulnerabilities, and Adobe Reader was redesigned to run at low integrity. Currently, with Adobe Reader X, the Shell Extensions (thumbnails, properties, preview) run inside the sandbox and the iFilter is no longer installed. Adobe explains this here.

 

NOTE: On Windows 7 64-bit I had trouble using the Shell Extensions. The point is that the Shell Extension pdfshell.dll, located in C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX, is 32-bit and therefore is not loaded by the 64-bit Windows Explorer. As on Windows 7 64-bit you cannot launch the 32-bit Explorer from C:\Windows\SysWOW64, one way to use 32-bit extensions on 64-bit Windows is Half Shell. But it looks like it does not work properly because of the changes Microsoft made in Windows 7.

 

 

Now that we know what Shell Extensions are, it is time to look at ways of exploiting vulnerabilities in a PDF reader without opening the file. Adobe Reader installs extra components in Windows to read PDF files. Keep in mind that these infection routes are relatively old (three years), but they serve as a reminder that opening a file is not always the only way to get infected. Infection through any of these methods, or through similar software, would therefore still be possible if there were no current mitigations at other levels:

 

 

1) Column Handler Shell Extension: a COM object that provides Windows Explorer with additional data about a particular file type, which Explorer displays in extra columns. For a PDF these would be the title, author, etc.

 

When Windows Explorer has to display a PDF, it invokes the Column Handler to read the PDF's data and pass it back. So a single click on a malicious file would execute the shellcode embedded in it and the machine would be infected.

 

If we want to remove the PDF-related Shell Extensions, we can do so with NirSoft's Shell Extensions Manager (ShellExView) or the Sysinternals Autoruns utility.

 

 

2) When Windows Explorer is in Thumbnail view it shows the first page of the PDF as a miniature image. This involves parsing the PDF, so it can also take advantage of a vulnerable Adobe Reader to infect the machine.

 

 

3) When you hover the cursor over a PDF file, Windows displays its properties and metadata in a tooltip. If a malformed metadata stream object that exploits a vulnerability is embedded in the file, code can be executed just by hovering the cursor over it. This is because, to show the tooltip, Windows reads the metadata through a third-party component (such as Adobe Reader's).

 

 

Because, as we have seen, a double click is not needed to run the malware, Didier Stevens recommends changing its extension, e.g. malware.pdf.mal. Since the handlers are registered per extension, this avoids the unwanted automatic infections discussed above.

 

 

Earlier we mentioned the iFilter, and now it is time to learn what it is. The Windows Indexing Service content indexer (called Windows Desktop Search on Windows XP and Windows Server 2003) was replaced by Windows Search in Windows Vista and 7. The AcroRdIF.dll IFilter extends the indexing service so that it can index the contents of PDFs. Windows can read, and therefore index, the contents of certain files on its own, such as a .txt, but for specific formats it relies on third-party applications. That is where the iFilter comes into play: without it, the contents of a PDF file cannot be parsed and indexed by Windows Search.

 

Put another way, when Windows Search indexes content and does not understand the format of a given file, it looks up the corresponding IFilter in the registry. The content indexing daemon (cidaemon.exe) calls the Acrobat IFilter (AcroRdIF.dll), which in turn loads the parser (AcroRD32.dll). The parser is what actually parses the content and hands the text extracted from the document to Windows Search for indexing.

 

As a historical note, on Windows XP SP3 the Windows Indexing Service ran as SYSTEM, and therefore so did the AcroRdIF DLL. The service did not start automatically, only if we explicitly enabled it after performing a search as administrator.

 

Windows Desktop Search 4.0 also ran as SYSTEM, but it ran AcroRdIF.dll in a separate process under the Local Service account, so this was an improvement in the security design.

 

To prevent a vulnerability in Adobe Reader from being exploited through the IFilter, unregister it, which deletes the corresponding registry entries:

 

regsvr32 /u AcroRdIF.dll

 

 

although, as mentioned before, in the current version X it is no longer included.

 

Although there are two ways of running a file's payload automatically (without opening the PDF and without user interaction), malware authors still prefer to use social engineering to get users to open the PDF manually.

 

The shellcode embedded in the PDF file could execute any instructions, but the classic shellcode downloads a Trojan: it first locates the system directory (system32), downloads the Trojan from the Internet, saves it in the system directory and finally runs it. There are also files that carry the Trojan embedded within them; in that case the shellcode extracts the executable, saves it to disk and runs it.
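As an added example, not part of the original post or of Didier Stevens' work, the following PowerShell script audits the two load paths discussed above on a Windows machine. It lists the Shell Extension handlers (column, thumbnail, preview, infotip, property sheet, context menu) registered for .pdf and its ProgID, resolves each CLSID to the DLL that implements it (checking the 32-bit Wow6432Node view as well, since the post notes that a 32-bit pdfshell.dll is not loaded by the 64-bit Explorer) and reports the DLL's bitness. It also walks the documented IFilter lookup chain (.pdf, then PersistentHandler, then PersistentAddinsRegistered, then the IFilter CLSID's InprocServer32) to find which DLL Windows Search would load for PDF content. With -Block it adds the matching handler CLSIDs to the documented Shell Extensions\Blocked key (reversible, unlike deleting the vendor's registration) and unregisters the IFilter with regsvr32 /u as the post does. The interface IIDs are Microsoft's published values; the handler CLSIDs and DLL paths found on a given machine are whatever is registered there, and the 'Adobe' substring used to select what to block is an assumption for illustration.

```powershell
# Added example (not from the original post): audit and optionally block the
# third-party handlers Explorer and Windows Search load for .pdf files.
# Run from an elevated PowerShell; without -Block it only reports.
param([switch]$Block)

$ErrorActionPreference = 'Stop'
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT -ErrorAction SilentlyContinue | Out-Null

# Subkeys of <ProgID>\ShellEx and .pdf\ShellEx: interface IIDs (documented values)
# hold a CLSID as default value; the named keys hold one subkey per handler.
$handlerKinds = @{
    '{e357fccd-a995-4576-b01f-234630154e96}' = 'Thumbnail (IThumbnailProvider)'
    '{bb2e617c-0920-11d1-9a0b-00c04fc2d6c1}' = 'Thumbnail (IExtractImage, legacy)'
    '{8895b1c6-b41f-4c1c-a562-0d564250836f}' = 'Preview handler (IPreviewHandler)'
    '{00021500-0000-0000-c000-000000000046}' = 'Infotip / hover tooltip (IQueryInfo)'
    'ColumnHandlers'                           = 'Column handler'
    'PropertySheetHandlers'                    = 'Property sheet tab'
    'ContextMenuHandlers'                      = 'Context menu'
}

function Resolve-Clsid {
    # Map a CLSID to its in-process DLL; 32-bit servers live under Wow6432Node.
    param([string]$Clsid)
    foreach ($base in 'HKCR:\CLSID', 'HKCR:\Wow6432Node\CLSID') {
        $k = Join-Path $base "$Clsid\InprocServer32"
        if (Test-Path $k) {
            return [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $k).'(default)')
        }
    }
    return $null
}

function Get-PeBitness {
    # PE COFF Machine field: 0x14c = x86, 0x8664 = x64. An x86 handler is not
    # loaded by the 64-bit Explorer, the situation described in the post's note.
    param([string]$Path)
    if (-not ($Path -and (Test-Path $Path))) { return 'missing' }
    $b = [IO.File]::ReadAllBytes($Path)
    $peOff = [BitConverter]::ToInt32($b, 0x3c)
    switch ([BitConverter]::ToUInt16($b, $peOff + 4)) {
        0x14c   { 'x86' }
        0x8664  { 'x64' }
        default { 'unknown' }
    }
}

function Get-PdfShellExtensions {
    $progId = (Get-ItemProperty 'HKCR:\.pdf' -ErrorAction SilentlyContinue).'(default)'
    $roots = @('HKCR:\.pdf\ShellEx')
    if ($progId) { $roots += "HKCR:\$progId\ShellEx" }
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($kindKey in Get-ChildItem $root) {
            $kind = $handlerKinds[$kindKey.PSChildName]
            if (-not $kind) { $kind = $kindKey.PSChildName }
            $clsids = @()
            $default = (Get-ItemProperty $kindKey.PSPath).'(default)'
            if ($default -match '^\{') { $clsids += $default }
            foreach ($sub in Get-ChildItem $kindKey.PSPath) {
                $v = (Get-ItemProperty $sub.PSPath).'(default)'
                $clsids += $(if ($v -match '^\{') { $v } else { $sub.PSChildName })
            }
            foreach ($c in $clsids) {
                $dll = Resolve-Clsid $c
                [pscustomobject]@{ Kind = $kind; Clsid = $c; Dll = $dll; Bitness = (Get-PeBitness $dll) }
            }
        }
    }
}

function Get-PdfIFilter {
    # Documented IFilter lookup: .pdf -> PersistentHandler -> PersistentAddinsRegistered
    # -> {IID_IFilter} -> IFilter CLSID -> InprocServer32 (AcroRdIF.dll when Adobe's is installed).
    $IID_IFilter = '{89BCB740-6119-101A-BCB7-00DD010655AF}'
    $ph = (Get-ItemProperty 'HKCR:\.pdf\PersistentHandler' -ErrorAction SilentlyContinue).'(default)'
    if (-not $ph) { return $null }
    $key = "HKCR:\CLSID\$ph\PersistentAddinsRegistered\$IID_IFilter"
    if (-not (Test-Path $key)) { return $null }
    $filterClsid = (Get-ItemProperty $key).'(default)'
    $dll = Resolve-Clsid $filterClsid
    [pscustomobject]@{ PersistentHandler = $ph; FilterClsid = $filterClsid; Dll = $dll; Bitness = (Get-PeBitness $dll) }
}

$ext = @(Get-PdfShellExtensions)
$ext | Format-Table -AutoSize
$filter = Get-PdfIFilter
if ($filter) { $filter | Format-List } else { 'No IFilter registered for .pdf (expected with Reader X)' }

if ($Block) {
    # Explorer checks Shell Extensions\Blocked before loading a handler, so listing
    # the CLSID there disables it without deleting the vendor's registration.
    $blocked = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked'
    if (-not (Test-Path $blocked)) { New-Item $blocked -Force | Out-Null }
    foreach ($e in $ext | Where-Object { $_.Dll -match 'Adobe' }) {   # selection criterion is an assumption
        New-ItemProperty -Path $blocked -Name $e.Clsid -Value $e.Kind -PropertyType String -Force | Out-Null
        "Blocked $($e.Kind) $($e.Clsid) -> $($e.Dll)"
    }
    # The IFilter is not a shell extension; unregister it as the post does.
    if ($filter -and $filter.Dll) { & regsvr32.exe /s /u $filter.Dll }
}
```

Run it once without -Block to see which DLLs are actually wired in (on a 64-bit Windows with only a 32-bit pdfshell.dll you will see Bitness x86 for the Explorer handlers, which is why the post's note says they never load there). Blocking takes effect for newly started Explorer processes, so log off or restart explorer.exe afterwards; removing the value from the Blocked key restores the handler.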
