COMMAND

PDF files

SYSTEMS AFFECTED

PDF files

PROBLEM

Zulu, a virus writer from South America, appears to have discovered that Adobe PDF files can be used to carry computer viruses. The attached description gives the details. His trick uses a PDF file to bypass the new security feature of Outlook (the Outlook Security Update) which automatically deletes dangerous file attachments: with this feature all VBScript attachments are deleted because they might be computer viruses, but with Zulu's trick a malicious VBScript file can instead be hidden inside a PDF file, which Outlook considers safe. Note that, as the description states, the worm relies on Acrobat file annotations and therefore needs the full version of Acrobat; it will not run in Acrobat Reader.

We don't believe that the DMCA provisions that have been used against security research and reverse engineering apply here, but given Adobe's recent action against Dmitry Sklyarov, we recommend a bit of caution by anyone looking into this potential security problem in Adobe Acrobat. A conversation with a lawyer might be prudent. Another interesting question is whether Adobe-formatted eBooks can also act as computer virus carriers.

Zulu's description of the worm, as attached:

VBScript worm. It uses OUTLOOK to send itself in a PDF (portable document format) file (the first worm to use this file type). When opened using Acrobat it shows an image with a minor game. Showing the solution to this game involves double-clicking a file annotation, which, after a warning, will run a VBS, VBE or WSF file (depending on the worm version). The VBScript file will create and show a JPG file with the solution to the game, and it will try to find the PDF file in order to spread it. This is necessary because when the link is used, Acrobat creates the VBS, VBE or WSF file in Windows' temporary directory and runs it from there, so the VBScript file doesn't know the path of the PDF file it has to spread. Then it will start the spreading code, using a method of using OUTLOOK not seen before in any worm (spreading details can be found in the features section of this file). The password for changing the security options of the PDF file is "OUTLOOK.PDFWorm".
This worm is designed to be a proof of concept; it has poor spreading capabilities, only what is necessary to be called a worm. Also, because file annotations are only available in the full version of Acrobat, this worm will not run in Acrobat Reader.

Features:

- Uses the PDF extension, not seen before in any virus/worm.

- OUTLOOK spreading using new code, not the classic Melissa code and its variations like the one from Freelink. This new method gets addresses from the recipients of all emails in any OUTLOOK folder and from all address book entries (taking the first three addresses of each contact, not just the first like most OUTLOOK worms). It is based on the possibility of reaching contacts through OUTLOOK folders instead of using the objects designed to read address books, so the code looks inside all OUTLOOK folders and, if the items inside them are emails or contacts, takes those addresses. Subject, body and attachment name are selected from some random choices. It limits the number of emails to 100, and it runs only once on each computer, since it uses the registry to check whether it has already run.

- Good social engineering. We even think that this PDF file would be manually sent by many of those users who never tire of sending stupid jokes.

- To find the PDF file, if Word is installed it uses Word to do the search; if Word is not installed, it searches for the file using VBScript code, looking in many common paths and all subdirectories of those paths. Both methods look for PDF files whose size is similar to the original worm copy.

- Uses script encoding (in versions 1.1 and 1.2).

- The VBScript file shows a JPG file when run, so it shows what the user expects.

Zulu was starting another project, much bigger and with good spreading capabilities, but that was much delayed because of time problems, so he decided to try with PDF files first and continue with the other worm when he has time.
He saw four possibilities:

- Using JavaScript with the "mailMsg" method. It would only work in the full version of Acrobat. By using the "mailMsg" method (which uses MAPI) he could send an email message when the document is opened (page open action). But the problem was that he was not able to get email addresses to send the message to.

- Using the Acrobat menu. It would only work in the full version of Acrobat. He could use the "Send Mail..." menu option, calling it when the document is opened (page open action). That would open a window from the default email client with the attachment already added. Here the problem was how to send the necessary keystrokes to send the message that was already open in that window.

- Using an open file action. It would work in Acrobat and in Acrobat Reader. It displays a warning. By creating an open file action when the document is opened he could run any file with any code inside it. But the problem was that he had no file to run. This method could work for a trojan that runs "FORMAT.COM", but not for a worm.

- Using a file annotation. It would only work in the full version of Acrobat. It displays a warning. By creating a file annotation with his file embedded inside the PDF file he could run his code: Acrobat would create the embedded file in the temporary directory and run the file from there. This has two problems. One was knowing the path of the PDF file; this was solved by searching the hard disk for the file, since looking at the task name would only give the file name, not the full path. The other problem is that it is not possible to open a file annotation automatically when the PDF file is opened, since there is no action to do that and there seems to be no way of getting the file using JavaScript code, so it was necessary for the user to manually double-click the file annotation. This last problem was not solved.
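Each of the four mechanisms above leaves distinctive keywords in the PDF itself (/FileAttachment and /EmbeddedFile for a file annotation, /Launch for the open file action, /JavaScript or /JS for document scripts, /OpenAction and /AA for open-time triggers), which is what a mail gateway has to look for, since the Outlook Security Update judges an attachment by its file type alone. The following scanner is an added example written for this page; it is not Zulu's code and not anything from Adobe or NAI/McAfee. It needs only the Python standard library. The sample PDFs it checks are constructed inline for illustration (the file names, payload string and "game" text are made up), and it goes slightly beyond the 2001 setting by also inflating FlateDecode streams, because later PDF versions can hide the catalog inside a compressed object stream where a raw byte scan would never see the /Launch action.

```python
"""Flag PDFs that carry embedded script files, Launch actions or document
JavaScript. Added example for this page, not the worm's code; the sample
PDFs below are constructed here and contain no malicious payload."""
import re
import zlib

# Attachment types the Outlook Security Update strips at the mail level but
# never sees once they are wrapped in a PDF file annotation (assumed list).
RISKY_EXTENSIONS = (b".vbs", b".vbe", b".wsf", b".js", b".jse", b".exe",
                    b".com", b".bat", b".cmd", b".scr", b".pif", b".hta")

# PDF keywords behind the four mechanisms discussed in the text.
MECHANISM_RE = re.compile(
    rb"/(Launch|JavaScript|JS|FileAttachment|EmbeddedFiles?|OpenAction|AA)\b")
# File specification strings (/F or /UF); a /Launch action uses /F for its target.
FILESPEC_RE = re.compile(rb"/U?F\s*\(([^)\\]*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def inflated_streams(data: bytes) -> list:
    """Inflate every zlib (FlateDecode) stream; streams that are not zlib
    data are skipped. decompressobj ignores the trailing newline."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass
    return out


def scan_pdf(data: bytes) -> dict:
    """Return the mechanisms present and any embedded/launched file whose
    name ends in a risky extension. Raw bytes and inflated streams are
    scanned together, so compressed object streams are covered too."""
    text = b"\n".join([data] + inflated_streams(data))
    mechanisms = {m.decode() for m in MECHANISM_RE.findall(text)}
    risky = [f.decode("latin-1") for f in FILESPEC_RE.findall(text)
             if f.lower().endswith(RISKY_EXTENSIONS)]
    return {"mechanisms": sorted(mechanisms), "risky_files": risky}


def is_suspicious(data: bytes) -> bool:
    """Gateway policy used here: block if a script/executable is embedded or
    launched, or if JavaScript is wired to run on open."""
    r = scan_pdf(data)
    m = set(r["mechanisms"])
    return bool(r["risky_files"] or "Launch" in m
                or ("OpenAction" in m and m & {"JS", "JavaScript"}))


def build_pdf(objects, root=1) -> bytes:
    """Assemble a minimal PDF (header, numbered objects, xref, trailer) from
    object bodies. Used only to construct the sample inputs below."""
    out = bytearray(b"%PDF-1.5\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root %d 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, root, xref))
    return bytes(out)


def stream_obj(dict_entries: bytes, payload: bytes) -> bytes:
    """Wrap payload as a stream object with the given dictionary entries."""
    return b"<< %s /Length %d >>\nstream\n%s\nendstream" % (
        dict_entries, len(payload), payload)


# Constructed sample 1: a file annotation embedding a .vbs, the worm's mechanism.
VBS_PAYLOAD = b'MsgBox "constructed sample payload, not the worm"'
ATTACHMENT_PDF = build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>",
    b"<< /Type /Annot /Subtype /FileAttachment /Rect [100 700 120 720] "
    b"/Contents (Double click for the solution) /FS 5 0 R >>",
    b"<< /Type /Filespec /F (solution.vbs) /EF << /F 6 0 R >> >>",
    stream_obj(b"/Type /EmbeddedFile", VBS_PAYLOAD),
])

# Constructed sample 2: an open file (Launch) action fired on document open.
LAUNCH_PDF = build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R "
    b"/OpenAction << /S /Launch /F (cmd.exe) /P (/c echo constructed sample) >> >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
])

# Constructed sample 3: the same Launch action, but the catalog sits in a
# compressed object stream, so the raw bytes show nothing until inflated.
_INNER = b"4 0 << /Type /Catalog /Pages 2 0 R /OpenAction << /S /Launch /F (setup.exe) >> >>"
OBJSTM_PDF = build_pdf([
    stream_obj(b"/Type /ObjStm /N 1 /First 4 /Filter /FlateDecode", zlib.compress(_INNER)),
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
], root=4)

# Constructed sample 4: a plain document with a compressed content stream.
CLEAN_PDF = build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>",
    stream_obj(b"/Filter /FlateDecode", zlib.compress(b"BT /F1 12 Tf (Hello) Tj ET")),
])

if __name__ == "__main__":
    for label, pdf in [("file annotation + .vbs", ATTACHMENT_PDF),
                       ("Launch on open", LAUNCH_PDF),
                       ("Launch in object stream", OBJSTM_PDF),
                       ("plain document", CLEAN_PDF)]:
        print(f"{label:24s} suspicious={is_suspicious(pdf)} {scan_pdf(pdf)}")
```

The keyword match is deliberately loose (it will also fire on a /Launch inside a string or comment), which is the right trade-off for a gateway: a false positive costs a quarantined PDF, a miss costs what this worm demonstrates. A production scanner would additionally parse the object structure and follow /EF references rather than trusting the declared file name, since nothing stops a writer from embedding a .vbs under a .jpg name.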
SOLUTION

This should not be that surprising: the recent joint announcement by NAI/McAfee and Adobe that the former was researching the ability to scan PDF files should have raised a few people's suspicions... It turns out that Adobe has decided that PDF files should not just be "document files" (i.e. "data") but should be able to support embedding of other types of file objects. We believe the mechanism Adobe chose to support this is OLE, thus turning PDF files into something loosely akin to Windows Shell Scrap (SHS) files (note, though, that the description above refers to Acrobat's own file annotation feature, which embeds the file inside the PDF and extracts it to the temporary directory when double-clicked). Not only does the current rev of the Outlook Security Update consider PDF files "safe", but most users will too, as historically PDF files have been "pure document files".

It is interesting that Adobe has apparently not learnt anything from the history of such developments. The least it could have done, were it a security-sensitive developer with the faintest glimmer of understanding of the history of such things, would have been to make the reader software require different formats for (potentially dangerous) "documents" (those that contain embedded objects) and the pure ("old") PDF format. This way content management is made much easier, and intelligent users would simply block the "new" format so as not to have to worry about the increased risk associated with it. And, of course, therein lies the reason Adobe would not do this: why add a threat-increasing option to your product if you then make it entirely optional whether the threat could be leveraged?? It is an interesting reflection on the thinking of Adobe that it approached antivirus developers to have them add handling of their new file formats rather than attempt to ameliorate the threat escalation they were deliberately, and clearly (from that very action) knowingly, introducing with this change...

Is encryption really the problem as far as viruses are concerned?
Decryption requires manual intervention by the user, and after that the problem is the same as before: applications that execute stuff automatically by default, or make it easy to circumvent any safeguards the user may have set. The new threat is that a hitherto unused file format is now used as a vector. Big deal.