A few days ago our colleague Oscar received an email inviting him to access a Web page by clicking on a link. This is not new. However, on clicking on the link, the following page was displayed (don’t try this at home, kids 😉 ):
As you can see, the page includes a download window inviting visitors to download a file called 60.pdf. As we were curious, we downloaded and opened the file which happened to be a blank PDF. This was a bad sign. On studying the document in detail, we realized the PDF contained different exploits that affected different vulnerabilities, depending on the version of Acrobat Reader installed on the computer.
First vulnerability: CVE-2008-2992
Second vulnerability: CVE-2008-0015
Exploits a vulnerability in readers with versions prior to v.8.
Third vulnerability: CVE-2009-0927
An exploit that could allow remote code execution.
The security patches for these vulnerabilities have been available for some time, as none of them is new. However, they still seem to be effective, since they are still being used.
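A "blank" PDF that selects an exploit by Reader version is the kind of file a quick triage pass should catch before anyone opens it. The script below is an added example, not code from the original post or its author: it flags PDFs that carry automatically executed JavaScript, even when the keyword is hidden behind PDF name escaping or a FlateDecode stream, and reports whether that script branches on app.viewerVersion across more than one exploit API. The mapping of the named CVEs to util.printf and Collab.getIcon is an assumption taken from public signatures, and both sample PDFs are constructed here with no exploit code in them.

```python
import re
import zlib

# Keywords that a "blank" PDF has no legitimate reason to carry.
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")
# Reader JavaScript APIs: the version check used to pick a payload, plus the
# public trigger names for two of the CVEs in the post (assumption: taken from
# published detection signatures, not from the sample described in the post).
EXPLOIT_APIS = (b"app.viewerVersion", b"util.printf", b"Collab.getIcon")


def _normalize(data: bytes) -> bytes:
    """Inflate FlateDecode streams, then undo name escaping (/J#61vaScript ->
    /JavaScript), so keywords hidden either way become visible to the scan."""
    def inflate(m):
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:          # not Flate data (or corrupt): keep as-is
            return m.group(0)
    data = re.sub(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", inflate, data, flags=re.S)
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Count indicators in one PDF's bytes and return a simple verdict."""
    text = _normalize(data)
    names = {n.decode(): len(re.findall(re.escape(n) + rb"(?![A-Za-z])", text))
             for n in SUSPICIOUS_NAMES}
    apis = [a.decode() for a in EXPLOIT_APIS if a in text]
    # Script wired to OpenAction/AA runs on open: a strong signal in a blank file.
    auto_js = bool((names["/JavaScript"] + names["/JS"]) and (names["/OpenAction"] + names["/AA"]))
    # A version check plus several exploit APIs means one payload per Reader
    # version, which is exactly the behaviour the post describes.
    branching = "app.viewerVersion" in apis and len(apis) >= 2
    return {"names": names, "exploit_apis": apis, "version_branching": branching,
            "verdict": "suspicious" if auto_js or branching else "clean"}


# Constructed test data (no real exploit code): a benign one-page PDF and a
# blank page whose OpenAction runs escaped, Flate-compressed JavaScript.
_HEAD = (b"%PDF-1.4\n2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
         b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n")
BENIGN_SAMPLE = (_HEAD + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                 b"trailer << /Root 1 0 R >>\n%%EOF\n")
_JS = zlib.compress(b"var v = app.viewerVersion;"   # payload chosen by version
                    b"var f = (v < 8) ? util.printf : Collab.getIcon;")
MALICIOUS_SAMPLE = (_HEAD + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
                    b"4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj\n"
                    b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(_JS)
                    + _JS + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")
```

Run `triage_pdf(MALICIOUS_SAMPLE)` to see the escaped `/JavaScript` and the compressed version check surface in the report; a naive `grep` on the raw file finds neither.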
The malware installed was… no, it wasn’t a fake antivirus this time! It was a banking Trojan…
Blog post written on behalf of JJ Ruiz de Loizaga.