[Fwd: Adobe PDF files can be used as virus carriers]

From: Robin Whittle (rw@firstpr.com.au)
Date: Wed Aug 08 2001 - 14:03:18 EST


This is a worrying development, just posted to the BugTraq mailing list
- essential reading for anyone concerned with computer security:
  
   http://www.securityfocus.com

It also gives some insight into the minds of people who write
potentially malicious programs. Perhaps the writer quoted below (Zulu)
is more interested in proving he can break systems, and in getting the
systems improved, than actually going out and creating a secret
malicious program to wreak havoc. (Otherwise, why would he write a
document such as this, and why would he put it on his web site?) Perhaps
it is the satisfaction of devising a way of inserting yourself into
other people's things, even if you don't actually do it. Also, perhaps,
the satisfaction and social cachet of developing a new means of security
intrusion, by discovering vulnerabilities and inventing ways of
exploiting them.

I have reformatted the Zulu text, which is just part of what is at his
site.

   - Robin

-------- Original Message --------

Subject: Adobe PDF files can be used as virus carriers
Date: Tue, 7 Aug 2001 11:44:20 -0400
From: rms@privacyfoundation.org (Richard M. Smith)
To: <bugtraq@securityfocus.com>

Hello,

This is an interesting development. Zulu, a virus writer from South
America, appears to have discovered that Adobe PDF files can be used to
carry computer viruses. The attached description gives the details.
His little trick uses a PDF file to bypass the new security feature of
Outlook which automatically deletes dangerous file attachments. With
this security feature, all VBScript attachments are deleted because they
might be computer viruses. However with Zulu's trick, a malicious
VBScript file can instead be hidden inside a PDF file which Outlook
considers safe.

I don't believe that the anti security research and reverse engineering
provisions of the DMCA apply here, but given Adobe's recent action
against Dmitry Sklyarov, I recommend a bit of caution by anyone looking
into this potential security problem in Adobe Acrobat Reader. A
conversation with a lawyer might be prudent.

Another interesting question is if Adobe formatted eBooks can also act
as computer virus carriers.

Richard M. Smith
CTO, Privacy Foundation
http://www.privacyfoundation.org

====================================================================

http://www.coderz.net/zulu/outlook.pdfworm.txt

Virus Name: OUTLOOK.PDFWorm
Author: Zulu
Origin: Argentina

VBScript worm. It uses OUTLOOK to send itself in a PDF (portable
document format) file (the first to use this file type).

When opened using Acrobat it will show an image with a minor game.

Showing the solution to this game involves double-clicking a file
annotation, which after a warning will run a VBS, VBE or WSF file
(depending on the worm version).

The VBScript file will create and show a JPG file with the solution to
the game and it will try to find the PDF file to spread it. This is
necessary because when the link is used, Acrobat will create the VBS,
VBE or WSF file in Windows' temporary directory and it will run this
file, so this VBScript file doesn't know the path of the PDF file to
spread.

Then it will start the spreading code using a way of using OUTLOOK not
seen before in any worm (spreading details can be found in the features
section of this file).

The password for changing the security options of the PDF file is
"OUTLOOK.PDFWorm".

This worm is designed to be a proof of concept; it has bad spreading
capabilities, only what is necessary to be called a worm. Also, because file
annotations are only available in the full version of Acrobat, this worm
will not run in Acrobat Reader.

Features:

- Uses the PDF extension, not seen before in any virus/worm.

- OUTLOOK spreading using new code, not the classic Melissa's code and
  its variations like the one from Freelink.

  This new method will get addresses from the recipients of all emails
  in any OUTLOOK folder and from all address book entries (but taking
  the first three addresses of each contact, not just the first like
  most OUTLOOK worms).
 
  This new method is based on the possibility of reaching contacts from
  OUTLOOK folders instead of using the objects designed to read address
  books. So the code will look inside all OUTLOOK folders, and if the
  items inside them are emails or contacts, it will get those addresses.
 
  Subject, body and attachment name will be selected from some random
  choices. Also, it will limit the amount of emails to 100.

  It will be run only once in each computer since it uses the registry
  to check if it was already run.

- Good social engineering. I even think that this PDF file would be
  manually sent by many of those users that are never tired of sending
  stupid jokes. :)

- To find the PDF file, if Word is installed it will use it to do the
  search; if Word is not installed, it will search for the file using
  VBScript code looking in many common paths and all subdirectories of
  those paths. Both methods will look for PDF files with their size
  similar to the original worm copy.

- Uses script encoding (in version 1.1 and 1.2).

- The VBScript file shows a JPG file when run, so it will show what the
  user expects.

Background information:

I was starting another project, much bigger and with good spreading
capabilities. But that was very delayed because of time problems, so I
decided to try with PDF files first and then continue with the other
worm when I have time.

I saw four possibilities:

- Using JavaScript with "mailMsg" method.

  It would only work in the full version of Acrobat.

  By using the "mailMsg" method (which uses MAPI) I could send an email
  message when the document is opened (page open action).

  But the problem was that I was not able to get email addresses to
  send the message to.

- Using the Acrobat menu.

  It would only work in the full version of Acrobat.

  I could use the "Send Mail..." menu option, calling it when the
  document is opened (page open action). That would open a window from
  the default email client with the attachment already added.

  Here the problem was how to send the necessary keys to send the
  message that was already opened in that window.

- Using open file action.

  It would work in Acrobat and in Acrobat Reader. It displays a warning.

  By creating an open file action when the document is opened I could
  run any file with any code inside it. But the problem was that I had
  no file to run. This method could work for a trojan that runs
  "FORMAT.COM", but not for a worm.

- Using a file annotation.

  It would only work in the full version of Acrobat. It displays a
  warning. Creating a file annotation with my file embedded inside the
  PDF file I could run my code. Acrobat would create the embedded file
  in the temporary directory and it would run the file from there.

  This has two problems. One was knowing the path of the PDF file; this
  was solved by searching the file in the hard disk since looking in the
  task name would only give the file name, not the full path. The other
  problem is that it's not possible to open a file annotation
  automatically when the PDF file is opened since there is no action to
  do that and it seems that there is no way of getting the file using
  JavaScript code, so it was necessary that the user manually double
  clicked the file annotation. This last problem was not solved.
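The two PDF mechanisms described above (a file annotation carrying a script, and an open action that launches a file) both leave recognisable objects in the PDF. Below is an added triage check for a mail gateway or analyst, not code from any of the posts: it walks the objects of an uncompressed PDF and flags file specifications inside `/FileAttachment` annotations whose name ends in one of the script extensions the text names, plus any `/Launch` action. The sample PDF is constructed for the example, and the regex-based object walk assumes objects are not inside compressed object streams.

```python
import re

# Constructed sample: a minimal PDF with a FileAttachment annotation whose
# file specification names a .vbs file, plus a Launch action in /OpenAction.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /Launch /F (puzzle.vbs) >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /FileAttachment /Rect [0 0 50 50]
   /FS << /Type /Filespec /F (solution.vbs) /EF << /F 5 0 R >> >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 21 >> stream
(constructed payload)
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Script types the worm description says Acrobat will run from an annotation.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".wsf")

FILESPEC_RE = re.compile(rb"/F\s*\((?P<name>[^)]*)\)")   # /F (filename) literal string
ANNOT_RE = re.compile(rb"/Subtype\s*/FileAttachment")
LAUNCH_RE = re.compile(rb"/S\s*/Launch")


def _object_bodies(pdf):
    """Yield (object number, body bytes) for every 'N G obj ... endobj' in the file."""
    for m in re.finditer(rb"(\d+)\s+\d+\s+obj(.*?)endobj", pdf, re.S):
        yield int(m.group(1)), m.group(2)


def scan_pdf(pdf):
    """Return (finding, object number, filename) tuples for risky objects."""
    findings = []
    for num, body in _object_bodies(pdf):
        names = [n.decode("latin-1") for n in FILESPEC_RE.findall(body)]
        if ANNOT_RE.search(body):
            for name in names:
                if name.lower().endswith(SCRIPT_EXTENSIONS):
                    findings.append(("file-annotation-script", num, name))
        if LAUNCH_RE.search(body):
            for name in names:
                findings.append(("launch-action", num, name))
    return findings


if __name__ == "__main__":
    for finding in scan_pdf(SAMPLE_PDF):
        print("%s in object %d: %s" % finding)
```

A real gateway would also decompress object streams (PDF 1.5+) and decode hex-string and escaped file names before matching, which this check does not do.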



This archive was generated by hypermail 2.1.1 : Fri Aug 31 2001 - 03:10:03 EST