Sunday, March 1, 2009

A Little Malware Research: article 200905

The past few days I decided to wade into some application security and forensics, especially down at the assembly language level. Since my last post I have been playing with the malicious PDF I downloaded from the Internet into a VM with Windows 2000 Professional SP4. I have installed Adobe 9.0 and FoxIT readers. I used Sysinternals Filemon, Regmon, OllyDbg, and WinDiff to try to determine what exactly was being done by this PDF, to see if there was any further malicious activity other than crashing the Adobe program. The only suspicious activity I saw was what appeared to be a reading of the root of the C drive, but keep in mind I am not a forensics expert and the only coding I do is simple administration scripts with shell, VB and Perl (I am planning on adding Python to that list soon).

My process started with a clean 2000 Pro VM with Adobe 9.0 and FoxIT installed; from here I took a snapshot to always revert back to.

I downloaded the malicious PDF onto the VM without incident, then opened it with Adobe Reader, which after some struggling finally crashed.

I then reverted back to my snapshot, this time disabling Java in Adobe, and I again downloaded the malicious PDF and opened it. A dialog box announced I would need to enable Java to open the attachment and asked if I wanted to enable Java; I selected not to, and immediately Adobe Reader crashed.

During each test I had Filemon running. I went to compare the crashes with each other. The Adobe Reader processes were cranking along just fine until a call for Java was made, at which point the one with Java disabled reported an attribute error and the other went ahead and loaded Java, as was expected.

The processes fell in sync again until glob.js was called and executed. I am not sure what glob.js does, but when I see glob I think of searches and regex; my Google searches did not produce much.

The processes synced up again until a 3rd and final time, when the reader program with Java disabled made a call to admplugin.apl, which according to is the Adobe Dialog Manager, which is probably what asked me to enable Java, and the reader that had Java enabled started making reads to the root of my C:\ drive. That is where I would throw a flag; but it is interesting that I never saw a WRITE.

I also used WinDiff to compare before-and-after registry settings from opening the PDF with and without Java; I really saw no critical changes there. Also, using Regmon I compared the two and did not see anything that stood out.
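The Filemon comparison described above can be automated. The following is an added example, not code from the original post: it parses two small Filemon-style traces (constructed here, assuming a tab-separated layout of sequence, time, process, request, path, result), finds the first event where the Java-enabled and Java-disabled runs diverge, and flags reads of the C:\ root and any writes, which is exactly what the post looked for by eye.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Event:
    process: str
    request: str  # e.g. IRP_MJ_READ, IRP_MJ_WRITE, IRP_MJ_CREATE
    path: str
    result: str

def parse_trace(text: str) -> List[Event]:
    """Parse a tab-separated Filemon-style export (assumed column order:
    seq, time, process, request, path, result); malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        cols = line.split("\t")
        if len(cols) < 6:
            continue
        events.append(Event(cols[2], cols[3].upper(), cols[4], cols[5].upper()))
    return events

def first_divergence(a: List[Event], b: List[Event]) -> Optional[int]:
    """Index where the two runs stop matching on (request, path); None if identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if (x.request, x.path.lower()) != (y.request, y.path.lower()):
            return i
    return None if len(a) == len(b) else min(len(a), len(b))

def flag_activity(events: List[Event], drive: str = "C:\\") -> Tuple[List[Event], List[Event]]:
    """Return (reads of the drive root, writes anywhere on that drive)."""
    root = drive.rstrip("\\").lower()
    root_reads = [e for e in events if ("READ" in e.request or "DIRECTORY" in e.request)
                  and e.path.rstrip("\\").lower() == root]
    writes = [e for e in events if "WRITE" in e.request and e.path.lower().startswith(root)]
    return root_reads, writes

# Constructed sample traces (not real Filemon output): scripting enabled vs disabled.
TRACE_ENABLED = "\n".join([
    "1\t10:01:00\tAcroRd32.exe\tIRP_MJ_CREATE\tC:\\Temp\\sample.pdf\tSUCCESS",
    "2\t10:01:00\tAcroRd32.exe\tIRP_MJ_READ\tC:\\Temp\\sample.pdf\tSUCCESS",
    "3\t10:01:01\tAcroRd32.exe\tIRP_MJ_READ\tC:\\Reader\\glob.js\tSUCCESS",
    "4\t10:01:02\tAcroRd32.exe\tIRP_MJ_DIRECTORY_CONTROL\tC:\\\tSUCCESS",
    "5\t10:01:02\tAcroRd32.exe\tIRP_MJ_READ\tC:\\\tSUCCESS",
])
TRACE_DISABLED = "\n".join(TRACE_ENABLED.splitlines()[:3] + [
    "4\t10:01:02\tAcroRd32.exe\tIRP_MJ_CREATE\tC:\\Reader\\admplugin.apl\tSUCCESS",
])

def compare(enabled_text: str, disabled_text: str) -> dict:
    """Summarise where the runs split and what the enabled run touched on C:."""
    a, b = parse_trace(enabled_text), parse_trace(disabled_text)
    reads, writes = flag_activity(a)
    return {"diverge_at": first_divergence(a, b), "root_reads": len(reads), "writes": len(writes)}
```

Running `compare(TRACE_ENABLED, TRACE_DISABLED)` on the constructed traces reports the split at the fourth event, two reads of the C:\ root and no writes.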

I also attached a debugger to the Adobe Reader process and watched it crash; again nothing really stood out to me, but that could be a lack of knowledge of the code processes down at such a low level.

Using CamStudio I captured the crashing of the Adobe application, as well as FoxIT successfully opening the malicious PDF. Nothing too exciting; the apps just crash. It was interesting to see FoxIT open the PDF to see what was inside.

The first video is with Java enabled

This is with Java disabled

And this opening the document with FoxIT

Overall this was just a fun exercise to get my hands dirty with some very basic application and forensic investigation. The PDF I was using had already been crafted, but could easily be re-engineered to be more malicious. Even more concerning is that at the same site where I grabbed this PDF there is another download of a Perl script that was created to easily produce these malicious PDFs. Opening the script in Notepad, one can easily see how to create such a PDF and modify it to their liking.