Another challenge is ready to be tackled by forensic analysts, students, hackers and alike. This time, we present you with an attack vector that has become quite successful: malicious PDF files! For challenge 6 of our series (provided by Mahmud Ab Rahman and Ahmad Azizan Idris from the Malaysia Honeynet Project Chapter) we present you […]
Antaramuka Pengaturcaraan Aplikasi untuk VirusTotal
Virustotal telah menjadi salah sebuah tempat rujukan yang sangat berguna dalam memastikan sesebuah fail itu berbahaya atau tidak. Jika dilihat dari sisi hadapan, virustotal telah mengumpulkan antivirus-antivirus yang terkenal sebagai enjin untuk memberitahu tentang status sesebuah fail yang ingin dikesan. Ini ketara keberkesanannya dari sudut keutuhan sesebuah keputusan, yang mana, rujukan silang (cross-reference) diantara kesemua […]
Update for Gallus Nov 3, 2010
Here are some of the major changes in the recent Gallus: Improved extraction of malform PDF object structure Added CAPTCHA functionality within sample submission Integrate virustotal API as ‘two-factor verification’ of sample analysis Added support for Adobe LibTIFF exploit analysis and detection If you happen to come across with error/bugs while using Gallus, feel free […]
No endstream, no endobj, no worries
In analyzing malicious PDF documents, being able to understand the format of its object structure is definitely useful. In order to look for malicious content inside the file, we might need to go through some of the process that’ll include interpreting the PDF object structure. The PDF object is enclosed with “obj” and “endobj”. Between […]
Gallus, yet another PDF analyzer (alpha)
Introducing Gallus Gallus is a web-based malware detection service specifically to extract and analyze suspected malicious PDF documents. It is a free service designed to help security researchers and public to detect exploits and extract other useful information contained in PDF documents. How Gallus Works Gallus is designed to extract and analyze the malicious components […]
From Adobe Reader exploit to Foxit Reader exploit
Today, Gallus received a PDF sample submission with md5 hash 37b98d28762ceeaa5146e2e0fc0a3fdd. Marked as malicious, I was compelled to investigate further on this sample after looking at the potential malware URL produced by Gallus report. The PDF sample contains URLDownloadToFile payload that points to hxxp://77.x.y.Z/webmail/inc/web/load.php?stat=3DWindows. Traversing the URL at hxxp://77.x.y.Z/webmail/inc/web/, I managed to retrieve the HTML […]
PDF Stream Filters – Part 2
It is very interesting to study the obfuscation techniques used by the attackers in malicious PDF docs. As of my previous blog entry, one of the simplest, yet interesting obfuscation technique used is the cascading filtering. This basically means that the malicious JavaScript code is embedded below the multiple layers of encoded stream. In this […]
PDF Stream Filter – Part 1
One of the challenges in analyzing malicious PDF document is stream filtering. Malicious contents in PDF file are usually compressed with stream filtering thus making analysis a bit complicated. In a PDF document , stream object consists of stream dictionary, stream keyword, a sequence of bytes, and endstream keyword. A malicious content inside PDF file […]
Embedded Zbot trojan inside PDF file
We came across this new variant of malicious PDF that contains a ZBot infostealer Trojan. When a user open the PDF file, a pop up will ask the whether the user would like to save a file called Royal_Mail_Delivery_Notice.pdf. The unsuspecting user might assume that the file is just a PDF file, and therefore will […]
Referencing yourself with arguments.callee()
Obfuscation using arguments.callee() in java scripts is widely seen in browser exploitation and malicious PDF attacks. This kind of obfuscation could be a bit tricky to handle for security analyst. The arguments.callee() call is used normally to prevent security analyst from modifying the malicious function. The variable that holds the arguments.callee will be validated in […]