Introducing Gallus Gallus is a web-based malware detection service specifically to extract and analyze suspected malicious PDF documents. It is a free service designed to help security researchers and public to detect exploits and extract other useful information contained in PDF documents. How Gallus Works Gallus is designed to extract and analyze the malicious components […]
From Adobe Reader exploit to Foxit Reader exploit
Today, Gallus received a PDF sample submission with md5 hash 37b98d28762ceeaa5146e2e0fc0a3fdd. Marked as malicious, I was compelled to investigate further on this sample after looking at the potential malware URL produced by Gallus report. The PDF sample contains URLDownloadToFile payload that points to hxxp://77.x.y.Z/webmail/inc/web/load.php?stat=3DWindows. Traversing the URL at hxxp://77.x.y.Z/webmail/inc/web/, I managed to retrieve the HTML […]
PDF Stream Filters – Part 2
It is very interesting to study the obfuscation techniques used by the attackers in malicious PDF docs. As of my previous blog entry, one of the simplest, yet interesting obfuscation technique used is the cascading filtering. This basically means that the malicious JavaScript code is embedded below the multiple layers of encoded stream. In this […]
PDF Stream Filter – Part 1
One of the challenges in analyzing malicious PDF document is stream filtering. Malicious contents in PDF file are usually compressed with stream filtering thus making analysis a bit complicated. In a PDF document , stream object consists of stream dictionary, stream keyword, a sequence of bytes, and endstream keyword. A malicious content inside PDF file […]
Honeynet Project Annual workshop 2010
The Annual Honeynet Project workshop this year was held at Mexico City, Mexico. The workshop enables chapters from all over the globe to meet, discuss ideas, share experiences and develop our toolsets for data collection and analysis. It is an extremely valuable and unique event, where chapters from around 20 countries find the time to […]
Analysis on Java Web Start Argument Injection Exploit
The recent discovery of Java Web Start Argument Injection vulnerability (CVE-2010-0886 and CVE-2010-0887) has opened a new opportunity for the bad guy to utilize it in drive-by download attack. Here is a short write up on the example (in the wild) found early today, which exploiting this vulnerability. The exploit was found on http://buckomre.com/ and […]
Embedded Zbot trojan inside PDF file
We came across this new variant of malicious PDF that contains a ZBot infostealer Trojan. When a user open the PDF file, a pop up will ask the whether the user would like to save a file called Royal_Mail_Delivery_Notice.pdf. The unsuspecting user might assume that the file is just a PDF file, and therefore will […]
Referencing yourself with arguments.callee()
Obfuscation using arguments.callee() in java scripts is widely seen in browser exploitation and malicious PDF attacks. This kind of obfuscation could be a bit tricky to handle for security analyst. The arguments.callee() call is used normally to prevent security analyst from modifying the malicious function. The variable that holds the arguments.callee will be validated in […]
Yara Rule For CVE-2010-0805
The Internet Explorer Tabular Data Control ActiveX Memory Corruption (CVE-2010-0805) exploit was recently ported to Metasploit, so we decided to release the detection rule for Yara. Yes it can also be used with JSunpack! rule MSIETabularActivex { meta: ref = “CVE-2010-0805” impact = 7 hide = true strings: $cve20100805_1 = “333C7BC4-460F-11D0-BC04-0080C7055A83” nocase fullword $cve20100805_2 = […]
/Info does give an info :)
Common PDF dictionary used inside malicious PDF are /Author, /Producer, /Title, and /Subject which use reference from this.info.author, this.info.producer, this.info.title, and this.info.subject respectively. The PDF dictionary mentioned above are located inside the /Info referenced object. This can be identified from the reference variable above (e.g: this.info.title) used inside JavaScript code. For instance; this /* means […]