Zeus being activily distributed with PDF Launch Action


The good folks over at M86 Security Labs are reporting the first instance of the Zeus data-stealing bot taking advantage of the PDF Launch action. You can read the full blog posting here: PDF ‘Launch’ Feature Used to Install Zeus. The malicious actors involved in this instance appear to have only a very small grasp of the capabilities surrounding the Launch action, as this attempt at using it to carry out badness is very rudimentary. They require the targeted user to click through two different warning dialog boxes and do not take advantage of controlling the text of the second warning dialog at all. Their intentions are clearly shown in the Launch dialog box, as shown in the screenshot:

They also do not take advantage of being able to extract the executable with some crafty scripting to avoid having to use the JavaScript exportDataObject function. This means the malicious code writers delivering this nasty PDF file have not figured out how to get around the requirement to use JavaScript, so just turning off JavaScript in your PDF reader will keep you safe from it. This is why I would classify this attack attempt as rudimentary at best, with little to no real sophistication. If this were the best the malicious actors had to offer we would have nothing to worry about, but I am afraid this is only the beginning, and I am sure we will see far more sophisticated attempts at exploiting the Launch action in the future.
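The point above is that this sample needs three things in one file: a /Launch action, JavaScript, and an embedded payload that exportDataObject writes to disk. That combination is easy to triage for before a reader ever opens the file. The script below is an added example, not code from the original post or from M86's analysis: it counts the relevant PDF keywords the way pdfid-style triage does, pulls the /F target out of any /Launch dictionary, and returns a verdict. The sample PDF, its EXAMPLE_PLACEHOLDER.exe target and the exportDataObject call in it are constructed for the example, not taken from the real dropper. One caveat a practitioner wants handled: the PDF specification lets a name be written with #xx hex escapes (/J#53 is the same name as /JS), so the script normalizes names before matching rather than grepping the raw bytes.

```python
import re
from typing import Dict, List

# Constructed sample, not the Zeus dropper from the M86 post: a minimal PDF whose
# /OpenAction is a /Launch action chained to a JavaScript action that calls
# exportDataObject. Object 5 writes its /JS key as /J#53 so the test below shows
# why names must be normalized before matching.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch /F (EXAMPLE_PLACEHOLDER.exe) /Next 5 0 R >> endobj
5 0 obj << /Type /Action /S /JavaScript /J#53 (this.exportDataObject({cName: "EXAMPLE"});) >> endobj
6 0 obj << /Type /EmbeddedFile /Length 0 >> stream
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Keywords worth counting for this campaign: the Launch action itself, the
# JavaScript the sample depends on, the embedded payload, and the open triggers.
KEYWORDS = [b"/Launch", b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/EmbeddedFile"]


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names (PDF 1.7 spec, 7.3.5) so /J#53 compares as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> Dict[str, int]:
    """Count each interesting name plus the exportDataObject call, after normalization."""
    norm = normalize_names(data)
    counts: Dict[str, int] = {}
    for kw in KEYWORDS:
        # A name ends at whitespace or a delimiter, so /JS must not also match /JSx.
        pattern = re.escape(kw) + rb"(?![A-Za-z0-9_])"
        counts[kw.decode()] = len(re.findall(pattern, norm))
    counts["exportDataObject"] = norm.count(b"exportDataObject")
    return counts


def launch_targets(data: bytes) -> List[str]:
    """Return the /F target of every /Launch action dictionary in the file."""
    norm = normalize_names(data)
    targets: List[str] = []
    for dict_body in re.findall(rb"/S\s*/Launch\b(.*?)>>", norm, re.DOTALL):
        m = re.search(rb"/F\s*\(([^)]*)\)", dict_body)
        if m:
            targets.append(m.group(1).decode("latin-1"))
    return targets


def assess(data: bytes) -> Dict[str, object]:
    """Combine the counts into human-readable reasons and a coarse verdict."""
    counts = count_keywords(data)
    reasons: List[str] = []
    if counts["/Launch"]:
        reasons.append("Launch action present")
    if counts["/JavaScript"] or counts["/JS"]:
        reasons.append("JavaScript present")
    if counts["exportDataObject"]:
        reasons.append("exportDataObject call: an embedded file is written to disk")
    if counts["/EmbeddedFile"]:
        reasons.append("embedded file stream present")
    if counts["/OpenAction"] or counts["/AA"]:
        reasons.append("automatic trigger on document open or page event")
    # Launch plus JavaScript plus an embedded file is the pattern of this sample;
    # a Launch action on its own is still worth an analyst's eyes.
    if counts["/Launch"]:
        verdict = "suspicious"
    elif reasons:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "counts": counts,
        "launch_targets": launch_targets(data),
        "reasons": reasons,
        "verdict": verdict,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_PDF), indent=2))
```

Run it against a directory of incoming PDFs and anything that reports both a Launch action and JavaScript is exactly the case the post describes: with JavaScript disabled in the reader the exportDataObject step never runs, but the file still deserves a look because the Launch action itself is not blocked by that setting.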

Regarding the vast functionality of the PDF specification, I would recommend that security professionals not only look over the PDF specification document that has been referenced all over the Internet these last few weeks, “PDF 1.7 Specification”, but also the “JavaScript for Acrobat API Reference” for a better understanding of what is possible and what is to come. If you don’t care for Adobe’s live document viewer you can download the older version here: JavaScript for Acrobat API Reference, Version 8. One thing to note is that although the PDF specification documentation is very thorough, the JavaScript for Acrobat API Reference manual is not. To prove this, take a look at this vulnerability, CVE-2007-5659, or for a few more details on the specific vulnerable function look here: OSVDB 41495. The JavaScript function in question is called Collab.collectEmailInfo(), and my challenge for you is simple: find this method in the JavaScript for Acrobat API Reference manuals. Bet you can’t find it! Pablo Sole from Immunity claims in this presentation, ID_reCON_2008.pdf, that there are actually 48 members of the Collab JavaScript object, of which only 3 are documented. Apparently Pablo used the Immunity Debugger to fuzz this object and published his findings. Another interesting thing to note here is that Pablo published this in 2008 and these 45 undocumented members still appear to be undocumented.

