Attack come from where?
Most of the attacks in this days are focused on client side attacks, when attacker target company or organization network they face a lot of challenges like IDS, IPS and firewalls which are prevent them to reach the internal network so they basically targeting for examples employees working In the target organization by many methods like phishing attacks or sending Malicious PDF files!
When we start to check the PDF files that exist in our network we may use antivirus scanners but in this days it seems not perfect solution to detect malicious PDF because attackers mostly encrypt it to bypass the antivirus scanners and in many times they target a zero day vulnerability that exit in Adobe Acrobat reader or targeting un updated version, the picture below show how PDF vulnerabilities rising every year
Before we start analyze malicious PDF we going to have a simple look at PDF structures as to understand how the shell code work and where it locate
What is PDF?
PDF document have four main parts (one-line header, body, cross-reference table and trailer)
PDF Header: Which is the first line showing the pdf format version and the most important line that give to you the basic information of the pdf file for example “%PDF-1.4 means that file fourth version
PDF Body: it consist of objects that compose contents of the document, these objects include fonts, images, annotations, text streams. And user can put invisible objects or elements, this objects can interactive with pdf features like animation, security features. The body of the pdf supports two types of numbers (integers, real numbers)
The Cross-Reference Table (xref table): the cross- reference counties links of all objects and elements that exist on file format, you can use this feature to see other pages contents (when the users update the PDF the cross-reference table gets updated automatically)
The Trailer: The trailer contains links to cross-reference table and always ends up with “%%EOF” to identify the end of a PDF file the trailer enables a user to navigate to the next page by clicking on the link provided
Now we will start to install old version of Adobe Acrobat reader 9.4.6 or 10 through to 10.1.1 which are vulnerable to Adobe U3D Memory Corruption Vulnerability
We can create a malicious PDF by Metasploit framework so we can analyze it. Start opens the terminal and type msfconsole
As the picture on right , we going to setting some Metasploit variables to be sure that everything is working fine
- After we select the exploit we are going to choose the payload that will execute during exploitation in the remote target and open Meterpreter session
- choose the LHOST which is our IP address and we can view through typing ifconfig in new terminal
- finally we type exploit to create the PDF file with configuration we created before
The file has been saved on /root/.msf4/local
So we going to move the file to Desktop for easier located by typing in the terminal
root@kali :~# cd /root/.msf4/local
root@kali :~# mv msf.pdf /root/Desktop
Wait for Analysis!
First Notice: The PDF has only one page, maybe its normal.
Rock and Roll !
If we going to start analysis go to the directory of the PDF file then start with syntax /usr/bin/peepdf –f msf.pdf
We use –f option to avoid errors and force the tool to ignore them
The tree commands shows the logical structure of the file, and starting explore object 4 (/AcroForm)
As we see in the picture above when we type object 4 it gave you another objects to explore for now we didn’t see any impotent information or seems suspicious except object 2 (XFA array) that gave us the element <fjdklsaj fodpsaj fopjdsio> and seems to us not continue something special
Let’s move to the another object (Open Action)
Lastline http://www.lastline.com/ which is a technology pioneer dedicated to stopping advanced malware, zero-day attacks, Lastline’s flexible Previct platform provides high-resolution analysis and protection; the required network security foundational layer capable of providing exacting security legacy APT, IPS, AV and next generation firewalls simply cannot see
Malicious PDF files attacks, Lastline able to analyze these attacks by putting the malicious file on evaluation stage before production stage which watch and monitor the malicious files by signature based or malicious behavior
As Dts-solution we are service provider of Lastline in (United Arab Emirates) UAE region we have provide this kind of solutions to financial sectors and other sectors
We defend our network from that type of malicious files by providing
* Keep your Adobe Acrobat Reader up-to-date
* Strong e-mail and web filter, IPS and by Application control
* Block PDF readers from accessing file system and Network resources.
* Security awareness
* It is impossible to prevent someone from sending a PDF file format. The best way to handle this is by using PGP’s signing process. Users may then only open any PDF files sent by trusted PGP’s key and not by email addresses.
Image Courtesy : Sans.org