Tuesday, August 31, 2010

PDF Revision 3 Encryption

I just wanted to give a quick shout out to i♥cabbages for their very useful post on PDF Revision 3 encryption and the mysterious unpublished algorithm. I'm currently working on bringing more of the PDF encryption methods into the PDF Examiner.

Currently Revision 4 AES V2 is working pretty well; I'm in the process of adding Revision 2 (40-128 bit RC4) support and researching Revision 1 (40 bit RC4) and Revision 3 (RC4 plus some XORing).

Thanks to those who provided samples; please flag any failures to me and I'll do my best to add support for them as well.

Monday, August 30, 2010

Encrypted PDF part 2 - with the online PDF Examiner and object dissector

A couple of posts ago I talked about do-it-yourself AESV2 PDF decryption; now it's time to get into the analysis of the PDF Javascript payload. The free online MalwareTracker.com PDF Examiner 1.0 is very helpful for handling the parsing of the PDF and locating the objects that contain weird obfuscated Javascript (you can use our PDF analysis tool here).

After uploading the PDF at http://www.malwaretracker.com/pdf.php, we get the following page which highlights that object 47 generation 0 has some javascript obfuscation going on:


In the left column, objects with something bad detected in them show up as red, objects with streams of any sort of content show up as green, and the smaller xref and document info objects are grey and of minimal value in finding the exploits. As you can see below, when you click on the suspected bad object we are presented with a hex view which clearly shows we've found a Javascript block (remember this would normally have been tricky to track down with other PDF parsers, as this object is also AES V2 128 bit encrypted).


Keeping with the on-the-go quick analysis these online tools are designed for, you can click View Obj Raw to see the decoded object's content for an easy copy-paste:

The javascript object isn't super pretty to look at:
Javascript in exploits is usually pretty messy, so we can copy-paste the above code over to http://jsbeautifier.org/, a great online tool for cleaning up messy js code.

Now here's where we can see there's all sorts of messy obfuscated code using some mathematical tricks to evade decoding. However, notice the eval in the last line of the code? We can save a lot of time by simply changing the eval to document.write and letting the attacker's code work against them:


Then, back on our PC, we can create a simple HTML file containing the javascript to open in our favorite browser:


Opening this in a web browser reveals the de-obfuscated javascript:
And over to the javascript beautifier again:

We can clearly see the potpourri of exploits we've been presented with:
this.media.newPlayer(null) -> CVE-2009-4324
util.printd("DAbRSENUPTBrlwPSTcwaybxlFnvNzcMRwJvG", new Date()) -> CVE-2008-2992
Collab.collectEmailInfo -> CVE-2007-5659
app.doc.Collab.getIcon -> CVE-2009-0927

The deobfuscation also revealed the shellcode. We're not going to get into that here, but will remind everyone that we have an online nasm viewer (with our own annotations) over at http://www.malwaretracker.com/shellcode.php which also lets you add an XOR key to try unpacking the shellcode yourself.

That's all for now :)

Saturday, August 28, 2010

PDF dissector tool online

Check out our new PDF analysis platform Malware Tracker PDF Examiner 1.0 at http://www.malwaretracker.com/pdf.php. Our new PDF dissector will process normal compressed or encrypted (AESV2) PDFs into objects for viewing, scan for known exploit CVEs or obfuscated javascript, and export decoded data to file. Upload and analyze PDFs on the go for free.