F-Secure: Malicious PDFs Targeting Defense Contractors

Wednesday, July 20, 2011



Researchers from security provider F-Secure have discovered a sample of a malicious PDF that may be used in a targeted attack against defense contractor employees.

The attack exploits a JavaScript vulnerability in the reader that lets malicious code embedded in the file run when the document is opened. The code infects the victim's computer and can install a backdoor that attackers then use to reach other systems and glean sensitive information.

From the F-Secure team:

"We found this sample last week (md5: f393f34f268ddff34521d136e5555752). It's a PDF file, apparently sent to an employee of a targeted company as an email attachment."

"When opened in Adobe Reader, it exploits a known Javascript vulnerability and drops a file called lsmm.exe. This is a backdoor that connects back to the attacker, who is waiting at IP addresses and"

"After this, a decoy PDF file is shown to the end user. The decoy is a call for papers for 2012 AIAA Strategic and Tactical Missile Systems Conference, which is a US conference classified as SECRET":

AIAA Strategic and Tactical Missile Systems Conference (SECRET/U.S. ONLY)

"The target of this attack is not known to us," the F-Secure report concluded.

Exploitation of Adobe products, including the company's Flash Player and the ubiquitous PDF file format, has been a major concern for security professionals for some time.

Earlier this year, an analyst released some stunning findings on security bugs in Adobe PDF documents at the 27th Chaos Communication Congress in Berlin, Germany.

Julia Wolf, a researcher with the company FireEye, identified several flaws in the Portable Document Format standard that can produce serious vulnerabilities.

One finding showed the ability for a PDF to contain code for a database scanner that activates when the document is sent to a hub printer and can scan the entire network.

Another of Wolf's findings shows how the same PDF document can display different text when viewed with various browsers, readers and operating systems.

Wolf also highlighted other vulnerabilities with the document format that can be exploited to carry out attacks by activating malicious programs in Acrobat Reader, and by the format's ability to support features with flawed code like JavaScript, Flash files, digital rights management options and XML.

The problems are compounded by the fact that most antivirus software does not detect malicious code in PDF documents. Wolf noted that 40 antivirus products tested did not pick up the threats, even when the malware advisories were several months old.

If the malicious code was compressed or written in JavaScript, the detection rate was even lower.
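To illustrate the detection gap described above, here is an added Python triage script (it is not code from the article, F-Secure or FireEye). It builds two constructed sample PDFs in memory, one with a JavaScript open action in plain text and one with the same objects packed into a Flate-compressed object stream, then compares a naive byte-pattern check against a scan that inflates the streams first. The sample documents, the alert string and the list of suspicious keys are all assumptions made for this example.

```python
import re
import zlib

# Dictionary keys that indicate active content or auto-run behaviour in a PDF.
# This list is an assumption for the example, not a complete signature set.
SUSPICIOUS_KEYS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch"]

# Matches "stream\n<body>\nendstream"; the lookbehind avoids starting on "endstream".
# A production tool would honour /Length and handle filters other than FlateDecode.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.DOTALL)


def find_keys(data: bytes) -> set:
    """Return the suspicious keys present in data, as strings."""
    found = set()
    for key in SUSPICIOUS_KEYS:
        # The lookahead stops "/JS" from matching the start of a longer name.
        if re.search(re.escape(key) + rb"(?![A-Za-z0-9])", data):
            found.add(key.decode())
    return found


def scan_raw(pdf: bytes) -> set:
    """Naive check: pattern-match the file bytes as they sit on disk."""
    return find_keys(pdf)


def scan_with_streams(pdf: bytes) -> set:
    """Stream-aware check: also inflate every Flate stream and match inside it."""
    found = find_keys(pdf)
    for match in STREAM_RE.finditer(pdf):
        try:
            inflated = zlib.decompress(match.group(1))
        except zlib.error:
            continue  # not a zlib stream (or damaged); nothing more to inspect
        found |= find_keys(inflated)
    return found


# --- constructed sample documents -------------------------------------------

def build_pdf(objects: list) -> bytes:
    """Minimal PDF body; the xref table is omitted because the scanner never parses it."""
    out = b"%PDF-1.5\n"
    for num, obj in enumerate(objects, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"%%EOF\n"


def build_objstm(objs: list) -> bytes:
    """Pack (number, dictionary) pairs into a Flate-compressed object stream (PDF 1.5)."""
    header = b""
    body = b""
    for num, obj in objs:
        header += b"%d %d " % (num, len(body))  # object number and offset into body
        body += obj + b"\n"
    raw = header + b"\n" + body
    compressed = zlib.compress(raw)
    return (
        b"<< /Type /ObjStm /N %d /First %d /Length %d /Filter /FlateDecode >>\nstream\n"
        % (len(objs), len(header) + 1, len(compressed))
        + compressed
        + b"\nendstream"
    )


JS_PAYLOAD = b"app.alert('constructed sample');"  # harmless placeholder script

# Sample 1: catalog, page tree and JavaScript action stored in plain text.
PLAIN_PDF = build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
    b"<< /Type /Pages /Kids [] /Count 0 >>",
    b"<< /S /JavaScript /JS (" + JS_PAYLOAD + b") >>",
])

# Sample 2: the same three objects hidden inside one compressed object stream,
# so none of the suspicious names appear in the raw file bytes.
COMPRESSED_PDF = build_pdf([
    build_objstm([
        (2, b"<< /Type /Catalog /Pages 3 0 R /OpenAction 4 0 R >>"),
        (3, b"<< /Type /Pages /Kids [] /Count 0 >>"),
        (4, b"<< /S /JavaScript /JS (" + JS_PAYLOAD + b") >>"),
    ]),
])


if __name__ == "__main__":
    for name, doc in (("plain", PLAIN_PDF), ("compressed", COMPRESSED_PDF)):
        print(name, "raw:", sorted(scan_raw(doc)),
              "stream-aware:", sorted(scan_with_streams(doc)))
```

The raw scan flags the plain sample but reports nothing for the compressed one, which is exactly the blind spot the antivirus results above point to; only the scan that inflates the object stream sees the /OpenAction and /JavaScript entries in both files. Signature checks that operate on the on-disk bytes therefore need a decoding step (and, for JavaScript, ideally emulation) before they can be relied on for PDF triage.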

A vulnerability in Adobe's Flash Player had opened the door for attackers in the recent hack of security vendor RSA that compromised the company's SecurID two-factor authentication product. In a targeted attack, hackers sent emails to a select group of RSA employees which contained a spreadsheet attachment titled "2011 Recruitment plan.xls."

The attachment contained malware that exploited a flaw in the Adobe software that enabled the attackers to use a version of the Poison Ivy remote administration tool (RAT) to glean authentication credentials that allowed access to other systems in the company's network.

The subsequent breaches at Lockheed Martin, L-3 Communications and Northrop Grumman appear to have utilized data that was stolen in the RSA SecurID hack.

Kevin McAleavey: Poison Ivy has been around since 2003 and went widespread in 2006. Fabulous job, AV dudes. Back when I did BOClean, we had those and their variants covered the first day of their releases from their host side, chasenet.org.