Adobe reader vulnerability demo [Anatomy of an Attack online]

Uploaded by SophosLabs on 19.06.2012

Welcome to a demonstration of the Adobe Reader vulnerability.
I'm Chester Wisniewski, Senior Security Advisor here at Sophos.
The purpose of this demonstration is to show a recent vulnerability in
Adobe Reader that allows random content to be downloaded from the internet.
In many ways,
this is a typical piece of malware that is designed around social engineering.
We've done a pretty good job about teaching people not to open up executable
attachments in their email,
and more. But PDFs and Office files don't raise red flags with most people.
This makes documents a great way for malicious people to infiltrate your environment.
Let me show you.
This PDF avoids a lot of security features in Windows,
like Data Execution Prevention and Address Space Layout Randomization.
What's going to happen when I launch it is:
it's going to load the PDF into Adobe Reader;
Adobe Reader's going to crash;
and when it crashes it's going to download a file from the internet.
To prepare for this I'm going to briefly launch Wireshark, which is a packet capture application,
and we'll be able to see the retrieval of that malicious file from the internet.
I'm going to launch the PDF.
It goes and downloads an executable from the internet, runs the file, and then it loads a
decoy PDF so you don't notice that it crashed.
The decoy PDF displays the content that you were expecting.
In this case, the spam that sent this message was a message telling you that
it was a PDF about a golf clinic from David Leadbetter that's going to give you
tips on how to be a better golfer.
For the purposes of this demo, I've rigged this to launch Notepad, rather than the
original malware.
We can see Notepad in the background
and the decoy PDF is loaded. We've been pwned.
Next, I'll close the PDF.
And if we go back and look at Wireshark, we can see the conversation that
occurred over the internet.
When I launched Adobe Reader,
it went, did a web request, and tried to grab "wincrng.exe".
I'd set up the host
to serve up Notepad, and we can see that it did a web request and downloaded the
Notepad application rather than the original payload.
The clever part about this malware
is that the approach they have taken can trick almost anyone.
It's quite a simple trick.
And the fact is that, while this vulnerability is specific to Adobe Reader,
the same attack could happen with any application.
It's also very sophisticated in that it uses a stolen digital certificate
to trick Windows into executing the attack without the user noticing.
We saw this with the Stuxnet worm, and this is a new trend.
We've been seeing this historically, on and off, but rarely are they valid certificates.
And in this case, it's a real certificate, from a real credit union.
They digitally sign the malware so that anything that's deciding that it's
OK to allow digitally-signed code to run
will fall victim to this attack.
Now I'm going to open up the captured file here,
and within the logs, I've got a copy of everything that this malware planted on the system.

If we look at the malware that it's downloaded from the actual malicious
site, we see that it's got a tab "Digital Signatures".
And in that tab, we can see it's been signed by ""
If we look at the details for that,
we can view the certificate here.
We can see that it's a valid certificate; it was issued by Verisign; and it expires
in October 2010.
Because the malware was signed before this date, the malware will remain properly signed even if the
certificate is revoked.
Part of the purpose of digitally signing things is that certificates can be
revoked if they've been determined to have been compromised.
I've downloaded a copy of the latest Certificate Revocation List from Verisign.
If we scroll down, we can match the serial number to the one that we see in the
revocation list, and it's been revoked.
From this point forward, nothing signed with this certificate will be valid.
So that's a small success for certificate validation - but, unfortunately,
revocation is not retroactive, and there may still be malware out there using this certificate.
This is all quite interesting. It goes to show how something as simple as opening
a PDF can put your PC at risk.
This is one reason why it's very important that we remember to patch all
of our applications, and not just think about patching Windows,
or our browsers,
but also helper applications like Acrobat, and iTunes, and WinZip,
and other things
that can be a gateway into your network for your users to be tricked.
It's unlikely we are going to start blocking PDF files at our email or web gateways.
That web filtering scans for malware specifically is essential to protecting
your PCs against these threats.
Another way
is staying informed, and we can help with that.
Check out the related resources we provided on this topic,
or sign up for a live "Anatomy of an Attack" event in a community near you.
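The revocation check walked through in the demo (matching the signing certificate's serial number against the issuer's CRL, then comparing the revocation date with when the file was signed) as an added Go example; this is not SophosLabs' or Adobe's code. It builds a constructed CA and CRL with the Go standard library (Go 1.19 or later, for x509.ParseRevocationList and RevocationList.CheckSignatureFrom), so the issuer, serial numbers and dates are all made up; the real certificate and serial from the video are not on the page. It also refuses a CRL that the trusted issuer did not sign, a check a practitioner would want before trusting any downloaded list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// RevocationStatus is the result of checking one signing certificate's
// serial number against a CRL.
type RevocationStatus struct {
	Revoked      bool      // serial appears in the CRL
	RevokedAt    time.Time // revocationDate recorded in the CRL entry
	SignedBefore bool      // the file's signing timestamp precedes RevokedAt
}

// parseSerial takes a serial as a certificate viewer shows it
// ("3a f1 00 ..." or "3a:f1:00:...") and returns it as a big.Int so it can
// be compared with the CRL entry, which is an ASN.1 INTEGER.
func parseSerial(shown string) (*big.Int, bool) {
	clean := strings.NewReplacer(" ", "", ":", "").Replace(shown)
	return new(big.Int).SetString(clean, 16)
}

// makeIssuer builds a constructed, self-signed CA standing in for the real
// issuer. CRL signing needs the crlSign key usage and a SubjectKeyId.
func makeIssuer() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Code Signing CA (constructed)"},
		NotBefore:             time.Date(2008, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2013, 1, 1, 0, 0, 0, 0, time.UTC),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		SubjectKeyId:          []byte{0xde, 0xad, 0xbe, 0xef}, // constructed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// makeCRL signs a CRL from the constructed CA listing the given entries.
func makeCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, entries []pkix.RevokedCertificate) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Date(2010, 9, 1, 0, 0, 0, 0, time.UTC),
		NextUpdate:          time.Date(2010, 9, 15, 0, 0, 0, 0, time.UTC),
		RevokedCertificates: entries,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

// checkRevocation parses the CRL, rejects it unless the trusted issuer signed
// it, then matches the serial and compares the CRL's revocation date with the
// time the file was signed (its timestamp countersignature).
func checkRevocation(crlDER []byte, issuer *x509.Certificate, serial *big.Int, signedAt time.Time) (RevocationStatus, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return RevocationStatus{}, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return RevocationStatus{}, fmt.Errorf("untrusted CRL: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return RevocationStatus{Revoked: true, RevokedAt: rc.RevocationTime,
				SignedBefore: signedAt.Before(rc.RevocationTime)}, nil
		}
	}
	return RevocationStatus{}, nil // serial not listed
}

// Demo checks the same revoked serial for a file signed one month before the
// revocation date and for one signed the day after it.
func Demo() (before, after RevocationStatus, err error) {
	issuer, key, err := makeIssuer()
	if err != nil {
		return
	}
	stolen, _ := parseSerial("0a:1b:2c:3d:4e:5f") // constructed serial
	revokedAt := time.Date(2010, 8, 31, 12, 0, 0, 0, time.UTC)
	crl, err := makeCRL(issuer, key, []pkix.RevokedCertificate{{SerialNumber: stolen, RevocationTime: revokedAt}})
	if err != nil {
		return
	}
	if before, err = checkRevocation(crl, issuer, stolen, revokedAt.AddDate(0, -1, 0)); err != nil {
		return
	}
	after, err = checkRevocation(crl, issuer, stolen, revokedAt.AddDate(0, 0, 1))
	return
}

func main() {
	before, after, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("signed before revocation: %+v\nsigned after revocation:  %+v\n", before, after)
}
```

The SignedBefore flag is the condition the demo describes: a file whose signing time precedes the revocation date still carries a signature that was valid when it was made, so a defender should treat "revoked" as a reason to distrust such files rather than assume the platform will reject them.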