COMMAND
PDF files
SYSTEMS AFFECTED
PDF files
PROBLEM
Zulu, a virus writer from South America, appears to have
discovered that Adobe PDF files can be used to carry computer
viruses. The attached description gives the details. His little
trick uses a PDF file to bypass the new security feature of
Outlook which automatically deletes dangerous file attachments.
With this security feature, all VBScript attachments are deleted
because they might be computer viruses. However with Zulu's
trick, a malicious VBScript file can instead be hidden inside a
PDF file which Outlook considers safe.
We don't believe that the anti-security-research and reverse-
engineering provisions of the DMCA apply here, but given Adobe's
recent action against Dmitry Sklyarov, we recommend a bit of
caution by anyone looking into this potential security problem in
Adobe Acrobat Reader. A conversation with a lawyer might be
prudent. Another interesting question is whether Adobe-formatted
eBooks can also act as computer virus carriers.
VBScript worm. It uses OUTLOOK to send itself in a PDF (portable
document format) file (first using this file type). When opened
using Acrobat it will show an image with a minor game. Showing
the solution to this game involves doing a double click to a file
annotation, which after a warning will run a VBS, VBE or WSF file
(depending on the worm version). The VBScript file will create
and show a JPG file with the solution to the game and it will try
to find the PDF file to spread it. This is necessary because
when the link is used, Acrobat will create the VBS, VBE or WSF
file in Windows' temporary directory and it will run this file,
so this VBScript file doesn't know the path of the PDF file to
spread. Then it will start the spreading code using a way of
using OUTLOOK not seen before in any worm (spreading details can
be found in the features section of this file).
The password for changing the security options of the PDF file is
"OUTLOOK.PDFWorm". This worm is designed to be a proof of
concept; it has bad spreading capabilities, only what is necessary
to be called a worm. Also, because file annotations are only
available in the full version of Acrobat, this worm will not run
in Acrobat Reader.
Features:
- Uses the PDF extension, not seen before in any virus/worm.
- OUTLOOK spreading using new code, not the classic Melissa
  code and its variations like the one from Freelink. This new
  method will get addresses from the recipients of all emails in
  any OUTLOOK folder and from all address book entries (but
  taking the first three addresses of each contact, not just the
  first like most OUTLOOK worms). This new method is based on
  the possibility of reaching contacts from OUTLOOK folders
  instead of using the objects designed to read address books.
  So the code will look inside all OUTLOOK folders, and if the
  items inside them are emails or contacts, it will get those
  addresses. Subject, body and attachment name will be selected
  from some random choices. Also, it will limit the number of
  emails to 100. It will be run only once on each computer since
  it uses the registry to check if it was already run.
- Good social engineering. We even think that this PDF file would
be manually sent by many of those users that are never tired of
sending stupid jokes.
- To find the PDF file, if Word is installed it will use it to do
  the search; if Word is not installed, it will search for the
file using VBScript code looking in many common paths and all
subdirectories of those paths. Both methods will look for PDF
files with their size similar to the original worm copy.
- Uses script encoding (in version 1.1 and 1.2).
- The VBScript file shows a JPG file when run, so it will show
what the user expects.
Zulu was starting another project, much bigger and with good
spreading capabilities. But that was very delayed because of
time problems, so he decided to try with PDF files first and then
continue with the other worm when he has time. He saw four
possibilities:
- Using JavaScript with "mailMsg" method.
It would only work in the full version of Acrobat. By using
the "mailMsg" method (which uses MAPI) I could send an email
message when the document is opened (page open action). But
the problem was that he was not able to get email addresses
to send the message to.
- Using the Acrobat menu.
It would only work in the full version of Acrobat. He could
use the "Send Mail..." menu option, calling it when the document
is opened (page open action). That would open a window from the
default email client with the attachment already added. Here
the problem was how to send the necessary keys to send the
message that was already opened in that window.
- Using open file action.
It would work in Acrobat and in Acrobat Reader. It displays a
warning. By creating an open file action when the document is
opened he could run any file with any code inside it. But the
problem was that he had no file to run. This method could work
for a trojan that runs "FORMAT.COM", but not for a worm.
- Using a file annotation.
It would only work in the full version of Acrobat. It displays
a warning. Creating a file annotation with my file embedded
inside the PDF file he could run his code. Acrobat would create
the embedded file in the temporary directory and it would run
the file from there.
This has two problems. One was knowing the path of the PDF
file; this was solved by searching for the file on the hard disk,
since looking in the task name would only give the file name,
not the full path. The other problem is that it's not possible
to open a file annotation automatically when the PDF file is
opened since there is no action to do that and it seems that
there is no way of getting the file using JavaScript code, so
it was necessary that the user manually double clicked the file
annotation. This last problem was not solved.
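As an added defender-side example (not part of the original advisory or of Zulu's description), the following Python scanner flags the PDF constructs the description above relies on: file annotations, embedded file streams, and open or launch actions. It also inflates Flate-compressed streams, since those names can sit inside compressed object streams; the sample documents it builds are constructed for the test and are not worm samples.

```python
import re
import zlib

# PDF name objects that mark the mechanisms described above: file annotations,
# embedded files and actions run on open. Hits are a triage indicator, not proof.
SUSPICIOUS_KEYS = {
    b"/FileAttachment": "file annotation (opens an embedded file on double-click)",
    b"/EmbeddedFile": "embedded file stream",
    b"/Launch": "launch action (runs an external file or program)",
    b"/OpenAction": "action run automatically when the document is opened",
    b"/JavaScript": "JavaScript action",
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)

def _inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every Flate-compressed stream to the raw
    bytes, so names tucked inside compressed object streams are scanned too."""
    inflated = []
    for m in STREAM_RE.finditer(data):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (or damaged); the raw bytes are scanned anyway
    return b"\n".join([data] + inflated)

def scan_pdf(data: bytes) -> dict:
    """Return {name: occurrences} for each suspicious name found in the PDF."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("missing %PDF header")
    haystack = _inflate_streams(data)
    hits = {}
    for key in SUSPICIOUS_KEYS:
        # A name ends at a delimiter; the lookahead keeps /Launch from matching /Launcher.
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z0-9])", haystack))
        if n:
            hits[key.decode()] = n
    return hits

def build_sample(compressed: bool) -> bytes:
    """Constructed test document (not a worm sample): a catalog with an open
    action plus a file annotation, in the clear or inside a Flate object stream."""
    annot = b"<< /Type /Annot /Subtype /FileAttachment /FS << /F (solution.vbs) >> >>"
    if compressed:
        obj = (b"4 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
               + zlib.compress(annot) + b"\nendstream\nendobj\n")
    else:
        obj = b"4 0 obj\n" + annot + b"\nendobj\n"
    return (b"%PDF-1.3\n1 0 obj\n<< /Type /Catalog /OpenAction 5 0 R >>\nendobj\n"
            + obj + b"%%EOF\n")
```

A hit on /FileAttachment or /Launch in mail-borne PDFs is a reasonable gating rule for a content filter that otherwise treats the extension as safe.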
SOLUTION
This should not be that surprising - the recent joint announcement
by NAI/McAfee and Adobe that the former was researching the
ability to scan PDF files should have raised a few people's
suspicions... It turns out that Adobe has decided that PDF files
should not just be "document files" (i.e. "data") but should be
able to support embedding of other types of file objects. We
believe the mechanism Adobe chose to support this is OLE, thus
turning PDF files into something loosely akin to Windows Shell
Scrap (SHS) files.
Not only does the current rev of the Outlook Security Update
consider PDF files "safe" but most users will too, as historically
PDF files have been "pure document files". It is interesting that
Adobe has apparently not learnt anything from the history of such
developments -- the least it could have done were it a security
sensitive developer with the faintest glimmer of understanding of
the history of such things would have been to make the reader
software require different formats for (potentially dangerous)
"documents" (those that contain embedded objects) and the pure
("old") PDF format. This way content management is made much
easier and intelligent users would simply block the "new" format
so as to not have to worry about the increased risk associated
with it.
And, of course, therein the reason Adobe would not do this -- why
add a threat-increasing option to your product if you then make it
entirely optional whether the threat could be leveraged?? It is
an interesting reflection on the thinking of Adobe that it
approached antivirus developers to have them add handling of
their new file formats rather than attempt to ameliorate the
threat escalation they were deliberately, and clearly (from that
very action) knowingly, introducing with this change...
Is encryption really the problem as far as viruses are concerned?
Decryption requires manual intervention by the user, and after
that the problem is the same as before: applications that execute
stuff automatically by default, or make it easy to circumvent any
safeguards the user may have set. The new threat is that a
hitherto unused file format is now used as a vector. Big deal.