COMMAND

    PDF files

SYSTEMS AFFECTED

    PDF files

PROBLEM

    Zulu,  a  virus  writer  from  South  America,  appears  to   have
    discovered that  Adobe PDF  files can  be used  to carry  computer
    viruses.  The attached description gives the details.  His  little
    trick  uses  a  PDF  file  to  bypass  the new security feature of
    Outlook which  automatically deletes  dangerous file  attachments.
    With this security feature,  all VBScript attachments are  deleted
    because  they  might  be  computer  viruses.   However with Zulu's
    trick, a malicious  VBScript file can  instead be hidden  inside a
    PDF file which Outlook considers safe.

    We don't believe that the anti-security-research and reverse
    engineering provisions of the DMCA apply here, but given Adobe's
    recent action against Dmitry Sklyarov, we recommend a bit of
    caution by anyone looking into this potential security problem in
    Adobe Acrobat Reader.  A conversation with a lawyer might be
    prudent.  Another interesting question is whether Adobe-formatted
    eBooks can also act as computer virus carriers.

    VBScript worm.  It uses OUTLOOK to send itself in a PDF (portable
    document format) file (the first worm to use this file type).  When
    opened using Acrobat it will show an image with a minor game.
    Showing the solution to this game involves double clicking a file
    annotation, which after a warning will run a VBS, VBE or WSF file
    (depending on the worm version).  The VBScript file will create
    and show a JPG file with the solution to the game and it will try
    to find the PDF file in order to spread it.  This is necessary
    because when the link is used, Acrobat will create the VBS, VBE or
    WSF file in Windows' temporary directory and run it from there, so
    the VBScript file doesn't know the path of the PDF file it has to
    spread.  Then it will start the spreading code, using a way of
    driving OUTLOOK not seen before in any worm (spreading details can
    be found in the features section of this file).

    The password for changing the security options of the PDF file is
    "OUTLOOK.PDFWorm".  This worm is designed to be a proof of concept;
    it has poor spreading capabilities, only the minimum necessary to
    be called a worm.  Also, because file annotations are only
    available in the full version of Acrobat, this worm will not run
    in Acrobat Reader.

    Features:
    - Uses the PDF extension, not seen before in any virus/worm.
    - OUTLOOK spreading using new code, not the classic Melissa code
      and its variations like the one from Freelink.  This new method
      gets addresses from the recipients of all emails in any OUTLOOK
      folder and from all address book entries (taking the first three
      addresses of each contact, not just the first like most OUTLOOK
      worms).  This new method is based on the possibility of reaching
      contacts from OUTLOOK folders instead of using the objects
      designed to read address books.  So the code will look inside
      all OUTLOOK folders, and if the items inside them are emails or
      contacts, it will get those addresses.  Subject, body and
      attachment name will be selected from some random choices.
      Also, it will limit the amount of emails to 100.  It will be run
      only once on each computer since it uses the registry to check
      if it was already run.
    - Good social engineering.  We even think that this PDF file would
      be manually sent by many of those users that are never tired of
      sending stupid jokes.
    - To find the PDF file, if Word is installed it will use it to do
      the search; if Word is not installed, it will search for the
      file using VBScript code looking in many common paths and all
      subdirectories of those paths.  Both methods will look for PDF
      files with a size similar to the original worm copy.
    - Uses script encoding (in version 1.1 and 1.2).
    - The VBScript  file shows a  JPG file when  run, so it  will show
      what the user expects.

    Zulu was starting another project, much bigger and with good
    spreading capabilities.  But that was badly delayed for lack of
    time, so he decided to try with PDF files first and then continue
    with the other worm when he has time.  He saw four possibilities:

    - Using JavaScript with the "mailMsg" method.
      It would only work in the full version of Acrobat.  By using
      the "mailMsg" method (which uses MAPI) he could send an email
      message when the document is opened (page open action).  But
      the problem was that he was not able to get email addresses to
      send the message to.

    - Using the Acrobat menu.
      It would only work in the full version of Acrobat.  He could
      use the "Send Mail..." menu option, calling it when the document
      is opened (page open action).  That would open a window from the
      default email client with the attachment already added.  Here
      the problem was how to send the keystrokes necessary to send
      the message that was already opened in that window.

    - Using open file action.
      It would work in Acrobat and  in Acrobat Reader.  It displays  a
      warning.  By creating an  open file action when the  document is
      opened he could run any file  with any code inside it.   But the
      problem was that he had no file to run.  This method could  work
      for a trojan that runs "FORMAT.COM", but not for a worm.

    - Using a file annotation.
      It would only work in the full version of Acrobat.  It displays
      a warning.  By creating a file annotation with his file embedded
      inside the PDF file he could run his code.  Acrobat would create
      the embedded file in the temporary directory and run it from
      there.

      This has two problems.  One was knowing the path of the PDF
      file; this was solved by searching for the file on the hard
      disk, since looking at the task name would only give the file
      name, not the full path.  The other problem is that it's not
      possible to open a file annotation automatically when the PDF
      file is opened, since there is no action to do that and it seems
      that there is no way of getting at the file using JavaScript
      code, so it was necessary that the user manually double clicked
      the file annotation.  This last problem was not solved.

SOLUTION

    This should not be that surprising - the recent joint announcement
    by NAI/McAfee and Adobe that the former was researching the
    ability to scan PDF files should have raised a few people's
    suspicions...  It turns out that Adobe has decided that PDF files
    should not just be "document files" (i.e. "data") but should be
    able to support embedding of other types of file objects.  We
    believe the mechanism Adobe chose to support this is OLE, thus
    turning PDF files into something loosely akin to Windows Shell
    Scrap (SHS) files.

    Not only does the current rev of the Outlook Security Update
    consider PDF files "safe" but most users will too, as historically
    PDF files have been "pure document files".  It is interesting that
    Adobe has apparently not learnt anything from the history of such
    developments -- the least it could have done, were it a security
    sensitive developer with the faintest glimmer of understanding of
    the history of such things, would have been to make the reader
    software require different formats for (potentially dangerous)
    "documents" (those that contain embedded objects) and the pure
    ("old") PDF format.  This way content management is made much
    easier and intelligent users would simply block the "new" format
    so as to not have to worry about the increased risk associated
    with it.
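    As an added example (not from this advisory and not the worm
    author's code), the triage check a mail gateway could apply to get
    the "pure document" versus "document with embedded objects" split
    this paragraph asks for: a PDF with no embedded file objects passes
    as plain, one whose file annotation carries a VBS, VBE or WSF name
    (the structure described in the PROBLEM section) is blocked, and
    any other embedded object is held for review.  The sample PDF
    fragment is constructed, and the scan covers uncompressed objects
    only.

```python
import re

# Script extensions the advisory names; Outlook's security update strips
# these as direct attachments but not when they ride inside a PDF.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".wsf"}

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
FILESPEC_RE = re.compile(rb"/Type\s*/Filespec")
ANNOT_RE = re.compile(rb"/Subtype\s*/FileAttachment")
# /F (name) or /UF (name) inside a file specification ("/F 6 0 R" is a ref, not a name)
NAME_RE = re.compile(rb"/(?:UF|F)\s*\((?P<name>(?:\\.|[^\\)])*)\)")

def _unescape(raw: bytes) -> bytes:
    # Only the string escapes a file name realistically carries: \( \) and \\
    return re.sub(rb"\\([()\\])", rb"\1", raw)

def find_embedded_files(pdf: bytes) -> list:
    # Scans uncompressed objects only; dictionaries packed into compressed
    # object streams must be inflated before this check is meaningful.
    findings = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        if not (FILESPEC_RE.search(body) or ANNOT_RE.search(body)):
            continue
        for n in NAME_RE.finditer(body):
            name = _unescape(n.group("name")).decode("latin-1")
            ext = name[name.rfind("."):].lower() if "." in name else ""
            findings.append({"obj": num, "name": name, "ext": ext,
                             "script": ext in SCRIPT_EXTENSIONS})
    return findings

def classify(pdf: bytes) -> str:
    # 'plain': no embedded objects; 'block': embedded script; 'review': other embeds
    files = find_embedded_files(pdf)
    if not files and not re.search(rb"/EmbeddedFile\b", pdf):
        return "plain"
    if any(f["script"] for f in files):
        return "block"
    return "review"

# Constructed sample (a fragment, not a complete PDF) mirroring the worm's
# layout: FileAttachment annotation -> Filespec -> embedded VBScript stream.
SAMPLE_WORM_PDF = (
    b"%PDF-1.4\n4 0 obj\n<< /Type /Annot /Subtype /FileAttachment /Rect [100 100 120 120]\n"
    b"   /Contents (Double click for the solution) /FS 5 0 R >>\nendobj\n"
    b"5 0 obj\n<< /Type /Filespec /F (solution.vbs) /EF << /F 6 0 R >> >>\nendobj\n"
    b"6 0 obj\n<< /Type /EmbeddedFile /Length 10 >>\nstream\nMsgBox \"x\"\nendstream\nendobj\n"
)
SAMPLE_PLAIN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
```

    Real mail filters would also have to inflate object streams and
    handle hex-encoded names before trusting a "plain" verdict.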

    And, of course, therein lies the reason Adobe would not do this --
    why add a threat-increasing option to your product if you then
    make it entirely optional whether the threat could be leveraged?
    It is an interesting reflection on the thinking of Adobe that it
    approached antivirus developers to have them add handling of
    their new file formats rather than attempt to ameliorate the
    threat escalation they were deliberately, and clearly (from that
    very action) knowingly, introducing with this change...

    Is encryption really the problem as far as viruses are  concerned?
    Decryption requires  manual intervention  by the  user, and  after
    that the problem is the same as before: applications that  execute
    stuff automatically by default, or make it easy to circumvent  any
    safeguards  the  user  may  have  set.   The  new threat is that a
    hitherto unused file format is now used as a vector.  Big deal.