[sklyarov-chicago] Fw: Adobe PDF files can be used as virus carriers

Michael J. Cannon mcannon@ubiquicomm.com
Tue, 7 Aug 2001 14:42:22 -0500


Just a little ditty from the aris security lists.  Interesting take on the
DMCA, and the ability to embed VBScript in .pdf files.  Be aware that this
has not been confirmed yet.

You might want to forward to other interested lists.  I'm handling the
[freesklyarov.org] with this FWD.

Michael J. Cannon
mailto:mcannon@ubiquicomm.com
++++++++++++++++++++++++++++++++++++++++
Got Patch?  Get it!  STOP Code Red!
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codeptch.asp
+++++++++++++++++++++++++++++++++++++++++++++++++++
Free Dmitry Sklyarov!  If only outlaws can hack and
publish, then we will NEVER catch all the outlaws!
http://www.freesklyarov.org
+++++++++++++++++++++++++++++++++++++++++++++++++++
----- Original Message -----
From: "Richard M. Smith" <rms@privacyfoundation.org>
To: <bugtraq@securityfocus.com>
Sent: Tuesday, August 07, 2001 10:44 AM
Subject: Adobe PDF files can be used as virus carriers


> Hello,
>
> This is an interesting development.  Zulu, a virus writer from South
> America, appears to have discovered that Adobe PDF files can be used to
> carry computer viruses.  The attached description gives the details.
> His little trick uses a PDF file to bypass the new security feature of
> Outlook which automatically deletes dangerous file attachments.  With
> this security feature, all VBScript attachments are deleted because they
> might be computer viruses.  However with Zulu's trick, a malicious
> VBScript file can instead be hidden inside a PDF file which Outlook
> considers safe.
>
> I don't believe that the anti-security-research and reverse-engineering
> provisions of the DMCA apply here, but given Adobe's recent action
> against Dmitry Sklyarov, I recommend a bit of caution by anyone looking
> into this potential security problem in Adobe Acrobat Reader.  A
> conversation with a lawyer might be prudent.
>
> Another interesting question is if Adobe formatted eBooks can also act
> as computer virus carriers.
>
> Richard M. Smith
> CTO, Privacy Foundation
> http://www.privacyfoundation.org
>
> ====================================================================
>
> http://www.coderz.net/zulu/outlook.pdfworm.txt
>
> Virus Name: OUTLOOK.PDFWorm
> Author: Zulu
> Origin: Argentina
>
> VBScript worm. It uses OUTLOOK to send itself in a PDF (portable
> document format) file (first using this file type).
> When opened using Acrobat it will show an image with a minor game.
> Showing the solution to this game involves doing a double click on a
> file annotation, which after a warning will run a VBS, VBE or WSF file
> (depending on the worm version).
> The VBScript file will create and show a JPG file with the solution to
> the game and it will try to find the PDF file to spread it. This is
> necessary because when the link is used, Acrobat will create the VBS,
> VBE or WSF file in Windows' temporary directory and it will run this
> file, so this VBScript file doesn't know the path of the PDF file to
> spread.
> Then it will start the spreading code using a way of using OUTLOOK not
> seen before in any worm (spreading details can be found in the features
> section of this file).
> The password for changing the security options of the PDF file is
> "OUTLOOK.PDFWorm".
> This worm is designed to be a proof of concept; it has bad spreading
> capabilities, only the necessary to be called a worm. Also, because file
> annotations are only available in the full version of Acrobat, this worm
> will not run in Acrobat Reader.
>
> Features:
>
> - Uses the PDF extension, not seen before in any virus/worm.
> - OUTLOOK spreading using new code, not the classic Melissa's code and
>   its variations like the one from Freelink.
>   This new method will get addresses from the recipients of all emails
>   in any OUTLOOK folder and from all address book entries (but taking
>   the first three addresses of each contact, not just the first like
>   most OUTLOOK worms).
>   This new method is based on the possibility of reaching contacts from
>   OUTLOOK folders instead of using the objects designed to read address
>   books. So the code will look inside all OUTLOOK folders, and if the
>   items inside them are emails or contacts, it will get those addresses.
>   Subject, body and attachment name will be selected from some random
>   choices. Also, it will limit the amount of emails to 100.
>   It will be run only once in each computer since it uses the registry
>   to check if it was already run.
> - Good social engineering. I even think that this PDF file would be
>   manually sent by many of those users that are never tired of sending
>   stupid jokes. :)
> - To find the PDF file, if Word is installed it will use it to do the
>   search; if Word is not installed, it will search for the file using
>   VBScript code looking in many common paths and all subdirectories of
>   those paths. Both methods will look for PDF files with their size
>   similar to the original worm copy.
> - Uses script encoding (in versions 1.1 and 1.2).
> - The VBScript file shows a JPG file when run, so it will show what the
>   user expects.
>
> Background information:
>
> I was starting another project, much bigger and with good spreading
> capabilities. But that was very delayed because of time problems, so I
> decided to try with PDF files first and then continue with the other
> worm when I have time.
> I saw four possibilities:
>
> - Using JavaScript with the "mailMsg" method.
>   It would only work in the full version of Acrobat.
>   By using the "mailMsg" method (which uses MAPI) I could send an email
>   message when the document is opened (page open action).
>   But the problem was that I was not able to get email addresses to
>   send the message to.
> - Using the Acrobat menu.
>   It would only work in the full version of Acrobat.
>   I could use the "Send Mail..." menu option, calling it when the
>   document is opened (page open action). That would open a window from
>   the default email client with the attachment already added.
>   Here the problem was how to send the necessary keys to send the
>   message that was already opened in that window.
> - Using an open file action.
>   It would work in Acrobat and in Acrobat Reader. It displays a warning.
>   By creating an open file action when the document is opened I could
>   run any file with any code inside it.
>   But the problem was that I had no file to run. This method could work
>   for a trojan that runs "FORMAT.COM", but not for a worm.
> - Using a file annotation.
>   It would only work in the full version of Acrobat. It displays a
>   warning.
>   Creating a file annotation with my file embedded inside the PDF file I
>   could run my code. Acrobat would create the embedded file in the
>   temporary directory and it would run the file from there.
>   This has two problems. One was knowing the path of the PDF file; this
>   was solved by searching for the file on the hard disk, since looking at
>   the task name would only give the file name, not the full path. The
>   other problem is that it's not possible to open a file annotation
>   automatically when the PDF file is opened, since there is no action to
>   do that and it seems that there is no way of getting the file using
>   JavaScript code, so it was necessary that the user manually double
>   clicked the file annotation. This last problem was not solved.
>
>
>
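Added example, not part of the forwarded post and not Zulu's code: a small Python scanner for the PDF constructs the description above relies on, namely a FileAttachment annotation with an embedded file (the carrier), a Launch action (the "open file action"), an OpenAction, and JavaScript. It works as a regex pass over the raw bytes, which is how PDF 1.3-era files stored their object dictionaries, and it decodes #xx name escapes so an obfuscated /#53ubtype still matches. The two PDF samples inside it are constructed for the example and are not renderable files (no xref table); the indicator names, SCRIPT_EXT list and the needs_review rule are this example's own choices. Caveats a practitioner should keep in mind: when a PDF has security settings applied, as the worm's did, strings and streams are encrypted but dictionary names are not, so the /FileAttachment and /Launch names remain visible while the /F (name) file name does not; and later PDF versions can pack dictionaries into compressed object streams that a raw scan will not see.

```python
"""Heuristic scanner for the PDF constructs OUTLOOK.PDFWorm relies on.

Flags PDFs that carry a file attachment annotation / embedded file
(the worm's carrier), a Launch action (the "open file action"), an
OpenAction or JavaScript.  Regex over the raw bytes: it only sees
objects stored uncompressed in the file body.
"""
import os
import re

# PDF names may hide characters as #xx hex escapes (/#53ubtype == /Subtype),
# so escapes are decoded before matching.  Decoding is applied to the whole
# byte string for simplicity; inside stream data this can only cause extra
# (never missed) matches.
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Indicator names are this example's own labels (assumption).
INDICATORS = {
    "file_attachment_annot": re.compile(rb"/Subtype\s*/FileAttachment\b"),
    "embedded_file": re.compile(rb"/Type\s*/EmbeddedFile\b"),
    "embedded_files_tree": re.compile(rb"/EmbeddedFiles\b"),
    "launch_action": re.compile(rb"/S\s*/Launch\b"),
    "open_action": re.compile(rb"/OpenAction\b"),
    "javascript": re.compile(rb"/S\s*/JavaScript\b|/JS\b"),
}

# Literal-string file names as used in /Filespec and /Launch dictionaries
# (/F (name)).  Hex strings and escaped parentheses are not handled.
FILENAME = re.compile(rb"/F\s*\(([^)]*)\)")

# Extensions Windows Script Host or the shell executes directly (assumed list).
SCRIPT_EXT = {".vbs", ".vbe", ".wsf", ".js", ".jse", ".hta",
              ".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names match the plain patterns."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return which indicators occur and which file names are referenced."""
    data = normalize_names(data)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(data))
    filenames = []
    for m in FILENAME.finditer(data):
        name = m.group(1).decode("latin-1")
        if name not in filenames:          # keep first-seen order, no dupes
            filenames.append(name)
    scripts = [n for n in filenames
               if os.path.splitext(n)[1].lower() in SCRIPT_EXT]
    return {"indicators": hits, "filenames": filenames,
            "script_filenames": scripts}


def needs_review(report: dict) -> bool:
    """True when the PDF carries a file, can launch one, or names a script."""
    ind = set(report["indicators"])
    carrier = bool(ind & {"file_attachment_annot", "embedded_file",
                          "embedded_files_tree"})
    return carrier or "launch_action" in ind or bool(report["script_filenames"])


# Constructed sample (not a renderable PDF: no xref table) with the two
# constructs the post describes: a FileAttachment annotation carrying an
# embedded file, and an OpenAction that is a Launch action.
SAMPLE_PDF = b"""%PDF-1.3
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /FileAttachment /Rect [10 10 30 30]
  /FS << /Type /Filespec /F (solution.vbs) /EF << /F 5 0 R >> >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 5 >> stream
hello
endstream endobj
6 0 obj << /Type /Action /S /Launch /F (solution.vbs) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign sample: catalog and an empty page tree only.
BENIGN_PDF = b"""%PDF-1.3
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        report = scan_pdf(blob)
        print(label, "needs review" if needs_review(report) else "clean", report)
```

On the constructed sample the scan reports the FileAttachment annotation, the EmbeddedFile stream, the OpenAction and the Launch action, and lists solution.vbs as a script-type file name; the benign sample reports nothing. Treat the result as a triage signal, not a verdict: legitimate PDFs do carry attachments, so the value is in surfacing files that combine a carrier with a launch path or a script extension.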