PaulDotCom mailing list archives
Re: How merge a backdoor in PDF file?
From: Todd Haverkos <infosec () haverkos com>
Date: Mon, 12 Sep 2011 14:57:42 -0500
Mohsen Mostafa Jokar <mohsenjokar () gmail com> writes:
> Hello All.
I'm sure there are folks on this list who've forgotten more about file format vulns than I know, but hopefully this overview is useful to you Mohsen. These are good questions and the more people who know the answers, the better off we'll be!
> How does a hacker merge a backdoor into a PDF file?
In concert with a relevant bug that allows for code execution in the PDF reader they're targeting, if the PDF gets opened by a vulnerable reader program, the attacker can generally run whatever code they want (including a back door). The link provided by another poster looked to have a very relevant title on these topics and how easily exploits and backdoor payloads can be put together inside an arbitrary PDF with a framework like Metasploit, Canvas, Core Impact, or the like. The Metasploit framework is a fairly convenient, mind-bogglingly flexible and free way for attackers (both white hat and black hat) to do that, right along with the relevant code exec exploits. The exploits that are part of Metasploit are generally ones for which the vendor has fixed the vulnerability, but that's not to say there are a large number of vulnerable instances of Acrobat Reader still installed on lots of computers in the world. It's also not uncommon for a vendor to fail to take a reported bug seriously enough to fix it until a Metasploit module for the issue becomes available.
> And how to detect it?
That's not necessarily an easy thing to do. Antivirus evasion is not hard -- in fact, crimeware that's available for purchase is reported to have better support than most antivirus vendors have, and -- should a given piece of crimeware get detected -- the authors will cheerfully spin you a new version that they guarantee won't be detected. So in general, AV won't save you from infection, and at best, they _might_ detect something weeks later when and if the vendor gets a sample of the malware for analysis and writes a signature for it. There are an increasing number of various expensive defensive security tools devoted to this notion of "post-exploit detection", where the limits of preventive measures like anti-virus are acknowledged and the focus shifts instead to detecting malware-like behavior, callbacks and persistence. Here, things like Damballa, Netwitness and FireEye are attempting to answer this "how to detect it" question better than mainstream endpoint tools can today. Indicators of compromise -- such as DNS queries to known malware-associated domains or botnet command and control -- are among the things these tools look at to detect compromised hosts.
> Can a hacker put a virus in another file like jpg or...?
Yes. Just about any file format has been leveraged at some point. .zip, .doc, .ppt, .vsd, .png, .gif ... Attackers and researchers will generally fuzz (i.e. throw random input at all available aspects of a file format) a target program (such as Adobe Reader, Adobe Flash Player, Java itself, QuickTime, Microsoft Office components) that parses those files looking for crash bugs, triage those and attempt to divine if the crash bug is exploitable for code execution, and iterate from there. In fact, on Tuesday, we'll see details of various Microsoft Office security issues, Adobe has promised fixes for Acrobat and Reader issues, and Apple has updated QuickTime to fix some of these problems for some files it handles. And that's just in the past month. Google [fileformat] vulnerability CVE and you'll find a great deal of information. Or browse how many exploit modules are available and their titles for a feel for how many exploitable file format vulns are out there: http://www.metasploit.com/modules/ The takeaway here would be to not think of any file format as intrinsically safe.

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
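The "how to detect it" answer above comes down to looking for indicators of compromise, such as DNS queries for known malware-associated or botnet C2 domains, rather than waiting for an AV signature. Here is an added example of that kind of check, not part of the original post or of any of the products named in it: a small Python scanner that runs resolver log lines against an IOC domain list and reports which client hosts queried a listed domain or any subdomain of one. The log lines, the IOC domains and the four-field log layout are all constructed for the demo; a real deployment would feed it a DNS RPZ export or a vendor IOC feed and the resolver's actual log format.

```python
"""
Flag hosts whose DNS queries hit known-bad domains.

Added example, not code from the mailing-list post. The IOC list, the
log lines and the "<timestamp> <client_ip> <qname> <qtype>" layout are
constructed for this demo.
"""
from collections import defaultdict

# Constructed IOC list: domains associated with malware / botnet C2.
# A hit is the name itself or any subdomain beneath it.
IOC_DOMAINS = {
    "evil-c2.example",
    "update-check.example.net",
}

# Constructed resolver log: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2011-09-12T14:01:05Z 10.0.0.21 www.pauldotcom.com A
2011-09-12T14:01:09Z 10.0.0.21 beacon.evil-c2.example A
2011-09-12T14:02:33Z 10.0.0.42 mail.example.org MX
2011-09-12T14:03:10Z 10.0.0.21 EVIL-C2.EXAMPLE. TXT
2011-09-12T14:03:11Z 10.0.0.77 notevil-c2.example A
2011-09-12T14:05:00Z 10.0.0.42 update-check.example.net A
"""


def normalize(qname: str) -> str:
    """Lower-case and drop the trailing root dot: 'EVIL-C2.EXAMPLE.' -> 'evil-c2.example'."""
    return qname.rstrip(".").lower()


def matching_ioc(qname: str, iocs=IOC_DOMAINS):
    """Return the IOC that qname equals or sits beneath, else None.

    The match is on a label boundary, so 'notevil-c2.example' does NOT
    match 'evil-c2.example' (a plain substring check would false-positive).
    """
    name = normalize(qname)
    for ioc in iocs:
        ioc_n = normalize(ioc)
        if name == ioc_n or name.endswith("." + ioc_n):
            return ioc_n
    return None


def parse_line(line: str):
    """Split one log line into a record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype}


def find_compromised_hosts(log_text: str, iocs=IOC_DOMAINS):
    """Map client IP -> list of (timestamp, queried name, matched IOC)."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ioc = matching_ioc(rec["qname"], iocs)
        if ioc:
            hits[rec["client"]].append((rec["ts"], rec["qname"], ioc))
    return dict(hits)


if __name__ == "__main__":
    for host, events in sorted(find_compromised_hosts(SAMPLE_LOG).items()):
        print(host)
        for ts, qname, ioc in events:
            print(f"  {ts} {qname} -> {ioc}")
```

Two details matter in practice: names are normalized (case and trailing dot) before comparison, because resolvers log them inconsistently, and the suffix match is anchored at a label boundary so a lookalike like notevil-c2.example is not reported. On the constructed log, hosts 10.0.0.21 and 10.0.0.42 are flagged and 10.0.0.77 is not.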
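The last answer describes the loop behind most file-format bugs: mutate a valid file, feed it to the parser, collect crashes, triage them. As an added illustration (not from the original post, and not how any of the named products or Metasploit work internally), the Python below runs that loop against a deliberately small, deliberately buggy in-process parser written for the demo. The toy format, its trusted length field and the seed file are all constructed; a real campaign points the same mutate/run/triage loop at an external program such as a PDF reader through files on disk and a debugger.

```python
"""
Mutation fuzzer skeleton: mutate a seed file, run the target, bucket crashes.

Added example, not code from the mailing-list post. parse_record() is a
constructed toy target with a planted bug; the format, the seed and the
mutation operators are assumptions for the demo.
"""
import random
import struct

# --- Toy target -----------------------------------------------------------
# Constructed format: 4-byte magic "TOYF", 2-byte little-endian length,
# then `length` payload bytes.  The planted bug: the length field is trusted.


def parse_record(data: bytes) -> bytes:
    if len(data) < 6:
        raise ValueError("truncated header")      # clean rejection, not a bug
    if data[:4] != b"TOYF":
        raise ValueError("bad magic")             # clean rejection, not a bug
    (length,) = struct.unpack_from("<H", data, 4)
    # Trusted length drives the copy loop: an oversized value reads past the
    # end of the buffer (IndexError here; a wild out-of-bounds read in C).
    return bytes(data[6 + i] for i in range(length))


# --- Fuzzer ---------------------------------------------------------------
SEED = b"TOYF" + struct.pack("<H", 5) + b"hello"   # a valid constructed file


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random byte-level mutation: bit flip, byte set, insert, delete."""
    buf = bytearray(data)
    op = rng.choice(("flip", "byte", "insert", "delete"))
    if op == "flip" and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == "byte" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1):
    """Run `iterations` mutated inputs through `target`.

    Returns crashes bucketed by (exception type, message prefix) -> the
    first input that reproduced that bucket.  ValueError is treated as the
    parser rejecting bad input cleanly; anything else is a crash worth
    triaging for exploitability.
    """
    rng = random.Random(rng_seed)          # fixed seed: reproducible runs
    crashes = {}
    for _ in range(iterations):
        case = seed
        for _ in range(rng.randint(1, 4)):   # stack a few mutations
            case = mutate(case, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:            # noqa: BLE001 - fuzzers catch everything
            key = (type(exc).__name__, str(exc)[:40])
            crashes.setdefault(key, case)
    return crashes


def crash_types(crashes) -> set:
    """Distinct exception types seen, for a quick triage summary."""
    return {name for name, _ in crashes}


if __name__ == "__main__":
    found = fuzz(parse_record, SEED)
    for (name, msg), case in found.items():
        print(f"{name}: {msg!r}  repro={case.hex()}")
```

The bucketing by exception type and message is the crude version of what a real triage step does with a debugger's crash signature (faulting address, stack hash): it collapses thousands of inputs into a handful of distinct bugs, and keeps one reproducing file per bucket for the "is this exploitable?" analysis the answer describes. Against the toy target the IndexError bucket is the planted length-field bug; bit flips in the magic just produce clean rejections and are ignored.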
Current thread:
- How merge a backdoor in PDF file? Mohsen Mostafa Jokar (Sep 08)
- Re: How merge a backdoor in PDF file? xgermx (Sep 08)
- Re: How merge a backdoor in PDF file? Todd Haverkos (Sep 12)