Fake AV c/o PDF and Java exploits

We see fake AV malware being distributed in a variety of ways, including SEO abuse [2], compromised web sites [4, 5]. In this post I will highlight an attack that is currently active involving malicious PDF and Java content, attempting to exploit client side vulnerabilities.

Web pages containing malicious applet and JavaScript contents are being used to initiate the attack (blocked as JS/PDFLd-D by Sophos products). The JavaScript typically enumerates the browser plug-ins to confirm Adobe Acrobat/Reader is installed. If it is, then a malicious PDF is dynamically loaded. These PDFs are being pro-actively blocked as Troj/PDFJs-GA by Sophos products.

The PDF contains JavaScript (heavily obfuscated) which attempts to exploit several Adobe vulnerabilities:

• collectEmailInfo: CVE-2007-5659
• util.printf: CVE-2008-2992
• getIcon: CVE-2009-0927
• util.printd: CVE-2009-4324

The applet is used to load a JAR file (blocked as Troj/Java-B) which contains malicious class files that attempt to exploit an old privilege escalation vulnerability in the handling ZoneInfo objects during deserialization (CVE-2008-5353).

If either the PDF or Java exploit is successful, the payload is downloaded from the same site and run. This component is an installer/downloader for Internet Security 2010, and is detected as Mal/EncPk-NI. When the installer is run, it performs a series of actions:

• copies itself to %sysdir%\smss32.exe and %sysdir%\winlogon32.exe
• adds Registry keys to hook system startup
• drops %sysdir%\warning.html (pro-actively detected as Mal/FakeAvHm-A), and configures the desktop to load it as an ActiveDesktop background



• adds sites to Internet Explorer’s trusted site list (these sites have all been blacklisted for Sophos web appliance customers for several days now)



• downloads and runs Internet Security 2010 (blocked as Mal/FakeAV-BW) from a remote site

You could say such actions are suspicious! Indeed various runtime protection rules are triggered:

• HIPS/FileMod-001
• HIPS/FileMod-004
• HIPS/FileMod-006
• HIPS/IPConnect-001
• HIPS/ProcMod-002
• HIPS/ProcMod-004
• HIPS/ProcMod-007
• HIPS/RegMod-001
• HIPS/RegMod-002
• HIPS/RegMod-009
• HIPS/RegMod-014

This attack provides a good example of how all the modern security technologies fit together. It is the combination of technologies such as URL filtering, patch management, pro-active detections and runtime protection rules that help to thwart such attacks.