Monday, July 19, 2010

Rerunning samples

We'll be rerunning our entire sample database over the next few days to collect more information on embedded EXEs for an upcoming enhancement to the search page. There may be some extra-long processing times for new samples (don't worry, we'll still prioritize new samples over old ones), and some existing samples will temporarily show as queued/running.

Behind the scenes we've developed 6 different cryptanalysis techniques for detecting embedded executables, and we'll be testing all of them to determine the most effective and efficient one(s). You may have noticed some clean samples taking a while to run: we've been sequentially and exhaustively searching with the various techniques to locate embedded executables, a key indicator of a malicious document.

Worst Social Engineering Ever

From a recent submission via the email intake - hereyougo at vicheck.ca:

With a subject line announcing an invitation to a Tibetan event, invitation.rar (3026984137716828cf8f55b10bb0069) contained the aptly named "exploit.pdf", a filename that certainly inspires confidence in opening the attachment:

exploit.pdf:
EXECUTABLE SCAN: PDF Exploit Embedded Flash may be CVE-2010-1297 (genexploit/full)
REPORT: https://www.vicheck.ca/md5query.php?hash=ee81327f15db183f83815754fbfad5dd
Exploit method detected as genexploit - PDF Exploit Embedded Flash may be CVE-2010-1297.
Confidence ranking: 100 (11 hits).

The embedded EXE is encrypted with a 256-byte key as well as a simple replacement cipher.
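As an added illustration of what the cryptanalytic search for embedded executables mentioned in the "Rerunning samples" post involves, and of why a 256-byte XOR key like the one used in this sample is not much of an obstacle, the following Python is an example written for this page, not ViCheck.ca's code. It shows two of the techniques a document scanner can use: brute force over all 256 single-byte XOR keys, and per-position frequency analysis to recover a longer repeating key, relying on the fact that PE images contain so much zero padding that 0x00 is the most common plaintext byte at every key position. The PE-like image and the PDF-looking carrier are constructed stand-ins, not real files; the DOS stub string is the one found in almost every real PE.

```python
"""Cryptanalytic scan for an XOR-encrypted PE embedded in a document.

Constructed example (not ViCheck.ca's code). Two techniques are shown:
  1. brute force over all 256 single-byte XOR keys;
  2. frequency analysis to recover a longer repeating key (here 256 bytes),
     relying on PE images being padding-heavy so that 0x00 is the most
     common plaintext byte at every key position.
"""
import random
from collections import Counter

# Present in nearly every PE file, a few dozen bytes after the 'MZ' header.
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (a 1-byte key is plain single-byte XOR)."""
    n = len(key)
    return bytes(b ^ key[i % n] for i, b in enumerate(data))


def _pe_hits(plain: bytes, key: bytes) -> list:
    """Return (key, offset of 'MZ') for every DOS stub that has an 'MZ' shortly before it."""
    hits = []
    off = plain.find(DOS_STUB)
    while off != -1:
        mz_off = plain.rfind(b"MZ", max(0, off - 0x100), off)
        if mz_off != -1:
            hits.append((key, mz_off))
        off = plain.find(DOS_STUB, off + 1)
    return hits


def find_single_byte_xor_pe(blob: bytes) -> list:
    """Technique 1: try every single-byte key and look for a decoded PE."""
    hits = []
    for k in range(256):
        key = bytes([k])
        hits.extend(_pe_hits(xor_with_key(blob, key), key))
    return hits


def recover_repeating_xor_key(blob: bytes, period: int) -> bytes:
    """Technique 2: at each key position the most frequent ciphertext byte is
    taken to be key[i] XOR 0x00 = key[i]. Works whenever padding dominates."""
    return bytes(Counter(blob[i::period]).most_common(1)[0][0] for i in range(period))


def find_repeating_xor_pe(blob: bytes, period: int = 256) -> list:
    """Recover a period-byte key by frequency analysis, then look for a decoded PE.
    The recovered key is phase-aligned to the document rather than to the EXE,
    which is all that is needed to decrypt the document in place."""
    key = recover_repeating_xor_key(blob, period)
    return _pe_hits(xor_with_key(blob, key), key)


def make_fake_pe(rng: random.Random) -> bytes:
    """Constructed stand-in for a PE image (not a real executable): 'MZ' header,
    e_lfanew, DOS stub text, 'PE' signature and 256 bytes of random 'code'
    inside a mostly zero-padded 4 KiB image."""
    img = bytearray(0x1000)
    img[0:2] = b"MZ"
    img[0x3C:0x40] = (0x100).to_bytes(4, "little")
    img[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    img[0x100:0x104] = b"PE\0\0"
    img[0x200:0x300] = bytes(rng.randrange(256) for _ in range(0x100))
    return bytes(img)


def make_fake_document(rng: random.Random, key: bytes):
    """Constructed carrier: a PDF-looking prefix, the XOR-encrypted image, a trailer.
    Returns the document and the offset at which the encrypted image starts."""
    prefix = (b"%PDF-1.4\n%constructed sample, not a real document\n"
              + bytes(rng.randrange(0x20, 0x7F) for _ in range(200)) + b"\n")
    return prefix + xor_with_key(make_fake_pe(rng), key) + b"\n%%EOF\n", len(prefix)


if __name__ == "__main__":
    rng = random.Random(1)
    doc, start = make_fake_document(rng, bytes([0x5A]))
    print("single-byte XOR hits:", find_single_byte_xor_pe(doc), "image starts at", start)
    rng = random.Random(2)
    key = bytes(rng.randrange(256) for _ in range(256))
    doc, start = make_fake_document(rng, key)
    for k, off in find_repeating_xor_pe(doc):
        print("256-byte XOR: PE at offset", off, "recovered key starts", k[:4].hex())
```

The frequency technique needs the encrypted image to be long relative to the key (several multiples of the period) so that zero padding outweighs header, code and carrier bytes at every position; for a short EXE or a key longer than the padding can support, the single-byte brute force still applies but the repeating-key recovery degrades, which is one reason a scanner keeps several methods rather than one.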

Drops:

New hash search page

The hash search report has been streamlined and the beta version phased out; some of the more verbose reporting is now hidden and can be shown with a click beside its heading. Shellcode disassembly (which now includes some basic automatic unpacking) and hexdump images are hidden by default. More info on the embedded EXE is coming soon. A future version will probably be a static page to speed up loading.

Submit web url, comments

Trying out a couple of newly written features: submit a document/PDF/zip from a web link (handy for seeing what's behind those emailed links); try it here. Also added a comments box to each MD5 report page to perhaps drive some collaborative analysis. The forms throughout have been migrated to HTML5 to take advantage of some of the new browser features.

Monday, July 12, 2010

APT Malware Trends

Some history on the most common Adobe PDF and MS Office exploits and the timeline of their detection on ViCheck.ca:

CVE-2006-2492 MS Word
July 2009 - Current

CVE-2009-0927 PDF Collab.getIcon
July 2009 - Current

CVE-2007-5659 PDF Collab.collectEmailInfo
September 2009 - Current

CVE-2009-3957 PDF Colors
September 2009 - February 2010

CVE-2008-2992 PDF util.printd
December 2009 - Current

CVE-2009-3954 PDF 3D
December 2009 - May 2010

CVE-2009-3953 CVE-2009-3959 PDF U3D
December 2009 - May 2010

CVE-2009-4324 PDF media.newPlayer
December 2009 - Current

CVE-2010-0188 PDF TIFF
March 2010 - Current

CVE-2009-3129 MS Office
June 2010 - Current

CVE-2010-1297 PDF+Flash
June 2010 - Current

Thursday, April 8, 2010

View detection hits as hexdump on ViCheck.ca

For recently analyzed reports, we've added a Beta Analysis Report, linked from the regular report page, where you can view hex dumps of the exploits or embedded executables.
Detect JavaScript exploits in PDF, or embedded executables in MS Office exploits in .doc, .xls and .ppt files, on ViCheck.ca.

Wednesday, February 17, 2010

More fun with PDF Obfuscation

Another interesting way to hide a block of JavaScript inside a PDF: stash it in the document's Info dictionary and read it back through info.Trailer:

exmu='dmw';if(app.alert)exmu='';WmMw=this;zisc=WmMw.info;exmu=exmu+unescape('%')+exmu;y1vw=zisc.Trailer.replace(/([A-Z])/g,exmu);app.setTimeOut(unescape(y1vw),3)
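To show what the one-liner above actually does to the Trailer string, here is an added example written for this page (not ViCheck.ca's code and not from the sample) that re-implements the script's own transformation in Python, so an analyst can recover the hidden JavaScript statically instead of executing it. The script replaces every capital letter in the Trailer value with a separator and then calls unescape on the result; the separator is '%' only when app.alert exists, so in a JavaScript engine without the Acrobat object model it becomes 'dmw%dmw' and the decoding yields garbage. The encoder, the sample payload and the Info object fragment below are constructed for the test; the simple /Trailer extractor assumes an unescaped PDF literal string.

```python
"""Static decoder for the info.Trailer obfuscation above.

Constructed example (not ViCheck.ca's code): re-implements the transformation
the obfuscated script applies to the /Info /Trailer string.
"""
import random
import re
import string


def js_unescape(s: str) -> str:
    """Emulate JavaScript's legacy unescape(): %uXXXX -> UTF-16 code unit,
    %XX -> single code point; anything else is passed through unchanged."""
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_trailer_payload(trailer: str, app_alert_present: bool = True) -> str:
    """Apply the script's own steps: every capital letter becomes the separator
    ('%' inside Acrobat where app.alert exists, 'dmw%dmw' elsewhere), then unescape.
    With app_alert_present=False the output is the garbage a non-Acrobat engine sees."""
    sep = "%" if app_alert_present else "dmw%dmw"
    return js_unescape(re.sub(r"[A-Z]", sep, trailer))


def extract_info_trailer(pdf: bytes):
    """Pull the /Trailer literal string out of an Info dictionary.
    Assumption: the value is a plain (...) literal with no escapes or nesting,
    which is what the observed format needs (letters and lowercase hex only)."""
    m = re.search(rb"/Trailer\s*\((.*?)\)", pdf, re.S)
    return m.group(1).decode("latin-1") if m else None


def encode_trailer_payload(js: str, rng: random.Random) -> str:
    """Constructed encoder used only to build a test string in the observed
    format: each character becomes a random capital letter followed by its
    code point as two lowercase hex digits (lowercase so the digits survive
    the [A-Z] replacement)."""
    if any(ord(c) > 0xFF for c in js):
        raise ValueError("constructed encoder only handles single-byte code points")
    return "".join(rng.choice(string.ascii_uppercase) + format(ord(c), "02x") for c in js)


def build_sample_info_object(trailer_value: str) -> bytes:
    """Constructed Info dictionary fragment carrying the encoded string."""
    return (b"1 0 obj\n<< /Producer (constructed sample) /Trailer ("
            + trailer_value.encode("latin-1") + b") >>\nendobj\n")


if __name__ == "__main__":
    rng = random.Random(7)
    encoded = encode_trailer_payload("app.alert('constructed sample payload')", rng)
    fragment = build_sample_info_object(encoded)
    print("Trailer value:", extract_info_trailer(fragment))
    print("decoded (Acrobat path):", decode_trailer_payload(extract_info_trailer(fragment)))
    print("decoded (no app.alert):", decode_trailer_payload(extract_info_trailer(fragment), False))
```

The app.alert check is worth noting on the detection side: a sandbox that evaluates PDF JavaScript without an Acrobat-like app object will never see the real payload, so a static decode of the Trailer value is the reliable way to get at it.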