Monday, November 01, 2010

Honeynet Project Forensic Challenge on Malicious PDF

Ahmad Azizan and I released a challenge for the Honeynet Project Forensic Challenge on our favourite topic, malicious PDF, called "Analyzing Malicious Portable Destructive Files". We put a few tricks into the PDF file to make analysis harder, such as JavaScript obfuscation, games with the PDF /Root component, PDF syntax obfuscation and more. It will be interesting to see how many people end up with the wrong shellcode execution. >;). Good luck and enjoy the challenge. We definitely had a lot of fun while working on it.

Please check out the challenge on the Honeynet Project Forensic Challenge 6 page here.


Here is the challenge description:


The Challenge:
PDF format is the de-facto standard in exchanging documents online. Such popularity, however, has also attracted cyber criminals in spreading malware to unsuspecting users. The ability to generate malicious pdf files to distribute malware is functionality that has been built into many exploit kits. As users are less cautious opening PDF files, the malicious PDF file has become quite a successful attack vector.

The network traffic captured in lala.pcap contains network traffic related to a typical malicious PDF file attack, in which an unsuspecting user opens a compromised web page, which redirects the user's web browser to the URL of a malicious PDF file. As the PDF plug-in of the browser opens the PDF, the unpatched version of Adobe Acrobat Reader is exploited and, as a result, downloads and silently installs malware on the user's machine.
  1. How many URL path(s) are involved in this incident? Please list the URL path(s) found. (1pt)
  2. What code can you find inside the PCAP file? Explain what the code does. (2pts)
  3. What file(s) can you find within the PCAP file? If any files are found, please zip compress into password protected file (password infected) with file name: [your email]_Forensic Challenge 2010 – Challenge 6 – Extracted Files.zip and submit to http://www.honeynet.org/challenge2010/. (3pts)
  4. How many object(s) are contained inside the PDF file? (1pt)
  5. Using PDF dictionary and object referencing, explain in detail the flow structure of a PDF file. (1pt)
  6. How many filtering schemes are used for the object streams and what are they? Explain how you can decompress the stream. (1pt)
  7. Which object streams might contain malicious content? List the object and explain the obfuscation technique(s) used. (3pts)
  8. What exploit(s) are contained inside the PDF file? Which one actually runs and triggers the vulnerability(ies)? Please provide some explanation for your answer. (4pts)
  9. Are there any payloads inside the PDF file? If any, list them all and explain what they do. Which payload will be executed? (2pts)
  10. With the understanding of the PDF format structure, please explain how we can enable other exploits to run when the PDF file is opened. (2pts)
Bonus:
  1. Please provide the dot graph of the PDF object’s connectivity inside the PDF file. (1pt)
  2. Please provide an automated solution to extract and analyze JavaScript code within the PDF file. Be creative! (describe your solution below, but submit any source code and executable in a compressed zip file with file name [your email]_Forensic Challenge 2010 – Challenge 6 – Bonus2.zip via our submission form http://www.honeynet.org/challenge2010/.) (1pt)
To get started, inspect the PCAP file. It can be downloaded from this page.


Wednesday, August 25, 2010

Malicious PDF Technical Analysis Write Up

In 2010 I spent a bit of my time poking at malicious PDF analysis and came up with a technical write-up on analyzing malicious PDFs, titled "Getting Owned by Malicious PDF". I split the write-up into multiple samples, ordered from easy to moderate in terms of the challenges and obstacles you meet when dealing with malicious PDF analysis.

It starts with an introduction to PDF structure and components. The next section analyzes a vanilla PDF with a plain, flat structure: a good way to familiarize the audience with PDF structure and to expose them to the malicious PDF threat. For this sample the analysis focuses on understanding the PDF internals and extracting the interesting components: the /Root object, the JavaScript code and the shellcode embedded inside that JavaScript.

The second sample involves PDF components compressed through the /Filter feature. /Filter lets a stream object be encoded with one or more compression or encoding methods: zlib compression for the /FlateDecode filter, hex encoding for the /ASCIIHexDecode filter, and so on. Many other filters exist, and several can be chained on one stream; please read Adobe's PDF specification for the full list.

For the details of samples 3 and 4, please download and read the write-up from the SANS web page here.
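The challenge questions above (object count, the flow from /Root through object references, filter chains and how to decompress them, which streams hold the JavaScript, and the dot-graph bonus) and the /Root and /Filter discussion in this write-up all come down to the same small walker. The Python below is an added example of that walker; it is not code from the challenge, the write-up, or any of the tools mentioned. The document it analyzes is constructed inside build_sample(): the object numbers, the two scripts, the /OpenAction wiring and the filter choices are my assumptions, picked so that one script is reachable from /Root and one is not.

```python
"""Triage walker for a PDF object graph: list objects, follow references from /Root,
decode /FlateDecode and /ASCIIHexDecode streams, extract JavaScript, emit a dot graph.
Regex based, no xref parsing: meant for small samples, not a full parser."""
import binascii
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R\b")

def parse_objects(data):
    """Map object number -> raw body for every 'N G obj ... endobj'."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(data)}

def root_object(data):
    m = re.search(rb"/Root\s+(\d+)\s+\d+\s+R", data)  # trailer entry, None if absent
    return int(m.group(1)) if m else None

def dictionary_part(body):  # cut at 'stream' so binary data cannot fake an 'N G R'
    return re.split(rb"\bstream\b", body, maxsplit=1)[0]

def references(body):
    return sorted({int(n) for n in REF_RE.findall(dictionary_part(body))})

def filters(body):
    """Filter names in decode order; handles '/Filter /X' and '/Filter [/X /Y]'."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/\w+)", dictionary_part(body))
    return [n.decode() for n in re.findall(rb"/(\w+)", m.group(1))] if m else []

def ascii_hex_decode(raw):
    hexdata = re.sub(rb"\s", b"", raw.split(b">")[0])  # '>' marks end of data
    return binascii.unhexlify(hexdata + b"0" if len(hexdata) % 2 else hexdata)

DECODERS = {"FlateDecode": zlib.decompress, "ASCIIHexDecode": ascii_hex_decode}

def raw_stream(body):
    """Bytes after 'stream'; trusts a direct /Length, else searches for 'endstream'."""
    m = re.search(rb"\bstream\r?\n", body)
    if not m:
        return None
    lm = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", body)  # skip indirect /Length
    if lm:
        return body[m.end():m.end() + int(lm.group(1))]
    return body[m.end():body.rfind(b"endstream")].rstrip(b"\r\n")

def decode_stream(body):
    """Decoded stream bytes (None if no stream); an unknown filter raises KeyError."""
    raw = raw_stream(body)
    for name in (filters(body) if raw is not None else []):
        raw = DECODERS[name](raw)
    return raw

def extract_javascript(objects):
    """{object holding the script: bytes}; /JS may be a stream reference or a literal."""
    found = {}
    for num, body in objects.items():
        ref = re.search(rb"/JS\s+(\d+)\s+\d+\s+R", dictionary_part(body))
        lit = re.search(rb"/JS\s*\((.*)\)", dictionary_part(body), re.S)  # greedy: keeps nested ()
        if ref:
            found[int(ref.group(1))] = decode_stream(objects[int(ref.group(1))])
        elif lit:
            found[num] = lit.group(1)
    return found

def reachable(objects, start):
    """Objects reachable from start by following 'N G R' references."""
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n not in seen and n in objects:
            seen.add(n)
            stack.extend(references(objects[n]))
    return seen

def dot_graph(objects, root):
    """Graphviz source; objects that /Root never reaches are drawn dashed."""
    live = reachable(objects, root)
    lines = ["digraph pdf {", f"  trailer -> {root};"]
    for num in sorted(objects):
        lines.append(f"  {num}{'' if num in live else ' [style=dashed]'};")
        lines.extend(f"  {num} -> {r};" for r in references(objects[num]))
    return "\n".join(lines + ["}"])

def build_sample():
    """Constructed sample, not a real malicious file: /OpenAction runs the script in
    object 5, while objects 6 and 7 carry a second script that nothing references."""
    flate = zlib.compress(b'var sc = unescape("%u4141%u4141"); app.alert(sc.length);')
    hexflate = binascii.hexlify(zlib.compress(b'app.alert("dormant");')) + b">"
    objs = [b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R >>",
            b"<< /Type /Action /S /JavaScript /JS 5 0 R >>",
            b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(flate) + flate + b"\nendstream",
            b"<< /Type /Action /S /JavaScript /JS 7 0 R >>",
            b"<< /Length %d /Filter [/ASCIIHexDecode /FlateDecode] >>\nstream\n" % len(hexflate) + hexflate + b"\nendstream"]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R /Size 8 >>\n%%EOF\n"
```

Call parse_objects() and root_object() on the file bytes, then extract_javascript() for the scripts and dot_graph() for Graphviz input (dot -Tpng renders it). The dashed nodes are the objects that no path from /Root touches, which is exactly the situation question 10 asks about: the second action in object 6 only runs once something reachable, such as the catalog's /OpenAction or a page's /AA entry, references it. Filters are applied in the order the /Filter array lists them, so [/ASCIIHexDecode /FlateDecode] is hex-decoded first and inflated second. Scanning for "N G obj" instead of trusting the xref table is deliberate: it also surfaces objects the attacker has left orphaned or that an incremental update has replaced, but it is a triage shortcut, and anything beyond that needs a real parser.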

Tuesday, July 27, 2010

LNK (Windows File Shortcut) Parser For CVE-2010-2568


Exploiting CVE-2010-2568 requires a LNK file that points at a malicious DLL. Feeling the urgency of parsing LNK files to trace any DLL they reference, I modified a small portion of code from the Metasploit project so that it runs independently of the Metasploit framework. The original code is here. The main purpose of dumplinks.rb is to extract information from each LNK file; it was originally written by davehull. Here is the output of the modified code:



[+]Processing: lalameta.lnk
[+]Found CLSID=00021401-0000-0000-C000-0000000000460
lalameta.lnk:
Access Time       = Tue Jul 27 17:16:06 +0800 2010
Creation Date     = Thu Jul 22 01:16:24 +0800 2010
Modification Time = Thu Jul 22 01:16:24 +0800 2010
Contents of lalameta.lnk:
Flags:
Attributes:
Target file's MAC Times stored in lnk file:
Creation Time     = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Modification Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Access Time       = Thu Jan 01 07:30:00 +0730 1970. (UTC)
ShowWnd value(s):
Target file's MAC Times stored in lnk file:
Creation Time     = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Modification Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Access Time       = Thu Jan 01 07:30:00 +0730 1970. (UTC)
[+]checking offset of 0x80 to find DLL from metasploit code generator
[+]:\\192.168.20.2\xyTxzY\CjmX.dll
The last line of the output shows the DLL that the LNK file loads. Below is the result for the PoC provided by ivanlef0u.
[+]Processing: suckme.lnk_
129
suckme.lnk_:
Access Time       = Tue Jul 27 17:52:02 +0800 2010
Creation Date     = Mon Jul 19 10:32:26 +0800 2010
Modification Time = Sun Jul 18 00:37:30 +0800 2010
Contents of suckme.lnk_:
Flags:
Shell Item ID List exists.
Attributes:
Target file's MAC Times stored in lnk file:
Creation Time     = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Modification Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Access Time       = Thu Jan 01 07:30:00 +0730 1970. (UTC)
ShowWnd value(s):
SW_SHOW.
SW_NORMAL.
SW_SHOWMINNOACTIVE.
SW_SHOWMAXIMIZED.
SW_RESTORE.
Target file's MAC Times stored in lnk file:
Creation Time     = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Modification Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Access Time       = Thu Jan 01 07:30:00 +0730 1970. (UTC)
[+]checking offset of 0x80 to find DLL from metasploit code
[+]: :C:\dll.dllMises ? jour automatiquesCo
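The same fields, pulled out by a stand-alone Python parser written from the MS-SHLLINK header and LinkTargetIDList layout rather than adapted from dumplinks.rb. This is an added example, not the modified script whose output is shown above. The shortcut it parses is built inline by build_sample(): the UNC path \\192.168.56.10\share\evil.dll and the two-item ID list are my own constructed approximation of a CVE-2010-2568 shortcut, not bytes from a real sample.

```python
"""Stand-alone .lnk parser written from the MS-SHLLINK layout (not the post's
modified dumplinks.rb): header, LinkFlags, timestamps, ShowCommand, the
LinkTargetIDList items and any UTF-16LE .dll path embedded in those items."""
import re
import struct
import uuid
from datetime import datetime, timedelta, timezone

SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
MY_COMPUTER_CLSID = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D")
LINK_FLAGS = ["HasLinkTargetIDList", "HasLinkInfo", "HasName", "HasRelativePath",
              "HasWorkingDir", "HasArguments", "HasIconLocation", "IsUnicode"]
SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # run of printable UTF-16LE chars

def filetime(value):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime; 0 means 'not set'."""
    return None if value == 0 else EPOCH_1601 + timedelta(microseconds=value // 10)

def parse_header(data):
    """ShellLinkHeader: 0x4C bytes that must start with the shell link CLSID."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("HeaderSize is not 0x4C")
    if uuid.UUID(bytes_le=data[4:20]) != SHELL_LINK_CLSID:
        raise ValueError("LinkCLSID is not 00021401-0000-0000-C000-000000000046")
    flags, attrs, ctime, atime, wtime, size, _icon, show = struct.unpack_from("<IIQQQIII", data, 20)
    return {"flags": [name for i, name in enumerate(LINK_FLAGS) if flags >> i & 1],
            "attributes": attrs,
            "creation": filetime(ctime), "access": filetime(atime), "write": filetime(wtime),
            "file_size": size,
            "show_command": SHOW_COMMANDS.get(show, f"0x{show:x}")}

def parse_idlist(data, offset):
    """LinkTargetIDList: u16 IDListSize, then ItemIDs (u16 size, counting the size
    field itself) up to a 0x0000 TerminalID.  Returns (items, offset after the list)."""
    size, = struct.unpack_from("<H", data, offset)
    end, pos, items = offset + 2 + size, offset + 2, []
    while pos + 2 <= end:
        item_size, = struct.unpack_from("<H", data, pos)
        if item_size < 2:  # TerminalID, or a corrupt size that would never advance
            break
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items, end

def dll_paths(items):
    """Printable UTF-16LE runs inside the ItemIDs that end in .dll; a CVE-2010-2568
    shortcut carries the path of the DLL it loads in such an item."""
    runs = (m.group(0).decode("utf-16le") for item in items for m in UTF16_RUN.finditer(item))
    return [s for s in runs if s.lower().endswith(".dll")]

def parse_lnk(data):
    info = parse_header(data)
    info["items"] = parse_idlist(data, 0x4C)[0] if "HasLinkTargetIDList" in info["flags"] else []
    info["dll_paths"] = dll_paths(info["items"])
    return info

def build_sample(dll_path=r"\\192.168.56.10\share\evil.dll"):
    """Constructed shortcut, not a real exploit file and simpler than the CVE-2010-2568
    samples: a root (My Computer) item, then an item whose payload is the UTF-16LE DLL
    path.  Only HasLinkTargetIDList is set and all timestamps are left at zero."""
    header = struct.pack("<I", 0x4C) + SHELL_LINK_CLSID.bytes_le
    header += struct.pack("<IIQQQIIIHHII", 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    root_item = b"\x1f\x50" + MY_COMPUTER_CLSID.bytes_le
    path_item = b"\x00" * 4 + dll_path.encode("utf-16le") + b"\x00\x00"
    idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in (root_item, path_item)) + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist

if __name__ == "__main__":
    for key, value in parse_lnk(build_sample()).items():
        print(f"{key:12} = {value!r}")
```

Instead of reading a fixed offset such as 0x80, the parser walks the ItemIDSize fields, so it finds the DLL path wherever the ID list puts it, and an ItemIDSize of zero (the TerminalID) or a corrupt size ends the walk rather than looping forever. A FILETIME of zero is reported as None, which is what the all-zero target timestamps in the output above amount to, and the header is rejected outright when HeaderSize or LinkCLSID is wrong, since neither the ID list offset nor the flags can be trusted then.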


Monday, June 07, 2010

Hello Miami, and Let's Talk about Portable Destructive PDFs.

I'll be speaking at the 22nd FIRST conference in Miami next week. The topic of my presentation is PDF: Portable Destructive File: Attacks and Analysis. I'll be sharing how to dissect malicious PDFs and how to perform an analysis of a malicious PDF file. Below is my abstract for the presentation. [http://conference.first.org/2010/Program/program.aspx]


Portable Destructive File (PDF) Attacks and Analysis

The increased prevalence of malicious Portable Document Format (PDF) files has generated interest in techniques for analyzing such documents. We have observed many attacks that abuse PDF vulnerabilities by hosting malicious PDF files on the Internet. The modus operandi is to lure people into opening malicious PDF files through social engineering: emails are sent with a link to the PDF file, or with the malicious PDF file attached directly, to trap the victim into opening it.

In this presentation we will share how to analyze malicious PDF files that abuse JavaScript both for exploitation and as the carrier of the attacker's payload. What you learn here will help you analyze malicious PDF files on your own using freely available tools.