PaulDotCom mailing list archives

Re: How merge a backdoor in PDF file?


From: Todd Haverkos <infosec () haverkos com>
Date: Mon, 12 Sep 2011 14:57:42 -0500

Mohsen Mostafa Jokar <mohsenjokar () gmail com> writes:
Hello All.

I'm sure there are folks on this list who've forgotten more about file
format vulns than I know, but hopefully this overview is useful to you
Mohsen.  These are good questions and the more people who know the
answers, the better off we'll be! 

How does a hacker merge a backdoor into a PDF file?

In concert with a relevant bug that allows for code execution in the
PDF reader they're targeting, if the PDF gets opened by a vulnerable
reader program, the attacker can generally run whatever code they want
(including a back door).

The link provided by another poster looked to have a very relevant
title on these topics and how easily exploits and backdoor payloads
can be put together inside an arbitrary PDF with a framework like
Metasploit, Canvas, Core Impact, or the like. 

The Metasploit framework is a fairly convenient, mind bogglingly
flexible and free way for attackers (both white hat and black hat) to
do that, right along with the relevant code exec exploits.  The
exploits that are part of metasploit are generally ones for which the
vendor has fixed the vulnerability, but that's not to say there aren't
still a large number of vulnerable instances of Acrobat Reader installed
on lots of computers in the world.  It's also not uncommon for a
vendor to fail to take a reported bug seriously enough to fix it until
a metasploit module for the issue becomes available.

and how to detect it?

That's not necessarily an easy thing to do.  Antivirus evasion is not
hard--in fact crimeware that's available for purchase is reported to
have better support than most antivirus vendors have, and--should a
given piece of crimeware get detected--the authors will cheerfully
spin you a new version that they guarantee won't be detected.  So in
general, AV won't save you from infection, and at best, they _might_
detect something weeks later when and if the vendor gets a sample of
the malware for analysis and writes a signature for it. 

There are an increasing number of various expensive defensive security
tools devoted to this notion of "post-exploit detection", where the
limits of preventive measures like anti-virus are acknowledged and the
focus is instead on detecting malware-like behavior, callbacks and
persistence.  Here, things like Damballa, Netwitness and FireEye are
attempting to answer this "how to detect it" question better than
mainstream endpoint tools can today.  Indicators of compromise--such
as DNS queries to known malware-associated domains or botnet command
and control--are among the things these tools look at to detect
compromised hosts.

Can a hacker put a virus in another file like a jpg or...?

Yes.  Just about any file format has been leveraged at some point.
.zip, .doc, .ppt, .vsd, .png, .gif ... 

Attackers and researchers will generally fuzz (i.e. throw random input
at all available aspects of a file format) a target program (such as
Adobe Reader, Adobe Flash Player, Java itself, QuickTime, Microsoft
Office components) that parses those files looking for crash bugs,
triage those and attempt to divine if the crash bug is exploitable for
code execution, and iterate from there.  In fact, on Tuesday we'll
see details of various Microsoft Office security issues, Adobe has
promised fixes for Acrobat and Reader issues, and Apple has updated
QuickTime to fix some of these problems for some files it handles.
And that's just in the past month.

Google [fileformat] vulnerability CVE and you'll find a great deal of
information.  Or browse how many exploit modules are available, and
their titles, for a feel for what exploitable file format vulns are
out there: http://www.metasploit.com/modules/

The take away here would be to not think of any file format as
intrinsically safe.


Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
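
The first question in the thread, how a backdoor rides inside a PDF, and the second, how to detect it, both come down to the fact that a PDF can carry active content (JavaScript, launch actions, embedded files) that the reader runs on open. The script below is an added example, not code from the original post or from any of the tools it names: a static triage pass of the kind pdfid-style tools do, counting the trigger names (/OpenAction, /AA) and payload names (/JavaScript, /JS, /Launch, ...) in a file. It undoes the two cheap evasions that defeat a naive grep: hex-escaped names (/J#61vaScript) and FlateDecode-compressed streams. The two sample documents are constructed in the code (the "evil" one only pops an alert and exploits nothing); the name lists and the clean/review/suspicious thresholds are this example's own choices.

```python
import re
import zlib

# Names that let a PDF act on its own. /OpenAction and /AA fire automatically
# when the document opens; the rest are the payload carriers they point at.
# (Assumption: this list is the example's own choice, not any tool's.)
TRIGGERS = (b"/OpenAction", b"/AA")
ACTIONS = (b"/JavaScript", b"/JS", b"/Launch", b"/RichMedia", b"/XFA", b"/EmbeddedFile")
WATCHED = TRIGGERS + ACTIONS + (b"/URI",)

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name escaping: /J#61vaScript is the same name as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the concatenated plaintext of every stream that inflates as zlib (FlateDecode)."""
    chunks = []
    for m in _STREAM.finditer(data):
        try:
            chunks.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or damaged): skip it rather than abort triage
    return b"\n".join(chunks)


def triage(pdf: bytes) -> dict:
    """Count watched names in the raw file plus inflated streams, then give a verdict."""
    scan = normalize_names(pdf) + b"\n" + normalize_names(inflate_streams(pdf))
    counts = {}
    for name in WATCHED:
        # the lookahead stops /JS from matching inside a longer name such as /JSomething
        pattern = re.escape(name) + rb"(?![A-Za-z0-9_])"
        counts[name.decode()] = len(re.findall(pattern, scan))
    has_trigger = any(counts[n.decode()] for n in TRIGGERS)
    has_action = any(counts[n.decode()] for n in ACTIONS)
    if has_trigger and has_action:
        verdict = "suspicious"   # something runs automatically on open
    elif has_trigger or has_action:
        verdict = "review"       # active content present, not obviously auto-triggered
    else:
        verdict = "clean"
    return {"counts": counts, "verdict": verdict}


# Constructed sample: a one-page PDF with no active content.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def build_evil_pdf() -> bytes:
    """Constructed sample: auto-run JavaScript, names hex-escaped, script Flate-compressed."""
    script = zlib.compress(b'app.alert("constructed sample, not an exploit");')
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
        b"4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj\n"
        b"5 0 obj << /Length " + str(len(script)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + script + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    print("benign:", triage(BENIGN_PDF)["verdict"])
    print("evil:  ", triage(build_evil_pdf()))
```

This is a triage filter, not a detector of exploits: it says whether a file can do something on open, which is the question worth asking before the file ever reaches a reader, and a document that comes back "suspicious" goes to a sandbox or a full parser. A naive grep would miss both samples' tricks, since neither the literal string /OpenAction nor the script text appears anywhere in the raw bytes of the constructed evil file.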

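The post-exploit detection the reply describes, looking at DNS queries to known malware-associated domains and at command-and-control callbacks, can be done on plain resolver logs without any of the commercial tools named. The following is an added example, not code from the original post or from Damballa, Netwitness or FireEye: it runs two checks over a constructed query log, a blocklist match that also catches subdomains of a listed domain, and a beaconing check that flags a client querying the same name at near-constant intervals. The log format, the blocklist (all under the reserved .test TLD), the four-query minimum and the 10% jitter threshold are this example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed blocklist. The .test TLD is reserved (RFC 2606), so nothing here is a real domain.
BLOCKLIST = {"badactor.test"}

# Constructed query log, one query per line: "<utc timestamp> <client ip> <qtype> <qname>".
SAMPLE_LOG = """\
2011-09-12T14:00:00Z 10.0.0.5 A www.example.com
2011-09-12T14:00:07Z 10.0.0.5 A mail.example.com
2011-09-12T14:00:30Z 10.0.0.9 A update.c2.badactor.test
2011-09-12T14:01:00Z 10.0.0.7 A beacon.notreal.test
2011-09-12T14:06:00Z 10.0.0.7 A beacon.notreal.test
2011-09-12T14:11:00Z 10.0.0.7 A beacon.notreal.test
2011-09-12T14:16:01Z 10.0.0.7 A beacon.notreal.test
2011-09-12T14:20:00Z 10.0.0.5 A www.example.com
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client, qtype, normalized qname)."""
    ts, src, qtype, qname = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, qtype,
            qname.lower().rstrip("."))


def in_blocklist(qname: str, blocklist=BLOCKLIST) -> bool:
    """Match the name or any parent domain, so update.c2.badactor.test hits on badactor.test."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_beacons(events, min_queries=4, max_jitter=0.10):
    """Flag (client, name) pairs queried at near-constant intervals: the classic C2 check-in."""
    stamps = defaultdict(list)
    for ts, src, _, qname in events:
        stamps[(src, qname)].append(ts)
    beacons = []
    for (src, qname), times in stamps.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        # coefficient of variation: 0 is perfectly regular; real implants add a little jitter,
        # so allow up to max_jitter (an assumed threshold) before calling it periodic
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons.append((src, qname, round(period)))
    return beacons


def analyze(log_text: str, blocklist=BLOCKLIST) -> dict:
    """Run both checks and return the hosts worth pulling for forensics."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    hits = sorted({(src, qname) for _, src, _, qname in events if in_blocklist(qname, blocklist)})
    return {"blocklist_hits": hits, "beacons": find_beacons(events)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The blocklist check only ever finds what somebody already knows about; the periodicity check is the one that catches an implant nobody has a sample of yet, which is exactly the gap the reply says signature AV leaves. On real logs, expect to tune the jitter threshold and to whitelist legitimate periodic traffic (NTP, update checks, monitoring agents) before the output is usable.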

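The fuzzing loop the reply sketches, mutate an input, feed it to the parser, collect crashes, triage them, is mechanical enough to show end to end. The harness below is an added example, not code from the original post or from any real fuzzer: the target is a deliberately buggy toy parser for a constructed "HDR:<len>:<payload>" format, standing in for a real file-format parser (in C the bug would be an out-of-bounds read; here it surfaces as IndexError, which the harness treats as a crash). It mutates a seed file, filters out the rejections the format is allowed to raise, buckets the rest by crash signature (exception type plus faulting location, like a debugger's crash hash) and keeps a few reproducers per bucket. The format, the mutation strategies and the signature scheme are this example's own assumptions.

```python
import random
import traceback
from collections import defaultdict


def parse_record(data: bytes) -> bytes:
    """Toy parser for a constructed format 'HDR:<len>:<payload>' (stand-in for a real file parser)."""
    if not data.startswith(b"HDR:"):
        raise ValueError("bad magic")              # a rejection the format defines: not a bug
    parts = data[4:].split(b":", 1)
    if len(parts) != 2:
        raise ValueError("missing length field")
    length = int(parts[0])                         # ValueError on garbage here is also expected
    payload = parts[1]
    # Deliberate bug: the declared length is trusted. In a C parser this is an
    # out-of-bounds read; in Python it surfaces as IndexError, our stand-in for a crash.
    _ = payload[length - 1]
    return payload[:length]


EXPECTED = (ValueError,)   # exceptions the parser may raise on malformed input by design


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random edit: overwrite, insert or delete a byte (dumb mutation fuzzing)."""
    buf = bytearray(seed)
    op = rng.choice(("flip", "insert", "delete"))
    pos = rng.randrange(len(buf))
    if op == "flip":
        buf[pos] = rng.randrange(256)
    elif op == "insert":
        buf.insert(pos, rng.randrange(256))
    elif len(buf) > 1:
        del buf[pos]
    return bytes(buf)


def crash_signature(exc: BaseException) -> str:
    """Bucket crashes by exception type and faulting location, like a debugger's crash hash."""
    frame = traceback.extract_tb(exc.__traceback__)[-1]
    return f"{type(exc).__name__}@{frame.name}:{frame.lineno}"


def reproduces(case: bytes) -> bool:
    """Re-run one input under the fuzzer's rules; True means it still crashes (not a rejection)."""
    try:
        parse_record(case)
    except EXPECTED:
        return False
    except Exception:
        return True
    return False


def fuzz(seed: bytes, iterations: int, rng_seed: int = 0) -> dict:
    """Mutate the seed, run the target, keep up to three reproducers per unique crash signature."""
    rng = random.Random(rng_seed)   # seeded so a run is repeatable
    crashes = defaultdict(list)
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parse_record(case)
        except EXPECTED:
            continue                 # the format rejected it: that is the parser working
        except Exception as exc:
            crashes[crash_signature(exc)].append(case)
    return {sig: cases[:3] for sig, cases in crashes.items()}


if __name__ == "__main__":
    for sig, cases in fuzz(b"HDR:5:hello", 2000, rng_seed=1).items():
        print(sig, cases)
```

The separation between EXPECTED rejections and everything else is the part that matters in practice: a fuzzer that counts every error as a finding buries the one real bug under thousands of correctly refused inputs. The reproducers that come out (a length larger than the payload, a negative length, a truncated payload) are the inputs a researcher then feeds to a debugger to decide whether the crash is a controllable read or write and therefore worth an exploit.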