Malicious emails make false claims of changed POP3/SMTP settings

Apr 28, 2010 08:46 GMT  ·  By

A new email-based social engineering attack employing the PDF /Launch technique to infect computers with malware has been spotted in the wild. The malicious messages trick users into opening rigged PDF files by claiming they contain new POP3/SMTP connection settings.

At the end of last month, Didier Stevens, an IT security consultant and researcher based in Belgium, revealed a social engineering technique that he dubbed "escaping from PDF." The attack relies on abusing the /Launch action functionality described in the PDF specification to trick users into allowing malware embedded in PDF files to run.

Even though Stevens did not publicly disclose the technical details of his approach, it wasn't long until cybercrooks figured it out and incorporated it in their malware distribution campaigns. In mid-April, security vendor Sophos reported seeing the first in-the-wild attack using this method.

The new attack is well-constructed and the rogue emails are made to appear as if they are coming from the mail server administrator. Their "From" field is spoofed to display a system@[your_email_domain] address.

Furthermore, the subject used is "setting for your mailbox is changed" and the contained message reads: "SMTP and POP3 servers for [your_email_address] mailbox are changed. Please carefully read the attached instructions before updating settings." The attached file is a PDF document rigged with malware and called doc.pdf.

When opening the file in Adobe Reader, the user is presented with a warning dialog asking for confirmation to open a file. However, the field that normally displays the name and location of that file has been altered to show a misleading instruction reading "Click the 'open' button to view this document."

According to Jeremy Conway, an independent security researcher, the most interesting aspect of this attack is that it doesn't rely on JavaScript. First, lines of VBScript code are echoed through cmd.exe and written to a file called script.vbs. That file contains instructions to parse the PDF and extract the data contained between two predefined delimiters, "SS" and "EE." This data is used to generate a new file named batscript.vbs.

The code in the new VBS reads hex bytes from an array and writes them one by one to yet another file called game.exe, which is then executed. The EXE is a Trojan downloader that until yesterday was detected by only 7 of the 40 antivirus engines on VirusTotal. Upon execution, game.exe creates a copy of itself as "c:\program files\microsoft common\svchost.exe" and modifies the registry so that it is executed together with explorer.exe.
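The chain described above leaves structural tells in the PDF itself that a mail gateway or triage script can check for before the document ever reaches Adobe Reader: a /Launch action, cmd.exe as its target, and a blob of hex bytes fenced by the "SS" and "EE" delimiters. The following scanner is an added example written for this article, not code from the article, from Conway, or from any vendor. It assumes the payload between the delimiters is a run of hex-digit pairs (optionally separated by whitespace or commas); the real sample's exact encoding is not given in the text, so that assumption is labelled in the code. The sample PDF bytes are constructed for illustration and are not the real doc.pdf.

```python
"""Indicator scan for /Launch-style PDF lures.

Added example (not the article's or any vendor's code). Flags three tells
described in the article: a /Launch action, cmd.exe as its target, and a
hex payload enclosed between the literal delimiters "SS" and "EE".
"""
import re
from dataclasses import dataclass, field

# /S /Launch marks a Launch action dictionary in a PDF.
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
# The launched file is given as /F (name), either directly or inside /Win << ... >>.
FILE_RE = re.compile(rb"/F\s*\(([^)]*)\)")
# ASSUMPTION: payload is 'SS' + hex-digit pairs (whitespace/comma separators) + 'EE'.
PAYLOAD_RE = re.compile(rb"SS((?:[0-9A-Fa-f]{2}[\s,]*){8,})EE")
# How far after /Launch to look for the /F entry of the same action dictionary.
LAUNCH_WINDOW = 300


@dataclass
class ScanResult:
    has_launch: bool
    launch_targets: list = field(default_factory=list)
    payload_bytes: int = 0
    findings: list = field(default_factory=list)


def scan_pdf_bytes(data: bytes) -> ScanResult:
    """Return the indicators found in raw PDF bytes (no PDF parser needed)."""
    launches = list(LAUNCH_RE.finditer(data))
    result = ScanResult(has_launch=bool(launches))
    if launches:
        result.findings.append("/Launch action present")
    for m in launches:
        window = data[m.end():m.end() + LAUNCH_WINDOW]
        for f in FILE_RE.finditer(window):
            target = f.group(1).decode("latin-1", "replace")
            result.launch_targets.append(target)
            if target.lower().endswith("cmd.exe"):
                result.findings.append("launch target is cmd.exe")
    for m in PAYLOAD_RE.finditer(data):
        hexblob = re.sub(rb"[\s,]+", b"", m.group(1))
        result.payload_bytes += len(hexblob) // 2
    if result.payload_bytes:
        result.findings.append(f"SS..EE hex payload of {result.payload_bytes} bytes")
    return result


def verdict(result: ScanResult) -> str:
    """A /Launch action alone is legitimate PDF; combined with a shell target
    or an embedded hex blob it matches the lure described in the article."""
    shell = any(t.lower().endswith("cmd.exe") for t in result.launch_targets)
    if result.has_launch and (shell or result.payload_bytes):
        return "suspicious"
    return "clean"


# Constructed sample: a minimal PDF skeleton carrying all three indicators.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /Type /Action /S /Launch"
    b" /Win << /F (cmd.exe) /P (CONSTRUCTED-PLACEHOLDER) >> >> endobj\n"
    b"% SS" + b"DEADBEEFCAFEF00D" * 2 + b"EE\n"   # 32 hex digits = 16 bytes
    b"%%EOF\n"
)

# Constructed clean sample: no Launch action, no payload.
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"%%EOF\n"
)


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        r = scan_pdf_bytes(blob)
        print(f"{name}: {verdict(r)} {r.findings}")
```

The scan works on raw bytes deliberately: the lure does not depend on JavaScript or on compressed object streams, so the tells are visible without decompressing anything. A compressed or obfuscated variant would defeat the regexes, which is exactly the evolution Conway warns about below; treat this as a first-pass triage filter, not a replacement for antivirus detection of the dropped game.exe.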

"The bad news here is that this is only the first real attempt at utilizing the /Launch action to spread malicious code without JavaScript, and I hate to be the bearer of bad news but this won’t be the last or the most complex attempt. There are still lots of obfuscation strategies that can be used to evade detection, and well even the PDF comments section isn’t required to embed the executable," said Mr. Conway. At the time of writing this article, the AV detection rate for the malicious doc.pdf is moderate, with some of the reputed antivirus products still missing it.

Adobe describes /Launch as a feature and does not plan to disable it by default in its products. However, the company has provided detailed instructions on how to turn off the functionality manually.

[Photo gallery, 2 images: "New attack leveraging /Launch PDF trick"; "Copy of malicious email spreading rigged PDF"]