Suspicious PDFs automatically downloaded -- Exploit.PDF-JS.Gen (v)


4 replies to this topic

#1 AllTheTime
  • Members
  • 3 posts

Posted 29 December 2010 - 08:28 PM

I have a problem somewhat similar to the one described here:

http://www.bleepingcomputer.com/forums/topic366998.html


My actual questions are in the list at the bottom. Before that is the description of what has happened so far.

I have a Windows XP Home SP3 system. Yesterday I installed and updated a variety of software: updated Firefox to 3.6.13, updated Firebug, updated Opera to 11.00, installed Chromium, installed Safari, installed Microsoft SyncToy, uninstalled SyncBack (sucked).

Today, using Opera, I did a Google search related to the use of background images with the updated Twitter UI. From the search results I opened 4 pages, on 4 different sites, in background tabs. I opened all 4 pages in pretty quick succession, and within seconds of doing that, maybe while I was still in the process of opening the 4, I saw Acrobat launching and a PDF with a bunch of nonsense text opened. The kind of text that is included in spam emails, I guess to try to confuse spam filters.

The PDF opened in Acrobat 7.1.0 Professional. I didn't know of any reason why a PDF should be opening at all, and the content of the PDF immediately put me on edge. I found 2 PDF files in C:\Documents and Settings\{user}\Local Settings\Application Data\Opera\Opera\temporary_downloads : 1132.PDF, 7758.PDF.

I uploaded the files to several online virus scanners including VirusTotal, Jotti, Avast, and Kaspersky. The only sign of any trouble was VirusTotal saying that VIPRE (1 of 42) reported "Exploit.PDF-JS.Gen (v)" on one (and not the other) of the files. I wasn't able to find much information about that exploit.

VirusTotal and Jotti said the files had already been analyzed and said the date first seen was earlier the same day, 2010-12-29. Here are the md5's:

580b03c00c50a8254376e31b1506161c
6aeae67d4d1784be91d462c637862b50

I did scans with MalwareBytes and Spybot that turned up nothing.

I did a scan with the ESET Online Scanner, which said it found 42 files infected with "HTML/Fraud.AV trojan" in the C:\Documents and Settings\{user}\Local Settings\Temporary Internet Files\Content.IE5 folder. I couldn't find any information about that exploit. As far as I know that folder is only used by IE, which I hardly ever use.

I then did a scan with VIPRE Rescue and that detected "Exploit.PDF-JS.Gen (v)" in a copy I'd made of the suspect PDFs (I think the originals were deleted from the Opera temp downloads folder when I closed Opera). It also detected "Trojan.Win32.Generic!BT" in a file I must have downloaded a long time ago called SDFix.exe.

I don't know what to make of this, I'm pretty mystified.

  • How did these PDFs get on my computer? Did Opera allow a drive-by download from one of those 4 sites I opened? It is suspicious timing that I just installed a bunch of software yesterday, but things seem to point to Opera allowing these files onto my computer in connection with opening those 4 pages.
  • From what I can gather, if the PDFs contained an infection, it was targeted at exploiting Acrobat or Reader. How can I tell if the PDFs compromised my computer? I wasn't able to find much info about the reported exploit, like what the effects would be, or what versions of Acrobat would be vulnerable.
  • If those PDFs contained malware, why did only VIPRE detect it out of MalwareBytes, Spybot, and the dozens of other virus scanners included in VirusTotal and Jotti?
  • Is it a false positive?
  • If it's a false positive, where did the files come from and what is their purpose?
  • How do I tell if I have an infection now? Are the scans that I've already done sufficient to show that my system is clean? The only thing that seems to make any sense is that Opera let the PDFs onto my computer, but they're either duds or they weren't able to exploit my installation of Acrobat (maybe they're targeted specifically at Reader?) -- unless it caused a really stealthy infection that none of the scanners detected. In any case, I don't get why only VIPRE reported an infection in the PDFs.
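One way to get at the first questions in the post above (does the PDF carry script, is it wired to run on open, and is it the same file the scanners saw) without opening it in a viewer is a static triage of the file. The script below is an added example, not code from this thread or from BleepingComputer: it hashes the file, compares the MD5 against the two hashes quoted in the post, counts the PDF names that drive-by documents of this era depend on (/JS, /JavaScript, /OpenAction, /AA, /XFA and so on), and decodes #xx-escaped names and inflates FlateDecode streams so that the obfuscation mentioned later in the thread cannot hide them. The two sample PDFs it builds are constructed for the example and are not the files from the thread.

```python
"""Static triage of a suspicious PDF without opening it in a viewer.

Added example, not code from the thread: the kind of check tools such as
pdfid perform, written from scratch here.
"""
import hashlib
import json
import re
import sys
import zlib

# MD5s quoted in the post (the two files found in Opera's temporary_downloads).
MD5_WATCHLIST = frozenset({
    "580b03c00c50a8254376e31b1506161c",
    "6aeae67d4d1784be91d462c637862b50",
})

# Names worth counting. /XFA is included because CVE-2010-0188 exploit
# documents carried their payload inside an XFA form.
SUSPICIOUS_NAMES = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
                    b"/XFA", b"/AcroForm", b"/EmbeddedFile", b"/RichMedia")

# Fragments typical of exploit JavaScript once a stream has been inflated.
JS_HINTS = (b"unescape(", b"eval(", b"util.printf", b"String.fromCharCode",
            b"app.setTimeOut", b"this.getField")

NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]*")
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def unescape_name(token: bytes) -> bytes:
    """PDF allows #xx hex escapes in names, so /J#61vaScript is the same
    name as /JavaScript. Decode them so a match cannot be dodged."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), token)


def normalise(data: bytes) -> bytes:
    """Rewrite every name token in its canonical (unescaped) spelling."""
    return NAME_TOKEN.sub(lambda m: unescape_name(m.group(0)), data)


def inflate_streams(data: bytes) -> list:
    """Inflate every stream zlib will decode; a truncated stream yields the
    prefix that decodes, a non-Flate stream (e.g. an image) is skipped."""
    out = []
    for m in STREAM.finditer(data):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return out


def count_names(data: bytes) -> dict:
    """Count each suspicious name, requiring a delimiter after it so that
    /JS does not also match an unrelated name such as /JSX."""
    counts = {}
    for name in SUSPICIOUS_NAMES:
        pattern = re.escape(name) + rb"(?=[\s/\[\]<>(){}%]|$)"
        hits = len(re.findall(pattern, data))
        if hits:
            counts[name.decode()] = hits
    return counts


def triage(data: bytes) -> dict:
    """Hashes, size, flagged names (raw file plus inflated streams),
    JavaScript hints and a one-line verdict for one PDF."""
    inflated = b"\n".join(inflate_streams(data))
    names = count_names(normalise(data) + b"\n" + normalise(inflated))
    hints = sorted(h.decode() for h in JS_HINTS if h in data or h in inflated)
    md5 = hashlib.md5(data).hexdigest()
    scripted = bool({"/JS", "/JavaScript"} & names.keys()) or bool(hints)
    auto_exec = bool({"/OpenAction", "/AA"} & names.keys())
    if scripted and auto_exec:
        verdict = "suspicious: script wired to run on open"
    elif scripted or {"/XFA", "/Launch"} & names.keys():
        verdict = "review: active content present"
    else:
        verdict = "no active content found"
    return {
        "md5": md5,
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "on_watchlist": md5 in MD5_WATCHLIST,
        "names": names,
        "js_hints": hints,
        "verdict": verdict,
    }


def build_sample_pdf(with_js: bool) -> bytes:
    """Constructed test input, not one of the files from the thread: a minimal
    PDF; with_js=True adds an /OpenAction that runs JavaScript kept in a
    FlateDecode stream, with the /JavaScript name hex-escaped."""
    script = b"var s = unescape('%41'); app.alert(s);"
    packed = zlib.compress(script)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R"
        + (b" /OpenAction 4 0 R" if with_js else b"") + b" >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
    ]
    if with_js:
        objects.append(b"<< /S /J#61vaScript /JS 5 0 R >>")
        objects.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
                       + packed + b"\nendstream")
    pdf = b"%PDF-1.4\n"
    for num, body in enumerate(objects, 1):
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf(True)
    print(json.dumps(triage(target), indent=2))
```

Run it as `python pdf_triage.py 1132.PDF`; with no argument it triages the constructed sample. A clean result from a scan like this only shows that the file carries no detectable active content; it says nothing about whether the viewer that opened it was exploited, which is a question of the viewer's version against the vendor's bulletin and of what ran on the machine afterwards.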



#2 ThunderZ
  • Deactivated
  • 4,454 posts

Posted 29 December 2010 - 08:48 PM

Regarding the .pdf downloads: it sounds like the links were direct download links, not links to web pages. Did you ever view the actual pages in the background tab(s)?

As far as the malware, possibly a FP if only one out of 42 reported it as a virus.

Will leave further troubleshooting/scanning up to a Malware Team Member.

#3 AllTheTime
  • Topic Starter
  • Members
  • 3 posts

Posted 30 December 2010 - 07:55 AM

Thanks for your reply. Yes, I viewed them, they were web pages. So no, they weren't direct download links. I actually often purposely avoid clicking links to PDFs from search results because I know there are security issues. Google points out when a result is a PDF, and I often use the Quick View link to see the content in HTML instead. I could post the links to the 4 web pages here, I just don't want to set anyone up to unwittingly click on them and run into a problem.

#4 AllTheTime
  • Topic Starter
  • Members
  • 3 posts

Posted 05 January 2011 - 08:12 PM

Can anyone offer any insight on this?

#5 Yousaif
  • Members
  • 2 posts

Posted 03 March 2011 - 03:04 PM

There is a large wave of malicious PDF files out there lately that are exploiting holes in Adobe Reader.

The reference to the exploit is CVE-2010-0188.

Make sure that you have the newest version of PDF Reader (9.4.2 current or 10.1) or an alternate reader like Foxit.

Another thing you can do to prevent it is to disable JavaScript in Adobe Reader.

The files are usually very small, about 16 KB in size or so, and often have text in them that is from Dante's Inferno, though you can only see one line of it that streams off the edge of the page.

EDIT: forgot to mention that you can upload files of this type to Wepawet's site and it will scan them in a sandbox. Usually they show results as being malicious, though I haven't seen Wepawet pull the script cleanly. It's pretty tough to pull the script as it stands now, as it uses interesting obfuscation.

Edited by Yousaif, 03 March 2011 - 03:16 PM.
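The registry values behind the "disable JavaScript" advice in the post above, as an added example rather than something from the post. The product segment (Acrobat Reader) and version segment (9.0) of the keys are assumptions for Reader 9.x; the desktop Acrobat product, which is what the thread starter has, keeps the same preference under Software\Adobe\Adobe Acrobat\<version>\JSPrefs. The per-user value is what unchecking Edit > Preferences > JavaScript > Enable Acrobat JavaScript writes; the FeatureLockDown value is the administrator-enforced form that the user cannot switch back on from the Preferences dialog.

```reg
Windows Registry Editor Version 5.00

; Per-user preference (assumed path for Reader 9.x): JavaScript off.
[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs]
"bEnableJS"=dword:00000000

; Machine-wide lockdown (assumed path for Reader 9.x): JavaScript off and
; the setting greyed out for every user.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown]
"bDisableJavaScript"=dword:00000001
```

Import with `reg import disable-reader-js.reg` (the HKLM key needs an administrator account), then confirm in the Preferences dialog that the checkbox is cleared and, for the lockdown value, disabled.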




