
BadBIOS PDF files infection


8 replies to this topic

#1 badBiosVictim

  • Members

Posted 23 April 2014 - 09:44 PM

Today, when I clicked on one of my numerous infected PDF files using someone else's Windows computer, I was surprised Notepad opened it instead of Adobe Reader.

I use live Linux DVDs on my laptops. Booting to live PCLinuxOS FullMonty offline, I opened the PDF file with Kate. Kate displayed numerous weird characters: dominoes with characters inside, characters with dots on top of them, Asian characters and numerous white rectangles indicating white spaces. Kwrite used to warn about white spaces.

A search for malicious white spaces brought up SQL injection and PHP injection. My Linux boxes are being hacked, so I used a Windows computer to copy and paste the contents of the Kate file into pastebin. Notepad could not display the white spaces. http://pastebin.com/9LUCUbFV

This PDF file is graphical. Evince Document Viewer did not offer the option to click on edit > select all > copy and then paste into a plain text file.

Two years ago, KlamAV and ExeFilter detected numerous unreadable PDF files. I converted my text based PDF files into plain text files. Evince Document Viewer offered the option for text based PDF files to select all, copy and paste into plain text files. Then I deleted all the text based PDF files.

I searched for a graphical format that was not prone to malicious code to convert my graphical PDF files. I could not find one. I don't know how to quarantine my graphical PDF files.




#2 badBiosVictim

  • Topic Starter

Posted 26 April 2014 - 10:48 AM

Could someone please use ExeFilter or live REMnux DVD to scan my PDF file? Where can I upload it to?

#3 Didier Stevens

  • BC Advisor

Posted 26 April 2014 - 01:54 PM

Submit your PDF to http://www.virustotal.com, report back the URL of the analysis here and I will have a look.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 badBiosVictim

  • Topic Starter

Posted 26 April 2014 - 03:15 PM

Didier Stevens, thanks for offering to read a virustotal report of one of my PDF files.

Virustotal does not provide logs. Many free antivirus programs do not provide logs. Logs are essential to ascertain whether the antivirus software was able to read the file. Unfortunately, antivirus software fails to report unread files as possibly infected files.

KlamAV, xfprot and Exefilter do provide a log of every file they attempt to read. The log states whether the file was read or not. As I explained in http://www.bleepingcomputer.com/forums/t/532198/badbios-infected-word-doc/, if antivirus software cannot read a file it is either:

(1) infected;
(2) encrypted by the user or encrypted by the malware creator; or
(3) corrupted

My files can be opened, so they are not corrupted. I don't use encryption. The only cause of my files not being able to be read by antivirus software is infection.

Exefilter and the tools in live DVD of REMnux are the best for detecting malicious scripts in PDF, DOC, RTF and music files. Exefilter and the tools in live REMnux DVD are not used by Virustotal. I wish Virustotal would use them. Hence, I asked for someone to use them.

SANS Institute offers expensive classes on how to use the tools in REMnux. I don't have the prerequisites to take the class.

Do you know how or are you willing to learn how to use ExeFilter and REMnux?

#5 Didier Stevens

  • BC Advisor

Posted 26 April 2014 - 03:25 PM

    Exefilter and the tools in live DVD of REMnux are the best for detecting malicious scripts in PDF, DOC, RTF and music files. Exefilter and the tools in live REMnux DVD are not used by Virustotal. I wish Virustotal would use them. Hence, I asked for someone to use them.

Quoted from http://zeltser.com/remnux/ :

    Analyze malicious documents: Didier Steven's PDF tools, ... (sic)


Edited by Didier Stevens, 26 April 2014 - 03:26 PM.



#6 badBiosVictim

  • Topic Starter

Posted 26 April 2014 - 03:25 PM

Didier Stevens, I just read at http://44con.com/training/2014/hacking-pdf.html that you "developed several tools to help with the analysis of malicious PDF documents." Congratulations!

Are the forensic PDF tools you developed used by Virustotal? If not, where is a description of your tools and how can they be purchased? Or do people have to take your class? Your class sounds very interesting.

If your tools are not used by virustotal, I would prefer to upload my PDF file on bleepingcomputer's website or some other website so you could use the tools you created.
Thanks.

#7 Didier Stevens

  • BC Advisor

Posted 26 April 2014 - 03:29 PM

PDFiD runs on VirusTotal:

https://www.virustotal.com/en/about/credits/




#8 Didier Stevens

  • BC Advisor

Posted 26 April 2014 - 03:31 PM

    Are the forensic PDF tools you developed used by Virustotal? If not, where is a description of your tools and how can they be purchased? Or do people have to take your class? Your class sounds very interesting.

Yes, PDFiD runs on VirusTotal: https://www.virustotal.com/en/about/credits/

My tools are free: http://blog.didierstevens.com/programs/pdf-tools/


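The PDFiD approach named in the posts above and the "unread by the scanner means infected, encrypted or corrupted" reasoning from post #4, as an added example that is neither the page's nor Didier Stevens's code: a small Python triage that counts a handful of PDF name keywords the way PDFiD does, resolves #xx-escaped names so an obfuscated /J#53 still counts as /JS, and reports "damaged" and "encrypted" separately from "suspicious" so a scanner's inability to read a file is not mistaken for an infection. The keyword list, the flag wording and the sample PDF bytes are constructed for this example.

```python
import re
from collections import Counter

# Subset of the name keywords PDFiD-style triage counts (a constructed list,
# not PDFiD's own): automatic actions, script carriers and encryption.
TRIAGE_KEYWORDS = frozenset({"/JS", "/JavaScript", "/OpenAction", "/AA", "/Encrypt"})
# A PDF name runs from "/" to the next whitespace or delimiter character.
_NAME = re.compile(rb"/[^\s/()<>\[\]{}%]*")
# Names may hide keywords behind #xx hex escapes, e.g. /J#53 means /JS.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Resolve #xx escapes so an obfuscated name compares equal to its plain form."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count triage keywords and record basic structure for one PDF byte string."""
    counts, obfuscated = Counter(), 0
    for match in _NAME.finditer(data):
        name = normalize_name(match.group(0))
        if name in TRIAGE_KEYWORDS:
            counts[name] += 1
            obfuscated += b"#" in match.group(0)  # keyword was hex-escaped
    return {"header": data.lstrip().startswith(b"%PDF-"),
            "eof": b"%%EOF" in data,
            "obfuscated_names": obfuscated,
            "counts": dict(counts)}


def risk_flags(report: dict) -> list:
    """Turn a triage report into the reasons a defender would escalate, if any."""
    c, flags = report["counts"], []
    if not report["header"]:
        flags.append("no %PDF header: damaged file or not a PDF at all")
    if c.get("/Encrypt"):
        flags.append("/Encrypt present: a scanner may fail to read it without any infection")
    if (c.get("/OpenAction") or c.get("/AA")) and (c.get("/JS") or c.get("/JavaScript")):
        flags.append("script runs automatically on open (/OpenAction or /AA with JavaScript)")
    if report["obfuscated_names"]:
        flags.append("hex-escaped keywords: obfuscation is rare in legitimate documents")
    return flags


# Constructed sample: a tiny PDF whose catalog opens a JavaScript action,
# with the /JS key written as /J#53 to slip past a naive keyword grep.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /S /JavaScript /J#53 (x) >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
```

Run `risk_flags(triage_pdf(open(path, "rb").read()))` on a real file; the white rectangles and odd glyphs a text editor shows for a PDF are just its binary stream data, and this triage ignores them entirely.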


#9 Blade

  • Site Admin

Posted 26 April 2014 - 05:58 PM

You already have a topic open on this issue located here: http://www.bleepingcomputer.com/forums/t/532198/badbios-infected-word-doc/

To prevent confusion we do not permit multiple topics on the same issue to run concurrently. As such, this topic is now closed. Please direct any further replies regarding this issue to the topic linked above.

~Blade
Forum Administrator

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM