Today the Pushdo botnet has begun spamming mails with attached PDFs that abuse the /Launch action feature to run an executable file. We first saw spammers using this feature two weeks ago; this time, however, the attackers have worked out how to use the launch action to execute code without JavaScript and without a separately attached executable.
As with the previous attacks, the launch action runs the Windows command interpreter (cmd.exe) and passes it a list of commands. This attack uses the 'echo' command to write a VBScript file, named script.vbs, one line at a time. It then executes that file, followed by a second file named batscript.vbs.
Script.vbs opens the PDF as a text file and searches it for two positions, marked by the character sequences 'SS and 'EE. Between these two markers is the source of another VBScript, which script.vbs writes out as batscript.vbs.
When batscript.vbs runs, it creates a file called game.exe, the malicious payload, by writing 35,328 bytes from an array embedded in the script into that file. It then runs game.exe and deletes game.exe, batscript.vbs and script.vbs.
As with last time, a user who opens the doc.pdf attachment in Adobe Reader is still prompted before the file is launched, but this time the spammers have found a way to put their own text into the prompt. Instead of the name of the file to be run, the user now sees the text 'Click the "open" button to view this document.'

In Foxit Reader, a similar message box appears, but it shows the file to be run as cmd.exe. If the user clicks Open, the result is the same as in Adobe Reader and the user's PC is quickly infected.
Compared to the campaign of two weeks ago, this one is much larger in scale, and users are far more likely to encounter it. Adobe Reader users can protect themselves by opening the Edit->Preferences menu, selecting "Trust Manager" and un-checking the "Allow opening of non-PDF file attachments with external applications" box.
Coming from the Pushdo botnet, this campaign resembles its ongoing malicious campaigns, but with a different payload. Today the malicious PDF attachments sit alongside malicious EXE attachments carrying the same subject lines. The malicious PDF attachments are merely another arrow in the attacker's quiver.