today i discovered a mail at my client from domain v-kamen.ru with ip 18.104.22.168 (St Petersburg, Russia… but who knows who controls this server/computer? maybe the Russians maybe the Chinese maybe the Americans… we don’t know and no fast finger pointing here please)
which did not contain a lot of text, just a wvMwB.pdf
you can have the original file here: pwd for encrypted.rar is: evil
sha512sum is: 5f2e55464a2af6fcb5e59ac8eb068b869118b4e2ead62247ed9c7358497bf38bfb5da452df50cb880b38e7773aea406cd6eb36bd7f07f67fa5e1f6a1ef75eebe
this time i was lucky, the virus scanner detected evil in the PDF before it could trigger / cause any problems.
also it is a virtual machine that i just took a powered down snapshot off, so i can reset to this state.
it just shows…. if vendors implement too much features (that probably 99% of all users never use) they increase the attack surface for hackers and put everyone at risk that uses their products.
SaneSecurity names this virus: Sanesecurity.Malware.27643.PDFHeur.IP.UNOFFICIAL
which means it’s heuristic detected something bad… but there is no signature? GREAT.
This will happen more often in the future, because virus-spammers will just generate an „unique“ virus for every mail they send.
Simply relying on AntiVirus IS NOT ENOUGH ANYMORE (since about 10 years).
is PDF a save format/a format you can (still) trust?
can you trust PDF files?
well… i guess nothing is 100% save.
but PDFs are „generally“ more trusted than any other attachments and a lot of people use it as a default format to exchange documents – because – unlike word-stupid.doc(x) and excel.xls(x) they can not contain makros.
But what else can they contain? Can evil code/runnable binaries be embedded into PDF?
PDFs SHOULD consist of xml-style text and pictures.
that might be a mistake, because Adobe allows to include other formats / files to be included into their PDFs. (BIG MISTAKE!)
„The Portable Document Format (PDF) (redundantly: PDF format) is a file format developed by Adobe in the 1990s to present documents, including text formatting and images, in a manner independent of application software, hardware, and operating systems. Based on the PostScript language, each PDF file encapsulates a complete description of a fixed-layout flat document, including the text, fonts, vector graphics, raster images and other information needed to display it. PDF was standardized as an open format, ISO 32000, in 2008, and no longer requires any royalties for its implementation.
Today, PDF files may contain a variety of content besides flat text and graphics including logical structuring elements, interactive elements such as annotations and form-fields, layers, rich media (including video content) and three dimensional objects using U3D or PRC, and various other data formats.“
What besides udpates that nobody installs on time – does Adobe do to mitigate the threat?
Adobe is a respected company – and i loved the AS 3.0 Flex Builder (not the later versions) BUT Shockwave Flash Browser plugin (almost like Java Virtual Machine) introduces a lot of security problems to your system to the point that you simply CAN NOT trust Flash.swf files from any source – basically making it necessary to while-list your internet access to the only trusted IPs. (and if those get hacked you are screwed)
WHY ON EARTH WOULD A PRINTER (PostScript PDF was designed for PRINTERS!) WOULD WANT TO START AN EXTERNAL APPLICATIONS?
SERIOUSLY? (unless it is a corrupt and evil one… or it has developed AI of it’s own and gone rogue)
NO SERIOUSLY ADOBE WITH ALLOWING SUCH NON SENSE YOU PUT THE WHOLE WORLD THAT USES YOUR FORMATS AT RISK!
MORE SECURITY PLEASE!
complete mail source:
Return-path: <SRS0=wJveLSrJ=QFfirstname.lastname@example.org> Envelope-to: email@example.com Delivery-date: Tue, 29 Jan 2019 02:40:37 +0100 Received: from [22.214.171.124] (helo=v-kamen.ru) by www314.your-server.de (envelope-from <firstname.lastname@example.org>) id 1goIO7-0001t7-RT for email@example.com; Tue, 29 Jan 2019 02:40:37 +0100 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mail; d=v-kamen.ru; h=Message-ID:From:To:Subject:Date:MIME-Version:Content-Type; bh=IOMPXUQiGPg8SauCb5SSycecNQY=; b=uJ/MdgtWVD3uikR+x+04KD2eDlvVyem12xJSVeATUvpTXQQa7vKga2i8JA8LxhI7Po6LaB/BjYqU MTBvAiBFE7jYHPQa6CgKpS08PWXv9fOkcKpBuRXFi4Rs9pXq2AN4kDjy6UDzV5JKS7uwH7arMDRd GwgSsGA7PVOlMKTDYwsjmxRYIZdzo6HzHIs4nqttrOVxRLcUxnyrnVKPxzR/Ava44zccwuJthJqp rVFZ/ng0Q6a1iH6K6Rj7Djzx6Y3yv46sWnxhEh2wiHOCAPlE0aoFsDhvDCf3oCy6U3ythYNCZ19z Pq+Z8+tiDEGMpxDPLipRYuiOwdCvwDd9YN3ECQ== Message-ID: <firstname.lastname@example.org> From: "Michael Parris" <email@example.com> To: <firstname.lastname@example.org> Subject: Nguyen Manh Thang Date: Tue, 29 Jan 2019 04:40:19 +0300 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="8b71186231e5ca598580c9775387b57def7f" X-DKIM-Status: pass [(v-kamen.ru) - 126.96.36.199] X-Virus-Scanned: Clear (ClamAV 0.100.2/25339/Mon Jan 28 19:32:47 2019) X-Spam-Score: 0.9 (/) Delivered-To: email@example.com --8b71186231e5ca598580c9775387b57def7f Content-Type: multipart/alternative; boundary="aa723bb795e6ccc5797cca668084aebabce733" --aa723bb795e6ccc5797cca668084aebabce733 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable MD Shahjahan Mallick --aa723bb795e6ccc5797cca668084aebabce733 Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable
--aa723bb795e6ccc5797cca668084aebabce733-- --8b71186231e5ca598580c9775387b57def7f Content-Type: application/octet-stream; name="wvMwB.pdf" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="wvMwB.pdf".... MDAwMDE3MTUgMDAwMDAgbiAKMDAwMDAwMTg2MiAwMDAwMCBuIAowMDAwMDAyMDgzIDAwMDAwIG4g CjAwMDAwMDI0MzQgMDAwMDAgbiAKMDAwMDAwMjY5NCAwMDAwMCBuIAowMDAwMDAyODQ4IDAwMDAw IG4gCjAwMDAwMDMwNzQgMDAwMDAgbiAKMDAwMDAxMTQwOCAwMDAwMCBuIAp0cmFpbGVyCjw8Ci9J RFs8MTlERTgyNDMwRDE1NDk0RjkxNUVDQkQyNjJBQjBGQzQ+PDE5REU4MjQzMEQxNTQ5NEY5MTVF Q0JEMjYyQUIwRkM0Pl0KL0luZm8gMSAwIFIKL1Jvb3QgMiAwIFIKL1NpemUgMTgKPj4Kc3RhcnR4 cmVmCjIzNTU3CiUlRU9GCg== --8b71186231e5ca598580c9775387b57def7f--
whois 188.8.131.52 % This is the RIPE Database query service. % The objects are in RPSL format. % % The RIPE Database is subject to Terms and Conditions. % See http://www.ripe.net/db/support/db-terms-conditions.pdf % Note: this output has been filtered. % To receive output for a database update, use the "-B" flag. % Information related to '184.108.40.206 - 220.127.116.11' % Abuse contact for '18.104.22.168 - 22.214.171.124' is 'firstname.lastname@example.org' inetnum: 126.96.36.199 - 188.8.131.52 netname: SELECTEL-NET descr: Selectel MSK country: RU admin-c: CMH-RIPE admin-c: KS9134-RIPE tech-c: SA32710-RIPE status: ASSIGNED PA remarks: mnt-by: MNT-SELECTEL created: 2016-05-23T13:16:19Z last-modified: 2017-04-17T17:13:30Z source: RIPE role: SELECTEL-NOC address: Russia, Saint-Petersburg, Cvetochnaya st. 21 admin-c: CMH-RIPE admin-c: KS9134-RIPE tech-c: CMH-RIPE tech-c: KS9134-RIPE nic-hdl: SA32710-RIPE mnt-by: mnt-selectel created: 2015-01-19T15:40:16Z last-modified: 2019-04-15T10:47:55Z source: RIPE # Filtered person: Cyrill Malevanov address: Selectel Ltd address: Cvetochnaya st. 21 address: 190000, Saint-Petersburg address: Russia phone: +78126778036 fax-no: +78126778036 nic-hdl: CMH-RIPE mnt-by: mnt-selectel created: 2005-10-24T12:00:08Z last-modified: 2015-01-19T15:37:28Z source: RIPE # Filtered person: Kirill Sizov address: 190000, Russia, Saint-Petersburg, Tsvetochnaya 21A phone: +78126778036 org: ORG-SL223-RIPE nic-hdl: KS9134-RIPE mnt-by: MNT-SELECTEL created: 2017-04-17T17:07:36Z last-modified: 2017-04-17T17:07:36Z source: RIPE # Filtered % Information related to '184.108.40.206/24AS50340' route: 220.127.116.11/24 descr: SELECTEL-NET-MSK origin: AS50340 mnt-by: MNT-SELECTEL created: 2018-07-03T09:20:01Z last-modified: 2018-07-03T09:20:01Z source: RIPE % This query was served by the RIPE Database Query Service version 1.94 (HEREFORD)