NEWS FROM THE LAB - Monday, June 2, 2008

Creating Malicious PDF Files Posted by Mikko @ 19:46 GMT

Yesterday's post discussed a mystery PDF file that was booby trapped to drop a backdoor.

Today we'll look at how these documents are created.

Here's an example of a tool called Y08-40 aka GenMDB.

When run, it displays this user interface:

y08-04 by Noble

The apparent purpose of this tool is to create trojanized PDF files. You select which EXE you want to embed, which PDF file you want to trojanize, and which platform you expect the victim to be using.
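As an added defender-side example (not from the post or from the GenMDB tool), here is a Python triage check for PDFs that carry an embedded Windows executable, the kind of file the tool described above produces: it flags attachment and action names and looks for a PE header inside raw or FlateDecode streams. The indicator list, the `build_sample_pdf` helper and the `FAKE_PE` stand-in are constructed for this example; a real trojanized PDF may use other techniques, so a clean result is only a first pass.

```python
import re
import zlib

# Cheap triage indicators. None proves malice by itself (PDF legitimately
# supports attachments and scripts), but an EXE inside a document is a strong
# signal that the file should be quarantined for analysis.
SUSPICIOUS_NAMES = (b"/EmbeddedFile", b"/Launch", b"/JavaScript", b"/OpenAction")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\0\0"


def triage_pdf(pdf: bytes) -> dict:
    """Scan a PDF byte buffer and return the indicators found plus a verdict."""
    findings = {"names": [n.decode() for n in SUSPICIOUS_NAMES if n in pdf],
                "pe_streams": 0}
    for match in STREAM_RE.finditer(pdf):
        raw = match.group(1)
        candidates = [raw]
        try:
            # FlateDecode streams; zlib.decompress ignores the trailing EOL bytes
            candidates.append(zlib.decompress(raw))
        except zlib.error:
            pass
        if any(looks_like_pe(c) for c in candidates):
            findings["pe_streams"] += 1
    if findings["pe_streams"]:
        findings["verdict"] = "embedded executable"
    elif findings["names"]:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "clean"
    return findings


def build_sample_pdf(payload: bytes, compress: bool = True) -> bytes:
    """Constructed test data: a minimal PDF carrying payload as an /EmbeddedFile stream."""
    body = zlib.compress(payload) if compress else payload
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /EmbeddedFile " + filt + b"/Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")


# Constructed stand-in for an EXE: DOS header with e_lfanew = 0x40, then the PE signature.
FAKE_PE = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 16
```

Run `triage_pdf(open(path, "rb").read())` on a suspect file; anything other than "clean" is worth a closer look in a sandbox.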

Cool. Now, the real question is this: How on earth did we get our hands on such a tool?

You'd never guess it.

We received it inside a trojanized PDF file.

Here's what we believe happened:

Someone, somewhere was using this tool for the first time.

They did a test run, selecting a random PDF file and a random EXE to create a trojanized PDF, just as a test.

As a random EXE, they selected — wait for it — GenMDB.EXE itself!

Then the perpetrator was probably curious to find out if the trojan PDF would be detected by virus scanners or not.

So he uploaded the trojanized PDF to an online scanner.

Hey, thanks. Keep up the good work.