

The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor - yread
https://www.securelist.com/en/blog/208194129/The_MiniDuke_Mystery_PDF_0_day_Government_Spy_Assembler_Micro_Backdoor

======
justanother
Intriguing article about dissection of an advanced piece of malware that
exploits a 0day PDF vulnerability. The punchline comes at the bottom of the
article, which instructs us to click a link to read a PDF for more
information.

~~~
lispm
The vulnerability is in Adobe Reader. PDF is a file format and there are other
readers.

~~~
cschmidt
Are other readers more secure? Which would you recommend? I'm sure Adobe
Reader gets more attention from the bad guys, because of market share. Is
Apple's Preview any better (that's what I usually use)?

~~~
vy8vWJlco
It's hard to beat a static PNG via the browser, rendered from Far Far Away, on
Google's servers...

[https://docs.google.com/viewer?embedded=true&url=https:/...](https://docs.google.com/viewer?embedded=true&url=https://www.securelist.com/en/downloads/vlpdfs/themysteryofthepdf0-dayassemblermicrobackdoor.pdf)

Given the volume of PDFs Google must render, I wonder if they have had any
security issues from the service.

~~~
kordless
Yeah, because the image viewers are always secure, right?
[http://technet.microsoft.com/en-us/security/bulletin/MS09-06...](http://technet.microsoft.com/en-us/security/bulletin/MS09-062)

~~~
apendleton
As far as this discussion is concerned, yes. Exploiting a vulnerability that
requires specially-crafted images isn't practical if the images are being
generated by Google. You would need to find a vulnerability in Google's PDF
renderer that let you cause it to generate an image that contained an
additional exploit mechanism that would take advantage of the GDI bug. Sounds
highly improbable.
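
Whatever reader one settles on, the practitioner's first step with an untrusted PDF is static triage before any renderer touches it. The following is an added example for this thread, not code from the Securelist article or its authors: a minimal scanner for the PDF features exploit documents most often rely on. It decodes the `#xx` hex escapes that PDF name syntax allows (so `/J#61vaScript` is still recognised as `/JavaScript`) and inflates FlateDecode streams so names hidden inside compressed streams are seen as well. The name list, the scoring and the sample PDF are all constructed for the example and are a heuristic, not a signature for the malware discussed here.

```python
"""Static triage of a PDF before it is opened in any reader.

Added example for this thread (not code from the article or its authors).
The sample PDF at the bottom is constructed for the example.
"""
import re
import zlib

# Names worth a second look. /OpenAction and /AA are triggers; the rest are
# payload carriers. Triage heuristic only, not a signature for any one sample.
RISKY_NAMES = (
    "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
    "/EmbeddedFile", "/RichMedia", "/ObjStm", "/XFA",
)

# A PDF name token: '/' followed by regular characters (no whitespace/delimiters).
_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# PDF allows any byte inside a name to be written as #xx.
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
# stream ... endstream bodies (binary, often compressed).
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_name(raw: bytes) -> bytes:
    """Undo #xx escapes inside a name token."""
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def _texts_to_scan(data: bytes):
    """Yield the object dictionaries (stream bodies blanked out), then each
    stream body: inflated when it is zlib/Flate data, raw otherwise."""
    yield _STREAM_RE.sub(b"stream\nendstream", data)
    for m in _STREAM_RE.finditer(data):
        body = m.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body  # not Flate (or corrupt); other filters are not handled here


def scan_pdf_bytes(data: bytes) -> dict:
    """Count risky names (after de-escaping) and flag auto-triggered active content."""
    counts = {name: 0 for name in RISKY_NAMES}
    obfuscated = []
    for text in _texts_to_scan(data):
        for m in _NAME_RE.finditer(text):
            raw = m.group(0)
            clean = normalize_name(raw)
            name = clean.decode("latin-1")
            if name in counts:
                counts[name] += 1
                if clean != raw:  # the name only matched after de-escaping
                    obfuscated.append(raw.decode("latin-1"))
    triggers = counts["/OpenAction"] + counts["/AA"]
    active = counts["/JavaScript"] + counts["/JS"] + counts["/Launch"] + counts["/RichMedia"]
    return {
        "has_header": data.startswith(b"%PDF-"),
        "features": {k: v for k, v in counts.items() if v},
        "obfuscated_names": obfuscated,
        "auto_exec": triggers > 0 and active > 0,
    }


def triage_verdict(report: dict) -> str:
    if not report["has_header"]:
        return "not a PDF (no %PDF- header)"
    if report["auto_exec"] or report["obfuscated_names"]:
        return "suspicious: auto-triggered or obfuscated active content"
    if report["features"]:
        return "review: active content present but not auto-triggered"
    return "no risky features found"


# Constructed sample: an /OpenAction pointing at a JavaScript action whose /S
# name is hex-escaped, plus a Flate-compressed stream carrying a /Launch
# dictionary (simplified: a real /ObjStm body starts with an offset table).
_HIDDEN_OBJ = b"5 0 obj\n<< /S /Launch /F (cmd.exe) >>\nendobj\n"
_DEFLATED = zlib.compress(_HIDDEN_OBJ)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    + b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    + b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n"
    + b"4 0 obj\n<< /S /J#61vaScript /JS (app.alert('hi');) >>\nendobj\n"
    + b"6 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_DEFLATED)).encode() + b" >>\nstream\n" + _DEFLATED + b"\nendstream\nendobj\n"
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    rep = scan_pdf_bytes(data)
    print(rep)
    print(triage_verdict(rep))
```

On the constructed sample the scanner reports `/OpenAction`, `/JavaScript` (found only after de-escaping `/J#61vaScript`), `/JS`, `/ObjStm` and the `/Launch` hidden in the compressed stream, and the verdict is "suspicious". A grep for `/JavaScript` on the raw bytes would have missed two of those. The caveats are the usual ones for static triage: filters other than FlateDecode are not inflated here, encrypted PDFs hide everything, and the absence of these names says nothing about a parser bug in the font or image code paths that a real 0-day may target.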

------
EvanAnderson
I found the use of Twitter and Google as dead drops interesting. They're both
easy channels to disrupt to prevent the malware from receiving instructions,
though.

I used to speculate in conversation that USENET was just about the best dead
drop on the net (actually, I think I heard Bruce Schneier make such a
reference in a talk on tradecraft he gave at DefCon one year) being so
decentralized. With the decline of USENET I've been hard-pressed to think of a
decentralized, distributed dead drop mechanism that malware could make use of.

~~~
roc
The problem with even decentralized things like USENET is that when so few
legitimate users leverage a thing, it stands out in traffic analysis.

Google and Twitter are great precisely because so many people use them. And if
the authors had the sense to keep the search terms region/topic-specific the
traffic would be nearly impossible to notice or filter, without the benefit of
hindsight.
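
What survives even a well-chosen search term is the behaviour of the requesting host: one client issuing the same query on a fixed schedule that nobody else in the organisation issues. The following is an added example for this thread, not code from the article: it scores every (client, host, path, query) tuple seen in a web proxy log on hit count, regularity of the gaps between hits, and how many distinct clients share that exact target. The log format, the IPs, the query strings, the timestamps and the thresholds are all constructed for the example.

```python
"""Spotting a scheduled dead-drop lookup on a popular service in proxy logs.

Added example for this thread (not code from the article). The proxy log,
hosts, clients, queries and thresholds below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed log: "<ISO timestamp> <client IP> <method> <URL>".
# 10.1.1.7 polls one Twitter search every 30 minutes (dead-drop pattern);
# 10.1.1.9 and 10.1.1.12 share a regular but legitimate weather search;
# everything else is ordinary, irregular browsing.
PROXY_LOG = """\
2013-02-27T09:00:02 10.1.1.7 GET https://twitter.com/search?q=%23example%20weather%20report
2013-02-27T09:00:41 10.1.1.7 GET https://www.google.com/
2013-02-27T09:05:00 10.1.1.9 GET https://twitter.com/home
2013-02-27T09:06:30 10.1.1.9 GET https://twitter.com/home
2013-02-27T09:12:00 10.1.1.9 GET https://www.google.com/
2013-02-27T09:15:00 10.1.1.9 GET https://www.google.com/search?q=weather
2013-02-27T09:15:00 10.1.1.12 GET https://www.google.com/search?q=weather
2013-02-27T09:30:03 10.1.1.7 GET https://twitter.com/search?q=%23example%20weather%20report
2013-02-27T09:45:00 10.1.1.9 GET https://www.google.com/search?q=weather
2013-02-27T09:45:00 10.1.1.12 GET https://www.google.com/search?q=weather
2013-02-27T09:47:10 10.1.1.7 GET https://www.google.com/
2013-02-27T10:00:01 10.1.1.7 GET https://twitter.com/search?q=%23example%20weather%20report
2013-02-27T10:05:55 10.1.1.7 GET https://www.google.com/
2013-02-27T10:15:00 10.1.1.9 GET https://www.google.com/search?q=weather
2013-02-27T10:15:00 10.1.1.12 GET https://www.google.com/search?q=weather
2013-02-27T10:30:04 10.1.1.7 GET https://twitter.com/search?q=%23example%20weather%20report
2013-02-27T10:40:00 10.1.1.9 GET https://twitter.com/home
2013-02-27T10:45:00 10.1.1.9 GET https://www.google.com/search?q=weather
2013-02-27T10:45:00 10.1.1.12 GET https://www.google.com/search?q=weather
2013-02-27T11:00:02 10.1.1.7 GET https://twitter.com/search?q=%23example%20weather%20report
2013-02-27T13:15:00 10.1.1.9 GET https://twitter.com/home
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client, host, path, query)."""
    ts, client, _method, url = line.split(maxsplit=3)
    u = urlsplit(url)
    return datetime.fromisoformat(ts), client, u.netloc, u.path, u.query


def score_beacons(lines, min_hits=4, max_cv=0.2, max_clients=1, key_on_query=True):
    """Return one alert per target that one client polls on a steady schedule.

    cv is the coefficient of variation of the gaps between requests: 0 for a
    perfectly regular poll, large for human browsing. A randomised sleep in
    the implant raises cv, but the uniqueness test (max_clients) still holds;
    key_on_query=False groups on host+path for implants that rotate the term.
    """
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, host, path, query = parse_line(line)
        hits[(client, host, path, query if key_on_query else "")].append(ts)

    # How many distinct clients request each exact target: a dead drop is
    # usually one implant's private URL, a dashboard widget is everyone's.
    clients_per_target = defaultdict(set)
    for client, host, path, query in hits:
        clients_per_target[(host, path, query)].add(client)

    alerts = []
    for (client, host, path, query), stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        n_clients = len(clients_per_target[(host, path, query)])
        if cv <= max_cv and n_clients <= max_clients:
            alerts.append({
                "client": client, "host": host, "path": path, "query": query,
                "hits": len(stamps), "period_s": avg, "cv": cv, "clients": n_clients,
            })
    return sorted(alerts, key=lambda a: (a["cv"], -a["hits"]))


if __name__ == "__main__":
    for alert in score_beacons(PROXY_LOG.splitlines()):
        print(alert)
```

On the constructed log only 10.1.1.7's Twitter search is reported: five hits, a 1800-second period, cv about 0.001, and no other client ever asks for that query. The two hosts polling the weather search are just as regular but fail the uniqueness test, and the irregular twitter.com/home visits fail the timing test. The thresholds are arbitrary starting points; in practice one tunes min_hits and max_cv against the organisation's own traffic and accepts that an implant sleeping for a random interval will only be caught by the uniqueness and volume dimensions.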

------
csmattryder
These exploits are probably child's play for most security programmers, but I
haven't the first clue how these are built, deployed, C&C'd, and it just blows
my mind how cool all these stages of control are.

Are there any recommended 'Hacking for Dummies' books for learning more about how
these things work? It's like a code version of Ocean's 11 to me!

~~~
GaveUp
I'm by no means an expert but these are some of the links/books I've found
informative.

Smashing The Stack For Fun And Profit [1]
Reversing: Secrets of Reverse Engineering [2]
The IDA Pro Book [3]

The iOS Hacker's Handbook [4] was interesting as a sort of case study on
exploiting and hacking embedded hardware.

Mostly what I've found, though, is that just starting with a question and googling
the answer yields the most results. For example, see a mention of a stack
overflow attack, google how and why stack overflow attacks work (or don't), and
once that side of things is understood the thought process behind finding them
becomes easier to understand, although not really easier to do (for me, at
least).

[1] <http://insecure.org/stf/smashstack.html>

[2] [http://www.amazon.com/Reversing-Secrets-Engineering-Eldad-Ei...](http://www.amazon.com/Reversing-Secrets-Engineering-Eldad-Eilam/dp/0764574817/)

[3] [http://www.amazon.com/IDA-Pro-Book-Unofficial-Disassembler/d...](http://www.amazon.com/IDA-Pro-Book-Unofficial-Disassembler/dp/1593272898/)

[4] [http://www.amazon.com/iOS-Hackers-Handbook-Charlie-Miller/dp...](http://www.amazon.com/iOS-Hackers-Handbook-Charlie-Miller/dp/1118204123/)

------
Scramblejams
FTA: "By analysing the logs from the command servers, we have observed 59
unique victims in 23 countries."

How does a random IT security company get logs from the command servers,
especially if they're located in Panama and Turkey, where receiving quick
cooperation from law enforcement is presumably difficult?

~~~
revelation
Well, the command server also had directory listing enabled. The bad people
just didn't bother with properly configuring their (hacked?) box.

~~~
ChuckMcM
Unclear that it was a mistake. Clearly the FBI or whoever would subpoena
records of every machine that accessed those logs, so by letting this 'leak' and
having lots of people then access the logs, the actual bad guys get a way to
access them with plausible deniability.

Like kidnapping, malware has the problem of externally visible trails that
you can't hide and still pull it off.

The story about the stuxnet C&C servers being setup as an advertising service
was clearly to throw off suspicions about random outcalls to those servers.

------
dageshi
<http://virus.wikia.com/wiki/29A>

These guys had the reputation to build something like this. The fact that a
large part of it is written in assembly, along with the style of some of the
things it's doing, makes me suspect this could be the work of members/ex-members.
I'm guessing the author of this article might be hinting at this as
well, hence highlighting that particular opcode.

But that's just my opinion, I've nothing to back it up with.

~~~
sebcat
29Ah is often used in various ways as a tribute of sorts to that group. Anyone
likely to write something like this is also likely to have "grown up" being
influenced by 29a.

Or maybe the writer just needed to align? I use 666 for dummy vals too.

------
martinced
How can users make sure they get rid once and for all of Adobe PDF reader?

It seems hardly a month goes by without a major Adobe Reader exploit.

Most importantly: can you still keep Adobe Flash (e.g. for YouTube) but
disable Adobe PDF reader and not have it re-install itself when upgrading
Flash?

~~~
elarkin
I've taken to using Chrome for Flash. It includes Pepper, a Google maintained
version of Flash. You will never be presented with an Adobe Reader prompt
again.

~~~
tomku
Pepper is NOT a "Google maintained version of Flash." Pepper is Google's newer
plugin API, and Chrome bundles a version of Flash that uses Pepper/PPAPI
rather than Netscape/Firefox's NPAPI.

For more info, check out the Wiki page on NPAPI:
<https://en.wikipedia.org/wiki/NPAPI>

