The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor (securelist.com)
72 points by yread 1693 days ago | hide | past | web | 30 comments | favorite

Intriguing article about dissection of an advanced piece of malware that exploits a 0day PDF vulnerability. The punchline comes at the bottom of the article, which instructs us to click a link to read a PDF for more information.

The vulnerability is in Adobe Reader. PDF is a file format and there are other readers.

Are other readers more secure? Which would you recommend? I'm sure Adobe Reader gets more attention from the bad guys, because of market share. Is Apple's Preview any better (that's what I usually use)?

It's hard to beat a static PNG via the browser, rendered from Far Far Away, on Google's servers...

Given the volume of PDFs Google must render, I wonder if they have had any security issues from the service.

Yeah, because the image viewers are always secure, right? http://technet.microsoft.com/en-us/security/bulletin/MS09-06...

As far as this discussion is concerned, yes. Exploiting a vulnerability that requires specially-crafted images isn't practical if the images are being generated by Google. You would need to find a vulnerability in Google's PDF renderer that let you cause it to generate an image that contained an additional exploit mechanism that would take advantage of the GDI bug. Sounds highly improbable.

It's very hard to write an exploit when executable, environment, and countermeasures are all unknown.

Have you looked at Mozilla's JavaScript PDF renderer? By rendering in the hardened JavaScript VM, it dramatically reduces attack surface.

I believe Adobe's Reader has more support for 'extensions' to PDF (e.g. embedding Flash or JavaScript) than Apple, and that these things are often attack vectors. Preview should be immune to these.

Aside from that it's mostly market share - they're different code bases, so they'd need different attacks. There is a chance of buffer overflow issues in the font decoding, image decoding, certificate processing, etc. But outside of iOS, few people have made the effort to attack non-adobe PDF Readers.

Something like Chrome or Firefox is likely to be the most secure choice. Firefox's PDF reader is written in javascript, and I believe chrome's is sitting in a process that can't do anything to your machine. But I tend to just use Preview for stuff I've downloaded, because it's fast and I like the UI.

Adobe Reader is to PDF documents in the same way that Internet Explorer is to HTML pages...

Exploits are designed to target and exploit the consuming application of the malicious file, and are not executable by the file format itself (in these particular cases at least) in any arbitrary application that can open the file.

So odds are that a 0-day exploit of Adobe Reader using a specially crafted PDF will have no effect in Apple's Preview app, or another PDF viewer (unless the apps were all using an underlying shared library and that's where the exploit lived, but I don't think this is the case here).

I use Chrome usually, just assign .pdf to load as a file:\\ but if that doesn't render, I'll try my SumatraPDF http://blog.kowalczyk.info/software/sumatrapdf/free-pdf-read... don't load if you don't like yellow!

No, there are not. FoxIt and similar 3rd party readers are not any more secure.

I found the use of Twitter and Google as dead drops interesting. They're both easy channels to disrupt to prevent the malware from receiving instructions, though.

I used to speculate in conversation that USENET was just about the best dead drop on the net (actually, I think I heard Bruce Schneier make such a reference in a talk on tradecraft he gave at DefCon one year) being so decentralized. With the decline of USENET I've been hard-pressed to think of a decentralized, distributed dead drop mechanism that malware could make use of.

The problem with even decentralized things like USENET is that when so few legitimate users leverage a thing, it stands out in traffic analysis.

Google and Twitter are great precisely because so many people use them. And if the authors had the sense to keep the search terms region/topic-specific, the traffic would be nearly impossible to notice or filter without the benefit of hindsight.

These exploits are probably child's play for most security programmers, but I haven't the first clue how these are built, deployed, C&C'd and it just blows my mind how cool all these stages of control happen.

Are there any recommended 'Hacking for Dummies' books for learning more about how these things work? It's like a code version of Ocean's 11 to me!

I'm by no means an expert but these are some of the links/books I've found informative.

Smashing The Stack For Fun And Profit [1]
Reversing: Secrets of Reverse Engineering [2]
The IDA Pro Book [3]

The iOS Hacker's Handbook [4] was interesting as a sort of case study on exploiting and hacking embedded hardware.

Mostly what I've found, though, is that just starting with a question and googling the answer yields the most results. For example, if you see a mention of a stack overflow attack, google how and why stack overflow attacks work (or don't), and once that side of things is understood the thought process behind finding them becomes easier to understand, although not really easier to do (for me, at least).

[1] http://insecure.org/stf/smashstack.html

[2] http://www.amazon.com/Reversing-Secrets-Engineering-Eldad-Ei...

[3] http://www.amazon.com/IDA-Pro-Book-Unofficial-Disassembler/d...

[4] http://www.amazon.com/iOS-Hackers-Handbook-Charlie-Miller/dp...

I'm a network security analyst. Either of these two books would be a good place to start. Also, if you are looking for a decent community for this type of thing, visit reddit.com/r/netsec.

Hacking: The Art of Exploitation, 2nd Edition

Hacking Exposed 7

This next site is basically YouTube for security conferences. They also offer some online courses on writing exploits in assembly and Python, but not all of them are free.

Computer security is just like programming, you can obtain a world class education for free, from the Internet. You just have to know where to look.

I haven't read the books that the other guys mentioned, but I've seen them recommended so often that I'd bet they're worth a read as well.

What I find interesting is that the specifics of how the hack works are usually less interesting than the concept. Like in this case - the exploit I'm sure has been built on a lot of previous exploit-thinking and they simply found a little avenue to get a toehold onto these systems. All the really interesting stuff comes next, from the uniqueness of how complicated and resilient the attack is. Most malware is a numbers game and simply blasts computers in order to install toolbars for profit or whatever. Targeted malware like this is interesting because you can suss out the intent from the choices made.

For example: they really, really didn't want to be detected. Carefully constructed PDFs made to look as innocent as possible. Custom code for every computer makes the hack harder to profile. Tiny, tiny downloader.

Second, the command center approach. Command centers started out as IRC channels for botnets, but are easy to break up once you know the IRC channel name. So there was a lot of thought put into making the command center resilient to shutdown or takeover attempts. In other words, each node can be controlled and rerouted separately. The one error was the log that allowed the security people to see a list of controlled computers - that is a mistake that will probably be fixed in the future.

So for me this is interesting to watch at each step how the hacks are getting more complicated on all levels: the exploit, the control center and the unseen side of it - data gathering/analysis.

I picked up "silence on the wire" which felt like a good introduction to tcp level penetration.

FTA: "By analysing the logs from the command servers, we have observed 59 unique victims in 23 countries."

How does a random IT security company get logs from the command servers, especially if they're located in Panama and Turkey, where receiving quick cooperation from law enforcement is presumably difficult?

Looks like they left the connection logs on a public folder on one of the web command/control servers. From the PDF -

The C2s maintain a detailed, encoded log of the victims connecting to the servers. The logs are available to anyone who knows the exact filename. By collecting the logs from all the known command servers, we’ve discovered connections from several high profile networks belonging to ...

Well, the command server also had directory listing enabled. The bad people just didn't bother with properly configuring their (hacked?) box.

Unclear that it was a mistake. Clearly the FBI or whoever would subpoena records of every machine that accessed those logs, so letting this 'leak' and having lots of people then access the logs gives the actual bad guys a way to access them with plausible deniability.

Like kidnapping, malware has the problem of externally visible trails that you can't hide and still pull it off.

The story about the Stuxnet C&C servers being set up as an advertising service was clearly to throw off suspicions about random outcalls to those servers.

These guys had the reputation to build something like this. The fact that a large part of it is written in assembly, along with the style of some of the things it's doing, makes me suspect this could be the work of members/ex-members. I'm guessing the author of this article might be hinting at this as well, hence highlighting that particular opcode.

But that's just my opinion, I've nothing to back it up with.

29Ah is often used in various ways as a tribute of sorts to that group. Anyone likely to write something like this is also likely to have "grown up" being influenced by 29a.

Or maybe the writer just needed to align? I use 666 for dummy vals too.

How can users make sure they get rid once and for all of Adobe PDF reader?

It seems hardly a month goes by without a major Adobe Reader exploit.

Most importantly: can you still keep Adobe Flash (e.g. for YouTube) but disable Adobe PDF reader and not have it re-install itself when upgrading Flash?

Uninstall it. I'm not sure exactly what you're suggesting with your last line, but I have never heard of Acrobat Reader "re-installing itself" when upgrading Flash.

Edit: Just gave it a shot, installed and uninstalled Acrobat Reader 11, then updated Flash. Adobe Reader did not "re-install" itself and there was no prompt to install it.

I've lived without Flash for 2 years. It's not so hard anymore now that YouTube uses HTML5 videos.

I've taken to using Chrome for Flash. It includes Pepper, a Google maintained version of Flash. You will never be presented with an Adobe Reader prompt again.

Pepper is NOT a "Google maintained version of Flash." Pepper is Google's newer plugin API, and Chrome bundles a version of Flash that uses Pepper/PPAPI rather than Netscape/Firefox's NPAPI.

For more info, check out the Wiki page on NPAPI: https://en.wikipedia.org/wiki/NPAPI
