
FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation


3 posts from June 2010

World's Smallest PDF

About That PDF Thing

At PH-Neutral, I recently presented a bunch of information about how no two PDF readers will see a PDF file in the same way. Which is useful if you're trying to sneak an exploit past a smart A/V scanner. [Unfortunately, most A/V scanners are not even smart enough to find an exploit sitting in easy-to-read plaintext at the top of a well-formed file.]

Someone took a picture of one of my slides, which has been quite popular, based upon the number of retweets and views.

So, I'll explain how this works, for the benefit of everyone who wasn't there at the time…


Mariposa Still Alive

In March earlier this year, Spanish police arrested three men linked to the Mariposa botnet. After this move it was widely believed that the massive botnet had shut down. From what I have seen over the last week, that is not the case. Some Mariposa CnCs are still active and spreading. The screenshot below is a snapshot of a Mariposa sample (ad7a5b6755089ba83001f224a7067ec1) communicating to its CnC. On this occasion it received a command to spread through USB.

[Screenshot: Mariposa sample communicating with its CnC]


Some Notes About Neosploit

The Little Picture

I have a huge pile of notes on various types of malware and exploits. Meticulous details from where I look with my [metaphorical] microscope, but not a lot of big-picture stuff, because that usually takes much more time than just reading through a hexdump. So, I'm going to write a series of blog posts like these, looking at the little picture. Some of my explanations might be a little bit terse. I have a bad habit of going: "Here, look at this disassembly, isn't it obvious what it's doing?" But teaching how to read this stuff is a lot of work. So, I hope you don't find reading this to be too tedious if I'm short on explanations.

Some notes on Neosploit 2.0

The Attack Scheme

So, you're browsing along, and you hit an advert like http://ad.yieldmanager.com/iframe3?7VxIANuGDAAF9EgAAAAAA[A long Base-64 string goes here…]e7f9 which directs you to a page like http://ndpwrgg.info/images/wait.html, which looks like this:
