Creating malicious PDF files

June 2, 2008 – 1:10 PM

Yesterday’s post discussed a mystery PDF file that was booby-trapped to drop a backdoor.

Today we’ll look at how these documents are created.

Here’s an example of a tool called Y08-04 aka GenMDB.

[Image: genmdb]

When run, it displays this user interface:

[Image: y08-04]

The apparent purpose of this tool is to create trojanized PDF files. You select which EXE you want to embed, which PDF file you want to trojanize and which platform you expect the victim to be using.

Cool. Now, the real question is this: how on earth did we get our hands on such a tool?

You’d never guess it.

We received it inside a trojanized PDF file.

Here’s what we believe happened:

Someone, somewhere was using this tool for the first time.

They did a test run, selecting a random PDF file and a random EXE to create trojanized PDF, just as a test.

As a random EXE, they selected – wait for it – GenMDB.EXE itself!

Then the perpetrator was probably curious to find out if the trojan PDF would be detected by virus scanners or not.

So he uploaded the trojanized PDF to an online scanner.

Hey, thanks. Keep up the good work.

Source: F-Secure Blog
