mersenneforum.org  

Old 2016-07-05, 15:10   #12
Batalov
 
 
"Serge"
Mar 2008
Phi(4,2^7658614+1)/2

36·13 Posts

Not a PDF file and not a packed file of any kind. Retrieved from two different machines, different locations.
Code:
/home/serge> file  TippingCanister.pdf
TippingCanister.pdf: data
/home/serge> md5sum  TippingCanister.pdf
9e26c5df8789afca60698e6f9e3c5da8  TippingCanister.pdf
/home/serge> ls -l  TippingCanister.pdf
-rw------- 1 serge serge  1080503 Jun 29 02:21 TippingCanister.pdf
/home/serge> bzcat TippingCanister.pdf
bzcat: TippingCanister.pdf is not a bzip2 file.
/home/serge> zcat TippingCanister.pdf

gzip: TippingCanister.pdf: not in gzip format
/home/serge> 7z l TippingCanister.pdf

7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,4 CPUs)

Error: TippingCanister.pdf: Can not open file as archive
/home/serge> od -c TippingCanister.pdf |head
0000000   1 353   ,   j  \a 210 017 216   | 337 235 371 343 300 250 236
0000020 327 247 265   < 251   z   k 245 266   *   Z 256 337 346 213 027
0000040 235   n 213 247   u 252 362 231 374   q 263   ( 034 246 335 267
0000060 363   w 266 336   z   v 233   M 371 337 236   <   E 347 036 212
0000100 367 235   Y 347   v 364 233 247 333   M   z 323 275   5 337 317
0000120 264 323   M 006   1   0 332 265 345 236   w   o   I 272   } 264
I found %PDF string in the middle of the file and cut off the extraneous 1st part (approximately half of the file) - then yes, the rest is a PDF file.
Code:
/home/serge> ls -l  TippingCanister.pdf
-rw------- 1 serge serge 1080503 Jun 29 02:21 TippingCanister.pdf
/home/serge> vi TippingCanister.pdf
/home/serge> ll TippingCanister.pdf
-rw------- 1 serge serge 537033 Jul  5 08:01 TippingCanister.pdf
/home/serge> file TippingCanister.pdf
TippingCanister.pdf: PDF document, version 1.5
Looks ok now, but that's a dangerous thing for your "linkator" to have half a file of whatever (could be a virus) silently skipped and then show the rest of the file.
Old 2016-07-05, 16:12   #13
LaurV
Romulan Interpreter
 
 
Jun 2011
Thailand

7·1,373 Posts

Ha! You are right, right-clicking it and choosing "save" it also results in a 1 meg file for me, which is not a valid pdf, and it can not be opened by standard Acrobat reader/viewer. After purging the initial garbage, the file can be opened.

However, the embedded Firefox viewer says nothing, and opens the "malformed" file when I click the link. Neither nod32 (paid) nor avira (free) say anything wrong about it.

Did somebody find a new "exploit" for Firefox, or what?? haha... And I, who consider myself an "expert" in "virusology", took that stupid trap?

Now, if I click the link and open the file in Firefox (it opens ok) then "save" it from there, the file on disk is 500k, as you show above. Does FF's viewer (which is no other than adobe's acrobat plugin) automatically purge anything till it gets to "%PDF" string? Well I would not bet my life on it... but it may be so, when you click on the link, it looks for the "pdf" string, in which case the garbage is ignored.

Of course, here I did everything in a sandbox (after being warned by you). But I will have to see tomorrow at work what this thing did in my computer (if anything), because I didn't expect such a thing to happen with a file on ibm web page, and of course didn't take any precaution when I clicked it (besides the default antivirus from the company).

Maybe we have to notify ibm guys about this bullshit on their page. Hopefully they will not change it till tomorrow and I can reconstruct the same behavior at job, to see what "damages" I have done there. Now I go to bed, almost midnight here. Anyhow, I saved the malformed file for future analysis. I still hope I didn't damage anything, and I dream that it may be some "new features" of the pdf format (considering that at job I have newer tools, they always install the newest shit there). Yeah, I know that the chances are very limited... but man is free to dream.

Will keep you informed.
Old 2016-07-05, 16:38   #14
Batalov
 
 
"Serge"
Mar 2008
Phi(4,2^7658614+1)/2

36×13 Posts

Maybe it is a Mathematica file. (part ".m" or whatever file, and part .pdf)
I don't have Mathematica installed now, but you probably have it, and that's why you probably have a browser plugin, too, which deals with this web-content gracefully.
Old 2016-07-05, 20:44   #15
a1call
 
 
"Rashid Naimi"
Oct 2015
Remote to Here/There

1000000001112 Posts

I have an expired trial version of Mathematica and for me the linked PDF opens transparently.

On the subject of the puzzle, it reminds me of playing around with partially liquid filled containers and trying to balance them on an edge on carpeting and feeling frustrated at the time as it seemed unexpectedly difficult compared to solid objects. Working on this puzzle made me realize that with partially liquid filled containers there is a sort of an avalanche effect. As soon as the COM passes the equilibrium point above the edge, liquid moves to the other side shifting the COM more and more. Now I realize that the solution would have been to fill the container fully for it to behave more stable on the edge like a solid. This would eliminate the avalanche effect and the COM would stay at the center of the container geometry regardless of the tilt angle.
Old 2016-07-06, 16:11   #16
LaurV
Romulan Interpreter
 
 
Jun 2011
Thailand

7·1,373 Posts

Well, for the record, I didn't identify yet what the garbage is, besides being garbage... but I have some idea.

Without it, the file looks the same.

Internet explorer, both 32 and 64 bits, say "wrong file, does not start with %pdf", after loading 1.3MB (?!?!? no mistake!) from the web. The saved file still has 1.0 meg. No idea why IE downloads 1.3 megs (the progress bar on the screen, as I don't use IE, didn't open it for ages, this is the first time when I see that progress bar when a "pdf" (or else) is clicked).

I mistakenly informed you that the file, after opening it with ff and saving, is 500k. It is still 1 meg. I was looking at the wrong file. But ff will only open it if it is from the web. Now, ff without any plugins still opens the file transparently, but ff in safe mode, will not.

After opening it with ff (click on it) and saving it from the viewer, trying to re-open it from local file fails (?!? this is strange, same "plugin" should be used).

Now, the "garbage" does not try to do anything strange, it does not execute, does not read or write files, neither access resources nor registry. It is however occupying ~500k of memory.

The difference with the job computer is that I have the CDF player installed there, and at home I don't. There at job, everything goes smooth. No other difference.

Well, spawning a new virtual disk with a fresh win7, fresh Firefox, no plugins, running it in VirtualBox. Trying to open the file, does not open. Installing CDF player. Trying to open the file - it does not work. For sure it is not a wolfram thing. Problem not solved. Anyhow, CDF files look inside more like xml, with headers and sections, not like binary garbage.

Now I am extremely curious what that piece of garbage is. Googling for "malformed pdf exploit" gives me a lot of scary things that malformed PDF files can do. This guy explains here why some viewers can open the file correctly, and miss the malformed part, and he has many tools to analyze such malformations in pdf files.

Symantec also has an alert about a malformed PDF file that can execute code in one's computer.

Still digging.

We should definitely inform IBM/ponderthis guys.

Last fiddled with by LaurV on 2016-07-06 at 16:14
Old 2016-07-07, 02:51   #17
LaurV
Romulan Interpreter
 
 
Jun 2011
Thailand

258B16 Posts

Ok, case closed. It kept me awake all night.

That toy IS a virus. More exactly a backdoor. It targets Firefox itself, more specially the internal PDF viewer of it. On FF older than version 40, a malicious guy may be able to access your local file system after you clicked on that link in FF, when the internal viewer is enabled. It seems to go off at reset, it does not leave traces, so I have no idea if it replicates and how. It does not seem to try to send things out, or I didn't dig enough. It would be a bit stupid if it relies on the malicious guy being awake while I am viewing the file, to send the right commands to read my files, so I assume that I didn't dig enough. But I will stop here, anyhow.

That is (a part of) what I did:

Skipping over the part where I tested the older version of FF, most probably nobody here uses that.

A fresh windoze installation, with newest FF and nothing else (no adobe, no foxit, etc) in a VBox machine, can open the file very well and transparently and without any side-effect, if you go first to FF menu and click "Tools/Options/Applications" and enable internal viewer of FF, for PDF files. Firefox has an internal PDF viewer which is written in JavaScript (called pdf.js) which, when enabled, replaces the Acrobat reader. The idea from Mozilla was to have some "all in one" world platform or whatever, for viewing online documents. A good idea, in itself... The source being available in your FF install folder, many bad guys tried to exploit its "vulnerabilities". For the last one, Mozilla issued a patch in August 2015. So all the versions of FF updated after those dates are "immune" to the exploit, they look for the %PDF and %%EOF strings, and purge all the stuff which is off these borders, or it is not well delimited by streams (see pdf structure).

Note that other viewers (like foxit, for example) which start parsing the file from the end, and look for %%EOF part, may also open the file correctly. This particular file has a few bytes of "garbage" after the %%EOF too, besides the 500KB at the beginning. Those few bytes are responsible for starting the malicious code in a vulnerable browser.

Other browsers will not open the malformed file (we summarily tried IE and chrome). FF without internal viewer enabled will not open the file either (it passes it to the external viewer, which signals an error, unless that external viewer is able to open the file itself).

So, at last, I was a lucky son of a gun, and I didn't damage anything here.

Last fiddled with by LaurV on 2016-07-07 at 02:58
LaurV is offline   Reply With Quote
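
Added example, not part of any post in this thread: a Python check for the two conditions discussed above, data sitting before the %PDF header (post #12) and data after the final %%EOF (post #17), plus a carve step equivalent to the manual cut done in vi. The function names and the sample bytes are constructed for illustration.

```python
PDF_MAGIC = b"%PDF-"
EOF_MARK = b"%%EOF"


def pdf_bounds(data: bytes) -> dict:
    """Count the bytes that lie outside the %PDF- ... %%EOF span."""
    start = data.find(PDF_MAGIC)   # first header, as a lenient viewer would find it
    eof = data.rfind(EOF_MARK)     # last end-of-file marker
    if start < 0 or eof < start:
        return {"is_pdf": False, "leading": len(data), "trailing": 0}
    end = eof + len(EOF_MARK)
    # Whitespace or a line ending after %%EOF is normal; anything else is extra data.
    tail = data[end:].strip(b" \t\r\n")
    version = data[start + 5:start + 8].decode("ascii", "replace")
    return {"is_pdf": True, "version": version, "start": start, "end": end,
            "leading": start, "trailing": len(tail)}


def verdict(data: bytes) -> str:
    """'clean', 'padded' (bytes outside the PDF span) or 'not-pdf'."""
    b = pdf_bounds(data)
    if not b["is_pdf"]:
        return "not-pdf"
    return "clean" if b["leading"] == 0 and b["trailing"] == 0 else "padded"


def carve(data: bytes) -> bytes:
    """Return only the %PDF- ... %%EOF span, dropping everything outside it."""
    b = pdf_bounds(data)
    if not b["is_pdf"]:
        raise ValueError("no %PDF- ... %%EOF span found")
    return data[b["start"]:b["end"]] + b"\n"


# Constructed sample: 128 non-PDF bytes, a minimal PDF body, 4 bytes after %%EOF.
MINIMAL = (b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
           b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
SAMPLE = bytes(range(1, 33)) * 4 + MINIMAL + b"\x00\x01\x02\x03"

if __name__ == "__main__":
    print(verdict(SAMPLE), pdf_bounds(SAMPLE))
    print(verdict(carve(SAMPLE)), pdf_bounds(carve(SAMPLE)))
```

A "padded" verdict only says the file carries bytes that a strict reader would reject and a lenient one would skip; what those bytes are still has to be examined separately.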

All times are UTC.


Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.
A copy of the license is included in the FAQ.