PDF Exploitation & Forensic Resources

A new report from security vendor ScanSafe indicates that attacks continue to increase, with a single user seeing 77 compromised websites in May of 2007, compared to 1024 sites in May 2009. Data theft Trojan exposures increased from 0 in May 2007 to 307 events in May 2009.

ScanSafe Article: http://www.scansafe.com/downloads/gtr/2009_AGTR.pdf

By far the new leader on the threat horizon is malicious PDF files exploiting flaws in Adobe Reader or Acrobat, which outpaced Flash exploits and grew to 80% of all exploits the company encountered. This trend most likely reflects a combination of the increasing availability of vulnerabilities in Adobe products and the continued popularity and acceptance of PDF files in both the workplace and home user sectors. Attackers will exploit whatever is most exploitable.

From a criminal's point of view, tactics have evolved from wide-scale attacks to today's focused 'business' model, directly targeted like a marketing campaign and driven by web-based malware kits capable of automatically enumerating applications and browser plug-ins and serving up the appropriate exploits. The optimization of malicious traffic has been an active strategy for several years, with attackers realizing that the more exploits they bundle into their kits, the higher the probability of a successful infection. The apparent preference for Adobe exploits is really a direct result of the market penetration of Adobe products and the widespread use of out-of-date Reader and Acrobat versions.

Case Study

Case in point is the continued use of CVE-2007-5659, CVE-2008-2992, CVE-2008-0015, CVE-2009-0927 and CVE-2009-4324. These are not new exploits, and the choice to keep using them suggests a decision driven by metrics gathered from the hundreds of thousands of visitors hitting the attackers' fraudulent online properties. In this case, why bother wasting money on picking up a zero-day exploit on the underground market when they already know that millions of users are susceptible to two-year-old exploits?

Didier Stevens has provided a fantastic resource and tools for analyzing PDF files. Some of these resources have been incorporated into VirusTotal.

Didier Stevens: http://blog.didierstevens.com/programs/pdf-tools/
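As an added illustration of the kind of static triage such tools perform (this is example code written for this page, not Didier Stevens' pdfid or any part of his tool suite), the script below counts risk-indicator names in a PDF and resolves the #xx hex escaping that PDF name objects allow, so an obfuscated /Java#53cript is counted as /JavaScript rather than slipping past a plain string match. The indicator list, the verdict rules and the two sample documents are constructed for this example.

```python
import re

# Added example of static PDF triage. Indicator names are standard PDF keys
# that commonly drive malicious documents (script, automatic actions,
# launching programs, embedded payloads); the selection and the verdict
# rules below are this example's own choices, not pdfid's.
INDICATORS = (
    b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia", b"/ObjStm", b"/AcroForm", b"/URI",
)

# A PDF name may hex-escape any character as #xx, so /Java#53cript is the
# same name as /JavaScript. Malware uses this to evade naive string matching.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name ends at whitespace or a PDF delimiter; this lookahead stops /JS
# from matching a longer name such as /JSX.
_NAME_END = rb"(?![^\s()<>\[\]{}/%])"


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated names compare equal to plain ones."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_indicators(data: bytes) -> dict:
    """Count indicator names and structural markers in a PDF byte string."""
    normalized = normalize_names(data)
    counts = {}
    for name in INDICATORS:
        pattern = re.compile(re.escape(name) + _NAME_END)
        counts[name.decode()] = len(pattern.findall(normalized))
    # obj/endobj and stream/endstream should pair up in a well-formed file;
    # \b keeps "obj" from being counted inside "endobj".
    for marker in ("obj", "endobj", "stream", "endstream"):
        counts[marker] = len(re.findall(rb"\b" + marker.encode() + rb"\b", normalized))
    # Raw #xx escapes anywhere in the file; a heuristic, since binary stream
    # data can contain the same byte pattern by chance.
    counts["hex_escaped_names"] = len(_HEX_ESCAPE.findall(data))
    return counts


def triage(data: bytes) -> dict:
    """Return counts, human-readable reasons and a coarse suspicious flag."""
    c = count_indicators(data)
    reasons = []
    has_script = bool(c["/JavaScript"] or c["/JS"])
    has_auto = bool(c["/OpenAction"] or c["/AA"])
    if has_script:
        reasons.append("contains JavaScript")
    if has_auto:
        reasons.append("has automatic actions (run on open or on an event)")
    if c["/Launch"]:
        reasons.append("can launch an external program")
    if c["/EmbeddedFile"] or c["/RichMedia"]:
        reasons.append("carries embedded content")
    if c["hex_escaped_names"]:
        reasons.append("uses hex-escaped names (obfuscation)")
    if c["obj"] != c["endobj"] or c["stream"] != c["endstream"]:
        reasons.append("unbalanced obj/stream markers (malformed file)")
    # Script wired to an automatic action is the classic drive-by pattern;
    # /Launch and name obfuscation are each strong enough on their own.
    suspicious = (has_script and has_auto) or bool(c["/Launch"]) or bool(c["hex_escaped_names"])
    return {"counts": c, "reasons": reasons, "suspicious": suspicious}


# Constructed sample documents (minimal, not real-world files).
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 44 >> stream\nBT /F1 12 Tf 72 712 Td (Hello) Tj ET\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

SUSPECT_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"5 0 obj << /S /Java#53cript /JS (constructed placeholder) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspect", SUSPECT_PDF)):
        result = triage(doc)
        print(label, "suspicious" if result["suspicious"] else "clean", result["reasons"])
```

Run stand-alone, the script flags only the second sample; the first has no script, no automatic action and balanced object markers. In practice this kind of keyword count is a first-pass sorting step: a hit tells you which files deserve a full parse of the object tree and its streams, not that the file is malicious.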

Ray Yepes has provided an excellent article on locating MYD files, the MySQL database files used by Adobe Organizer to maintain information about PDF files that have been accessed.

Ray Yepes: http://www.issa.org/Library/Journals/2008/April/Yepes-PDF%20Forensics-Uncovering%20MYD%20files.pdf