Beware The Evil PDF

It is a good idea to remain aware and vigilant of current attacks and recent threats in this Internet-connected world, both at home and at work.

Researchers have recently released information on PDF documents as an attack vehicle, prompted by the discovery of multiple vulnerabilities and design flaws and by the popularity of the PDF file format. PDF documents are used for a multitude of purposes, from delivering marketing materials to industry and internal reports. The PDF file format is generally assumed to contain only static text and graphics. This popularity, acceptance by the general population, perception of static content, and ability to deliver malicious payloads have made PDF files a very attractive vehicle for those in the business of fraud and theft.

Analysts have recently alerted on a massive increase in a specific malicious PDF spam attack. The subject line of these spam emails is “setting for your mailbox are changed” and the body contains something to the effect of “SMTP and POP3 servers for {account-name} mailbox are changed. Please carefully read the attached instructions before updating settings.” The attached PDF file is malicious: it introduces malware that steals credentials and joins the system to a botnet so that it can be controlled remotely. The IBM X-Force team has posted a blog article detailing the nature of this mass spamming attack, which is still ongoing.

At work most of us have multiple layers of protection: our email gateway filters out email with specific subject lines and known contents and identifies malicious attachments; a number of Intrusion Detection System (IDS) signatures also trigger on malicious payloads or their characteristics, alerting security staff to take action; and desktop anti-virus quietly quarantines malicious files that it identifies on the workstation. While the exploit in the malicious payload is novel and takes advantage of a recently exposed problem with the PDF /Launch command, the spam attack itself appears to be largely conventional and is addressed to a broad range of email addresses and domains.
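The “malicious characteristics” that gateway and IDS signatures look for in this attack are PDF action names such as /Launch, and in particular a /Launch action wired to an automatic trigger like /OpenAction. The following scanner is an added example written for this post (not code from the original article, Adobe or the X-Force team); the PDF bytes it scans are constructed, carry no payload, and the scanner deliberately decodes PDF name escapes (#xx) before matching so that an escaped spelling of a name is not missed.

```python
import re

# Constructed sample: minimal PDF whose /OpenAction points at a /Launch action.
# The action name is written with a #xx escape (#4C == "L"), which is legal PDF syntax.
SAMPLE_LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /#4Caunch /F (placeholder-target) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton with no actions at all.
SAMPLE_CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names worth counting, with the reason each one matters to a reviewer.
SUSPICIOUS = {
    b"/Launch": "launch action: asks the reader to run an external file or program",
    b"/OpenAction": "action executed automatically when the document is opened",
    b"/AA": "additional actions, triggered by page or form events",
    b"/JavaScript": "embedded JavaScript",
}


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF names so that /#4Caunch compares equal to /Launch."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return {name: count} for each suspicious name found in the raw PDF syntax."""
    text = normalize_names(data)
    hits = {}
    for name in SUSPICIOUS:
        # Require a delimiter after the name so /AA does not match /AAPL-style names.
        count = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", text))
        if count:
            hits[name.decode()] = count
    return hits


def verdict(hits: dict) -> str:
    """Rank the file: a launch action on an automatic trigger is the pattern in this campaign."""
    if "/Launch" in hits and ("/OpenAction" in hits or "/AA" in hits):
        return "high"
    if "/Launch" in hits:
        return "medium"
    return "low" if hits else "clean"
```

This only inspects uncompressed syntax; a production scanner must also inflate /FlateDecode streams and object streams, where the same names can be stored.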

At work, if you notice anything unusual, contact your HelpDesk right away. At home, watch for and delete these spam messages without opening the attachments, download PDF files only from Internet sources that you trust, keep your personal anti-virus products up to date, and if suspicious pop-ups or other unusual activity appear while opening a PDF (or any other) file, turn the system off rather than clicking on any of the buttons offered. While this particular attack is relatively easy to spot, other attacks exploiting this vulnerability are likely to arise before long, and users should follow Adobe’s instructions to disable this feature. Auto-run on USB devices should also be disabled (see Microsoft Support for instructions on how to do this). Please refer to the articles below for more information.

2 thoughts on “Beware The Evil PDF”

  1. Informative post. Thanks for sharing. It is a shame that PDFs were targeted as that is one of the few things that some of the new users that I deal with were comfortable with.

    • Yes, PDF files are very popular, and the typical user assumes that because they can’t edit them like Word documents, they are limited in what they can do. Not so. This is not the first very serious vulnerability or flaw that we have seen with Adobe products, and it will definitely not be the last. There are several teams of “researchers” that are poring over PDF files in an effort to find more dangerous flaws. Microsoft just yesterday was actually tickled pink to announce that more than 46% of the browser-based exploits during the second half of 2009 were aimed at vulnerabilities in the free Adobe Reader PDF viewer.

      In 2007 and 2008, only 2% of all malware that included a vulnerability exploit leveraged an Adobe Reader or Acrobat bug. That figure jumped to 17% in 2009 and to 28% during the first quarter of 2010.

      I no longer use Adobe Reader for PDF viewing.
