
OPLIN 4Cast #214: PDF malware

Posted in 4cast

These days, when you click to download a PDF file from the web or your e-mail, your computer may well ask, “Are you really sure??” That happens because PDF files have become steadily more dangerous as they have grown more popular as carriers of malicious software. Ordinary executable (.exe) files used to be the carrier of choice for computer malware, but most e-mail software now blocks those, so the Portable Document Format has been on the rise as a delivery vehicle instead. But PDF is not a programming language; it is a file format that specifies how to render a page. So how does a PDF file get a computer to do something malicious? The answer is that it exploits weaknesses in the software (such as Adobe Acrobat Reader) that processes the PDF; the PDF file itself does nothing but deliver the exploit.

  • The rise of PDF malware (Symantec Connect/Fred Gutierrez)  “We have seen an ever increasing use of PDFs for malicious purposes over the past two years. During this time, we have tracked the growth and usage and have been constantly improving our detections to handle the different evolutions of these threats. We see new vulnerabilities related to PDF readers discovered on a regular basis, often being exploited in-the-wild before a patch is available.”
  • Adobe patches under-attack Reader bug (Computerworld/Gregg Keizer)  “The more notable flaw fixed in Reader 9.4.1 for Windows and Mac OS X was a bug that hackers have been leveraging since late October using malicious PDF documents. Those attacks have taken advantage of a flaw in Reader’s ‘authplay’ component. Authplay is the interpreter that renders Flash content embedded within PDF files. Successful attacks have dropped a Trojan horse and other malware on victimized Windows PCs.”
  • OMG WTF PDF: What you didn’t know about Acrobat (27th Chaos Communication Congress/Julia Wolf)  “PDFs are currently the greatest vector for drive-by (malware installing) attacks and targeted attacks on business and government. A/V [antivirus] technology is extraordinarily poor at detecting these.”
  • 27C3: danger lurks in PDF documents (The H Security/Stefan Krempl)  “According to Wolf, however, the PDF standard has long had too many functions that can be exploited to launch attacks and wreak other havoc. These functions range from database connections without security features to options that can blindly trigger the execution of arbitrary programs in Acrobat Reader. The researcher said that other risks are generated through the support of inherently insecure script languages such as JavaScript, formats such as XML, RFID tags and digital rights management (DRM) technologies.”
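The reader features the articles above single out (JavaScript, embedded Flash, actions that launch external programs) are each announced by a specific name object inside the PDF, which gives a defender a cheap first-pass triage. The following Python script is an added example, not code from the post or the articles it cites: it counts those names in a PDF's raw bytes, undoes the `#xx` hex escapes the PDF syntax allows in names (which would otherwise hide `/JavaScript` from a plain search), and flags when compressed streams make a clean result inconclusive. The sample PDF is constructed inline.

```python
import re
from collections import Counter

# PDF name objects that introduce active content or reader-side actions.
RISKY_NAMES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline JavaScript code",
    b"/OpenAction": "action run automatically when the file is opened",
    b"/AA": "additional actions (triggered by page or form events)",
    b"/Launch": "launches an external program",
    b"/RichMedia": "embedded Flash or other rich media",
    b"/EmbeddedFile": "embedded file attachment",
}
# A name token ends at whitespace, a PDF delimiter, or end of data.
_NAME_END = rb"(?=[\s()<>\[\]{}/%]|$)"

def unescape_names(data: bytes) -> bytes:
    """Undo '#xx' hex escapes, so /J#61vaScript is seen as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes) -> dict:
    """Map each risky name found in the raw bytes to its occurrence count."""
    norm = unescape_names(data)
    hits = Counter()
    for name in RISKY_NAMES:
        n = len(re.findall(re.escape(name) + _NAME_END, norm))
        if n:
            hits[name.decode()] = n
    return dict(hits)

def may_hide_names(data: bytes) -> bool:
    """Object streams or Flate-compressed streams can hide names from a raw scan."""
    return b"/ObjStm" in data or b"/FlateDecode" in data

# Constructed sample: a one-page PDF whose open action runs JavaScript, with
# the /JavaScript name hex-escaped the way evasive samples sometimes do.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >> endobj
4 0 obj << /S /J#61vaScript /JS (constructed sample, never executed) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for name, count in triage_pdf(SAMPLE_PDF).items():
        print(f"{name:14} x{count}  {RISKY_NAMES[name.encode()]}")
    print("compressed streams present:", may_hide_names(SAMPLE_PDF))
```

An empty result only means no risky name is visible in the raw bytes; when `may_hide_names` is true, the objects may sit inside compressed streams and a real PDF parser is needed to inspect them.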

Common sense fact:
Developers of PDF reader software are constantly changing their software to combat vulnerabilities. The wise computer user keeps her/his software up to date.