Beware of Embedded PDF Malwares

Last month the security researcher Didier Stevens published a PoC PDF file which had an executable embedded inside it. Though the Metasploit framework already has an attack module to embed any executable inside a PDF file, the approach used by Didier Stevens is different and does not involve the use of JavaScript.

As JavaScript is not used, disabling JavaScript in the PDF viewer will not help. PDF viewers like Adobe Reader and Foxit Reader do not allow embedded binary files to be executed directly, but the "/Launch /Action" PDF commands can ultimately run an executable. A Launch action is used to run an application or to open or print a document.

When the PoC was tested in Adobe Acrobat Reader, the following warning box was displayed.

Stevens is also able to control the message displayed in the warning box. Stevens said Adobe's PDF Reader will block the file from automatically opening, but he warned that an attacker could use social engineering tricks to get users to allow the file to be opened. Foxit Reader is even worse and opens the file without any warning.

Attacker controlled warning message

Stevens tested his research on Adobe Reader 9.3.1 (Windows XP SP3 and Windows 7).

PoC tested in my test environment

Two weeks ago, security researchers started seeing emails claiming to be from Royal Mail with an attached PDF file. This PDF file has another attachment within itself, named "Royal_Mail_Delivery_Notice.pdf". This inner attachment contained an obviously compressed executable.

This new trick is used to install the Zeus bot on the victim's computer once they open the attachment. The PDF uses the JavaScript function exportDataObject to save the attachment to disk and, once it is saved, uses a Launch action to run the saved copy of the executable.
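As an added example (not from the original post or from Didier Stevens' PoC), the following triage script flags the indicators described above: a Launch action, an embedded file, and JavaScript calling exportDataObject. It inflates FlateDecode streams and decodes #xx escapes in names before matching, so a Launch action hidden in a compressed object or written as /Laun#63h is still found. The sample PDF fragment is constructed here and is not a working document.

```python
import re
import zlib

# Indicators from the post: a Launch action, an embedded file, and JavaScript
# (exportDataObject) that writes the embedded file to disk before launching it.
SUSPECT_NAMES = (b"/Launch", b"/EmbeddedFile", b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")

def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF names so an obfuscated /Laun#63h reads as /Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Append the decompressed body of every FlateDecode stream to the raw bytes."""
    extra = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed or truncated; the raw bytes are still scanned
    return data + b"\n" + b"\n".join(extra)

def scan_pdf(data: bytes) -> dict:
    """Count the suspicious names/strings and explain why the file looks like a dropper."""
    text = normalize_names(inflate_streams(data))
    counts = {}
    for name in SUSPECT_NAMES:  # a name ends at a delimiter, so /JS must not match /JSX
        counts[name.decode()] = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", text))
    counts["exportDataObject"] = text.count(b"exportDataObject")
    reasons = []
    if counts["/Launch"]:
        reasons.append("Launch action present: can start an external program")
    if counts["/EmbeddedFile"] and counts["exportDataObject"]:
        reasons.append("embedded file plus exportDataObject: attachment-dropper pattern")
    if counts["/OpenAction"] or counts["/AA"]:
        reasons.append("action fires automatically when the document is opened")
    return {"counts": counts, "reasons": reasons, "suspicious": bool(reasons)}

def constructed_sample() -> bytes:
    """Constructed, non-functional PDF fragment that combines all three indicators."""
    js = zlib.compress(b"this.exportDataObject(/* constructed sample, not a working call */);")
    return (
        b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
        b"2 0 obj << /S /Laun#63h /F (PLACEHOLDER.exe) >> endobj\n"  # hex-escaped name
        b"3 0 obj << /Type /EmbeddedFile /Length 0 >> stream\n\nendstream endobj\n"
        b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n"
        b"5 0 obj << /Filter /FlateDecode /Length " + str(len(js)).encode() + b" >> stream\n"
        + js + b"\nendstream endobj\n"
    )
```

Run scan_pdf over a file's bytes; a hit on both /Launch and the embedded-file-plus-exportDataObject pattern is the combination this post describes and is worth quarantining for a closer look.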

Having an updated or the latest version of Adobe Reader or Foxit Reader will not protect you from this attack, as the attackers are not exploiting any vulnerability to install the bot; rather, they are making use of legitimate features of the PDF specification.

The only way to protect ourselves from such an attack is to disable the option that allows opening of non-PDF attachments.

Workaround for Acrobat users

Beware of such emails and do not open PDF attachments originating from untrusted sources.


2 Responses to “Beware of Embedded PDF Malwares”

  1. Rutuja Kulkarni Says:

    thanks for this helpful blog

  2. Jes Says:

    Just want to say what a great blog you got here!
    I’ve been around for quite a lot of time, but finally decided to show my appreciation of your work!

    Thumbs up, and keep it going!

    Cheers


This entry was posted on Sunday, May 16th, 2010 at 7:43 pm and is filed under Information Security, Malware Techniques. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
