Poisoned PDFs? Here's Your Antidote
Attacks employing poisoned PDF files have leaped to the top of the threat list, according to statistics from major security companies. Symantec reports that suspicious PDF files skyrocketed in 2009 to represent 49 percent of Web-based attacks that the company detected, up from only 11 percent in 2008. The next-most-common attack, involving a good old Internet Explorer flaw, was far behind at 18 percent.
In a typical scenario, crooks might hijack a legitimate site and insert a PDF file made to exploit flaws in Adobe Reader. They then link to that PDF via social-engineering lures such as spam or comments on a blog or social network. Even astute users who check the link would see a legit domain. Not knowing the site was hacked, they would be more likely to download and open the file.
Now, a new threat makes it possible to launch malware hidden inside a PDF file. In this type of attack, discovered by researcher Didier Stevens, opening the PDF file triggers an attempt to install the malware. The action causes Adobe Reader to produce a confirmation pop-up, which gives you a chance to halt the attack by clicking the 'Do Not Open' button--but Stevens found that attackers could tweak the pop-up's message. His example reads, "To view the encrypted message in this PDF document, select 'Do not show this message again' and click the Open button!" Using such a message, attackers could allay potential victims' suspicion.
Here's the kicker: This embedded-file threat makes creative use of functionality built into the PDF standard. As such, it works not only on Adobe Reader but on other PDF readers, too, even if they're up-to-date. The makers of the Zeus Trojan horse are already using this new technique to spread their evil software.
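Because the technique relies on ordinary PDF name objects (a Launch action, an embedded file, an automatic open action), a defender can triage a downloaded file by counting those names before opening it. The following script is an added example written for this article, not code from Didier Stevens or Adobe; it resolves PDF name hex escapes (so an obfuscated /#4Caunch is counted as /Launch) and runs over a constructed, non-functional PDF fragment embedded inline.

```python
import re

# Standard PDF name objects tied to the embedded-file / launch technique.
SUSPECT_NAMES = (b"/Launch", b"/EmbeddedFile", b"/OpenAction",
                 b"/AA", b"/JavaScript", b"/JS")

# PDF names may encode any byte as #xx; attackers use this to hide keywords.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name ends at whitespace, a delimiter, or end of data.
_NAME_END = rb"(?=[\s/<>\[\]()\{\}%]|$)"


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so /#4Caunch becomes /Launch."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_suspect_names(data: bytes) -> dict:
    """Return {name: occurrences} for each suspect name, after normalization."""
    norm = normalize_names(data)
    return {
        name.decode(): len(re.findall(re.escape(name) + _NAME_END, norm))
        for name in SUSPECT_NAMES
    }


def assess(data: bytes) -> str:
    """Coarse verdict: launch/embedded-file indicators outrank mere auto-actions."""
    c = count_suspect_names(data)
    if c["/Launch"] or c["/EmbeddedFile"]:
        return "suspicious: launch action or embedded file present"
    if c["/OpenAction"] or c["/AA"] or c["/JavaScript"] or c["/JS"]:
        return "review: automatic action or script present"
    return "no launch/embedded-file indicators"


# Constructed fragment (not a working document): an OpenAction pointing at an
# obfuscated Launch action, the pattern the article describes.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /Type /Action /S /#4Caunch /F (attachment.exe) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed benign fragment for comparison.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(label, count_suspect_names(doc), "->", assess(doc))
```

This is first-pass triage only: it does not inflate compressed object streams, so a clean count is not proof of safety, while any /Launch or /EmbeddedFile hit is reason not to open the file.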
How to Fight the New Threat
Changing a program setting in the current version of Adobe Reader can help. Head to Preferences, Trust Manager, and deselect 'Allow opening of non-PDF file attachments with external applications'. See the Adobe Reader Blog for more details.
The latest 3.3 update for the Foxit PDF reader also has a new Safe Reading setting--enabled by default under a new Trust Manager section in the preferences--that likewise blocks embedded programs from running.
Since traditional PDF exploits almost always hunt for one of the many holes in Adobe Reader, using an alternative PDF program is a good idea. But it's no guarantee of safety. When the embedded-file attack first surfaced, Foxit didn't even display a confirmation pop-up--it simply allowed the attack to proceed. Whichever reader you use, it's vital to keep it up-to-date. Both Adobe and Foxit are working on new security features to further mitigate the embedded-file risk.
Finally, a good antivirus program may stop a malicious PDF before it can launch an attack. And VirusTotal.com is excellent for scanning any downloaded or e-mailed file with a multitude of antivirus engines. Regardless, always back up your defenses with your own good sense.