Pdf readers are commonly used, and so far this year, they have been a highly abused third party plugin. Tens of thousands of malcrafted pdf exploits have been prevented from running by ThreatFire on our community systems so far this year. This information is being presented to encourage our users to upgrade their pdf reader software to the latest version and remind them of the versions available.
Usually, attackers deliver these malcrafted pdf files via malicious websites serving up links to malcrafted pdf files and sometimes send spam with malcrafted pdf email attachments. Even if you do not regularly open pdf files within your browser or open email attachments containing pdf files, if you have installed Adobe Reader, please take a minute to visit the web site and upgrade the software to the latest version.
Here is the variety of attacked Adobe Acrobat Reader versions targeted this year (as of the very beginning of March) and their percent of the pie (rounded numbers here):
Reader v9 less than 1%
Reader v8 48%
Reader v7 50%
We also see a number of banking/identity password stealers delivered via malcrafted pdf files, with Zbot leading the charge, followed by a variety of Hupigon stealers and FakeAV.
This morning, we witnessed v9 exploited on multiple users’ desktops by malcrafted pdf files with the shellcode downloading a gaming password stealer from hxxp:(slashslash)202(dot)67(dot)215(dot)110(slash)caonimabi.exe. This link is live and serving malware — DO NOT download and run it.
And on a more recent trend, malcrafted pdf files will download more exploit code. For example, malcrafted pdf files generated by the LuckySploit exploit pack will pull down more javascript served at 72(dot)233(dot)79(dot)18(slash)prn(slash), and wreck more havok, installing a rootkit to hide more downloaders installed on the victim system.
So what techniques are employed most frequently in the shellcode?
The shellcode is generally around 215 bytes long, following a lengthy nop sled. UrlDownloadToFile, ShellExecute and WinExec are the most commonly implemented api calls in the malicious pdf based shellcode that we’ve examined.
If you have installed pdf reader software on your system, no matter how often you think that you use them, please be sure to upgrade. It’s useful stuff so it’s ubiquitous, and become a common target of commodity exploit kits.
Why is nobody posting vulnerability information or data regarding Acrobat 6?
It may not be the current version, but it still opens the vast majority of pdf files currently being published, and if it’s vulnerability profile is reduced compared to versions 7 through 9 then there is no reason not to consider using it as an alternative to the (apparently) more vulnerable versions.
I have tested win98/Acrobat 6.0.2 against some of the proof of concept examples that are available and have not found them to function as designed.