ThreatFire Research Blog Home
 
 
« Waledac Spam Delivery Estimates
Much Tedroo about Nothing »

PDF Reader Exploitation 2009

Pdf readers are commonly used, and so far this year, they have been a highly abused third party plugin. Tens of thousands of malcrafted pdf exploits have been prevented from running by ThreatFire on our community systems so far this year. This information is being presented to encourage our users to upgrade their pdf reader software to the latest version and remind them of the versions available.

Usually, attackers deliver these malcrafted pdf files via malicious websites serving up links to malcrafted pdf files and sometimes send spam with malcrafted pdf email attachments. Even if you do not regularly open pdf files within your browser or open email attachments containing pdf files, if you have installed Adobe Reader, please take a minute to visit the web site and upgrade the software to the latest version.

Here is the variety of attacked Adobe Acrobat Reader versions targeted this year (as of the very beginning of March) and their percent of the pie (rounded numbers here):

Reader v9 less than 1%
Reader v8 48%
Reader v7 50%

This list does not mean that Acrobat Reader 7 is the most vulnerable of the versions. As a matter of fact, the top five subversion info, in order of highest number of incidents, is 8.1.0.137, 7.0.8.218, 7.0.0.0, 7.0.5.172, 8.0.0.456. However, it may tell us that the highest number of users that install ThreatFire continue to use one of the version 7 products and seeing it attacked. If you are using any of the Adobe Reader versions, please upgrade to the latest at their web site.

Some of the most common payloads for the exploits’ shellcode are downloaders. Unfortunately, that leaves the explanation a bit hazy, because by definition, a downloader simply pulls down more software and “loads” it. Well, from our vantage point, most commonly the downloaders fetch and install FakeAV software, otherwise called rogueware. One example that we discussed last year was an Antivirus 360 downloader, which seemed to replace the Antivirus 2009 attacks. Current examples are sites delivering downloaders like hxxp:(slashslash)f-o-r(dot)ms(slash)xrun.tmp
We also see a number of banking/identity password stealers delivered via malcrafted pdf files, with Zbot leading the charge, followed by a variety of Hupigon stealers and FakeAV.
This morning, we witnessed v9 exploited on multiple users’ desktops by malcrafted pdf files with the shellcode downloading a gaming password stealer from hxxp:(slashslash)202(dot)67(dot)215(dot)110(slash)caonimabi.exe. This link is live and serving malware — DO NOT download and run it.
And on a more recent trend, malcrafted pdf files will download more exploit code. For example, malcrafted pdf files generated by the LuckySploit exploit pack will pull down more javascript served at 72(dot)233(dot)79(dot)18(slash)prn(slash), and wreck more havok, installing a rootkit to hide more downloaders installed on the victim system.

So what techniques are employed most frequently in the shellcode?
The shellcode is generally around 215 bytes long, following a lengthy nop sled. UrlDownloadToFile, ShellExecute and WinExec are the most commonly implemented api calls in the malicious pdf based shellcode that we’ve examined.

If you have installed pdf reader software on your system, no matter how often you think that you use them, please be sure to upgrade. It’s useful stuff so it’s ubiquitous, and become a common target of commodity exploit kits.

This entry was posted on Wednesday, March 11th, 2009 at 12:06 pm and is filed under Commodity Kit, Exploit, Incident, Malware Estimates, Vulnerability. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

One Response to “PDF Reader Exploitation 2009”

  1. Joe says:
    March 16, 2009 at 3:52 pm

    Why is nobody posting vulnerability information or data regarding Acrobat 6?

    It may not be the current version, but it still opens the vast majority of pdf files currently being published, and if it’s vulnerability profile is reduced compared to versions 7 through 9 then there is no reason not to consider using it as an alternative to the (apparently) more vulnerable versions.

    I have tested win98/Acrobat 6.0.2 against some of the proof of concept examples that are available and have not found them to function as designed.

Leave a Reply

Click here to cancel reply.
 

  • Blog Archive

    • November 2009
    • October 2009
    • September 2009
    • August 2009
    • July 2009
    • June 2009
    • May 2009
    • April 2009
    • March 2009
    • February 2009
    • January 2009
    • December 2008
    • November 2008
    • October 2008
    • September 2008
    • August 2008
    • July 2008
    • June 2008
    • May 2008
    • April 2008
    • March 2008
    • February 2008
    • January 2008
    • December 2007
    • November 2007
    • October 2007
    • September 2007
    • August 2007

  • Search This Blog

  • RSS Subscribe Now

    • Koobface on Yuotube
    • Spamvertizing Social Networks and Why Legitimate Money Will Help Clean Them Up
    • Zbot: Not Your Typical Malware

  • Categories

  • About ThreatFire

    ThreatFire™, features innovative real-time behavioral protection technology that provides powerful standalone protection or the perfect complement to traditional signature-based antivirus programs.

    ThreatFire's patent-pending ActiveDefense™ technology offers unsurpassed protection against both known and unknown zero-day viruses, worms, trojans, rootkits, buffer overflows, spyware, adware and other malware.

    Learn more...

  • Blogroll

    • AV-Comparatives weblog
    • Bill Mullins’ Weblog – Tech Thoughts
    • Security Response Blogs
    • Swatkat’s rants
    • ThreatExpert Blog

  • Links

    • AMTSO
    • AV-Test
    • Frank Boldewin’s Reconstructor
    • PC Tools
    • ThreatExpert
    • ThreatFire
    • Virus Bulletin
 
Subscribe to:
Posts (Atom) 		Entries (RSS) and Comments (RSS).