Topic: Prevalence of Exploited PDFs

[Samker]

While the threat landscape has changed dramatically over the past years, attackers are becoming increasingly aggressive in exploring ways to get into users’ system. A spammed email with an EXE attachment no longer penetrates the wider network or users, now that most home users and enterprise networks have a certain level of awareness on information security. But, how about spamming an exploited file like a PDF?



The incidents of exploited PDF files are not isolated. Instead, there has been a consistent prevalence and recurrence of this threat. So, what are the vulnerabilities being exploited? Most of the malicious PDF files we see exploit a known buffer overflow vulnerability in the "Collab.collectEmailInfo()" function which can be found in the Adobe PDF Reader JavaScript engine. This vulnerability was discovered in February of this year and was related to CVE-2007-5659 and CVE-2008-0655.

As shown in the screenshot below, the malicious stream data contains JavaScript that attempts to attack vulnerable versions and thereafter execute its embedded shellcode. Attackers often reuse the exact code and only change its payload.



Another vulnerability being constantly exploited is URI (Uniform Resource Identifier) handling, where attackers misuse “mailto” in order to execute commands. Here’s the screenshot of the malicious object inside the PDF file and the command executed behind these strings:





This vulnerability was discovered in September 2007 and was referred to CVE-2007-5020. The interesting part here is that these vulnerabilities only exist in Adobe Reader and Acrobat 8.1.1 and earlier, which means updating to a latest version will protect users’ systems. Unfortunately, this doesn’t stop the attackers in continuously serving this threat.

CA products detects the malicious PDF file as PDF/Pidief and PDF/CVE-2007-5020!exploit.

(CA)