PDF hack executes an embedded executable

MrBrian · Apr 11, 2010

Are PDF’s Worm-able?

My thought was that it may very well be possible to launch an attack internally from one PDF onto another already existing PDF. I emailed Didier with my idea and some of the specifics, and he said it was definitely possible.
Click to expand...

Implications of Recent PDF /Launch Hacks

If we add in the complications this style of attack will bring to our incident response teams and processes we have one nasty mess on our hands. Let’s say the attack did in fact work and now all PDF files residing on the user’s computer are infected with this malicious code, and that the second stage of this attack is the retrieval of a Trojan from a server out on the internet upon successful exploitation. It is very likely that at some point in time our Antivirus software or a network monitoring device such as an IDS will detect the Trojan. This detection will most likely either spawn the incident response team to take action by verifying the Trojan was quarantined by our antivirus software or that the machine is reimaged with our standard corporate image. Does this really address the situation at hand? Not really, since both of these responses will not address the infected PDF files that is facilitating the attack, or in simple terms the infection vector. Even if the system was reimaged it is a common practice for the incident response team to back up and restore all files they do not suspect as being malicious and/or involved in the attack back on the users system. Do you really think the incident response team will suspect every single PDF file on the user’s computer as being involved? I seriously doubt it. The other aspect that needs to be taken into account with this attack scenario is that by cleaning the user’s computer the attacker will be alerted to the fact that you have now detected his or her activity since the Trojan will no longer be accessible to the attacker. This informs the attacker that it is now time to change and/or modify the Trojan being downloaded from the Internet by the exploit pack to evade detection once again and then it is just a matter of time before the user reopens one of those trusted PDF files and becomes a victim once again.
Click to expand...

Rasheed187 · Apr 14, 2010

By what? adobe reader? SRP? AppLocker? AntiExacutable? Some HIPS programm? or any other software?
Click to expand...

@ Jav

It´s blocked by good old SSM. Of course, like said before, this is not really an advanced attack, but I´ve even tested SSM against a buffer overflow attack on Winamp, and guess what, SSM easily blocked it.

@ Rmus

Thanks for the feedback.

Jav · Apr 14, 2010

Rasheed187 said:

@ Jav

It´s blocked by good old SSM. Of course, like said before, this is not really an advanced attack, but I´ve even tested SSM against a buffer overflow attack on Winamp, and guess what, SSM easily blocked it.
Click to expand...

Thank you for you answer

It seems my knowledge lacks on this.
Can you tell what "SSM" stands for in this context?

EDIT: oh, I think you meant http://en.wikipedia.org/wiki/System_Safety_Monitor ?

MrBrian · May 1, 2010

Major malware campaign abuses unfixed PDF flaw

Log in or Sign up

PDF hack executes an embedded executable

MrBrian Registered Member

Rasheed187 Registered Member

Jav Guest

MrBrian Registered Member

Log in or Sign up

PDF hack executes an embedded executable

MrBrian Registered Member

Rasheed187 Registered Member

Jav Guest

MrBrian Registered Member

Useful Searches