Question about malicious pdf

Discussion in 'malware problems & news' started by exus69, Sep 23, 2011.

Thread Status:
Not open for further replies.
  1. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    Hello all,

    This question came up after I read this link:
    https://www.us-cert.gov/cas/techalerts/TA10-279A.html

    Why is a pdf file not recommended to be opened inside a browser, whereas the same file can be downloaded and opened separately? I mean, if the pdf file is malicious it WILL harm the system whether opened inside the browser or separately, right??

    Please help
     
  2. wat0114

    wat0114 Guest

    No expert here, but the way I interpret it is that the browser opening is potentially more dangerous because it's automatic by default in IE, thus the suggestion to mitigate the problem by disabling that feature in the browser.
     
  3. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    Hi wat,

    What difference does it make if the malicious pdf is opened automatically or manually? If it's bound to damage your system, opening the malicious pdf manually and not automatically in the browser will only delay the inevitable by a few seconds...
     
  4. wat0114

    wat0114 Guest

    Maybe the browser plug-in could be exploited? I'm only speculating, of course.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That is correct, and I think the advisory covers both scenarios:

    As you say, the file can be downloaded, but you have the choice to do so or not.

    Whereas,

    In this scenario, it is opened without any action on your part.

    In both cases, the malicious code will run the exploit if other measures are not in place.

    The Advisory's suggestion to disable PDF files from displaying in the browser
    prevents the file from opening automatically,
    and results in the user being prompted to open the file,
    should the user encounter one on a compromised website:


    To which the Advisory concludes,

    regards,

    -rich
     
  6. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    854
    It's to cover all the circumstances in which a PDF exploit can be used to infect your system.

    Just to add to Rmus's post, security about PDF readers isn't just dealing with the risk of a maliciously crafted PDF either.

    If a trusted site had been hacked and had a script added to run a particular Exploit Kit - then when you visited that site, the Exploit Kit would attempt to exploit any known vulnerabilities in the PDF plugin in the browser.

    For that reason it's generally safer not to even have a PDF plugin installed, but it's also perfectly reasonable to mitigate this threat with things like Noscript, a sandbox, or some kind of anti-executable/firewall.

    Just take a look at these stats from a malware server, a decent proportion of the successful exploits were due to vulnerabilities in the PDF plugin:
    http://labs.m86security.com/wp-content/uploads/2011/06/Statistics.png

    The popular myth is that Adobe Flash and PDF are the most insecure apps, but notably Sun Java is actually the most exploited application from all the stats I've seen.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi RJK3,

    Nice summary of the current scene.

    I haven't looked at exploit kits in a while - in the past, the payload has been trojan executables. Has anything changed? Your link doesn't give details about the payloads.

    If the payloads have not changed, then it really doesn't matter which software vulnerability is being exploited,
    since the protective measures you've mentioned take care of the problem, should the user be caught without the current update of the software:


    regards,

    -rich
     
  8. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    854
    Hi Rich - I suppose not much has changed then in terms of payloads. Also probably many of the vulnerabilities from when you last looked are still being successful today.

    That particular stats page was from a Blackhole Exploit Kit, which usually leads to a banking trojan such as Zeus/Zbot.

    Most of the people I help post-virus infection think that security starts and finishes with an antivirus; I can easily imagine many of them simply clicking 'allow' when presented with such a message :)
     
  9. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    Sorry for the late reply. So the question is: if a malicious pdf file, which exploits the pdf browser plugin, is saved and opened separately, will it cause any problems or not?
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    It depends!

    • If opened in a PDF Reader other than Adobe, probably not, since exploits against other Readers are not so widespread.

    • If opened in a current version of Adobe with Sandbox, probably not, since it is supposed to contain the malware within its sandbox.

    • If opened in an older version of Adobe, several things might happen (assuming the vulnerability is not patched):

      • If the code inside the PDF file attempts to connect to the internet to download malware, a firewall that monitors outbound connections will alert:



      • If no firewall, or if the PDF file has a malware executable embedded, then other protection will be needed to block it.

    So, various scenarios are possible!

    regards,

    -rich
     
    Last edited: Oct 15, 2011
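The scenarios Rmus lists above (script that reaches out to the internet, an embedded executable that gets dropped) are things a PDF declares in its own structure before it is ever opened, so they can be checked statically. The following is an added example, not code from the thread or from any poster: a small Python triage scanner that flags the PDF features exploit kits and malicious attachments rely on (/OpenAction, /AA, /JavaScript, /JS, /Launch, /EmbeddedFile, /RichMedia). It handles two tricks that defeat a plain grep: hex-escaped names such as `/J#61vaScript`, and dictionaries hidden inside FlateDecode streams. The three sample PDFs are hand-constructed for the example and are not real malware; the verdict thresholds are the author's own choice, not a standard.

```python
"""Static triage of a PDF for features commonly abused by malicious documents.
Added example; the sample PDFs below are constructed, not real samples."""
import re
import zlib

# Names worth a closer look. Presence alone is not proof of malice (many
# legitimate forms use /JavaScript), but active content wired to run on
# open is exactly what an exploit kit or a drive-by PDF relies on.
RISKY_NAMES = {
    b"/OpenAction": "action executed when the document is opened",
    b"/AA": "additional actions (page open, mouse events, ...)",
    b"/JavaScript": "embedded JavaScript action",
    b"/JS": "JavaScript code or stream",
    b"/Launch": "launches an external program or file",
    b"/EmbeddedFile": "file attachment that can be dropped to disk",
    b"/RichMedia": "embedded Flash or similar media",
}
AUTO_RUN = {b"/OpenAction", b"/AA"}
ACTIVE = {b"/JavaScript", b"/JS", b"/Launch"}

_NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]+")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside name tokens, so /J#61vaScript == /JavaScript."""
    def fix(tok):
        return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), tok.group(0))
    return _NAME_TOKEN.sub(fix, data)


def inflate_streams(data: bytes) -> list:
    """Return the body of every stream zlib can inflate. Dictionaries stored
    in FlateDecode streams (object streams, for instance) are invisible otherwise."""
    out = []
    for m in _STREAM.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed, or corrupt: nothing to inspect
    return out


def triage(pdf: bytes) -> dict:
    """Scan the raw bytes plus every inflated stream; return indicators and a verdict."""
    views = [normalize_names(pdf)] + [normalize_names(s) for s in inflate_streams(pdf)]
    found = set()
    for view in views:
        for name in RISKY_NAMES:
            # trailing lookahead keeps /JS from matching a longer name
            if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", view):
                found.add(name)
    auto = bool(found & AUTO_RUN)
    active = bool(found & ACTIVE)
    if auto and active:
        verdict = "high: active content wired to run on open"
    elif auto or active:
        verdict = "medium: active content present, review before opening"
    elif found:
        verdict = "low: attachments or media present"
    else:
        verdict = "clean: no risky features found"
    return {"indicators": sorted(n.decode() for n in found),
            "auto_run": auto, "verdict": verdict}


# --- Constructed samples (hand-written for this example, not real malware) ---
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /OpenAction points at a JavaScript action whose name is hex-escaped,
# the way obfuscated samples do it; a naive grep for "/JavaScript" misses it.
OBFUSCATED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# The page-open action dictionary lives inside a Flate-compressed stream.
_HIDDEN = zlib.compress(b"<< /S /Launch /F (cmd.exe) >>")
COMPRESSED_PDF = (
    b"%PDF-1.5\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 5 0 R >> >> endobj\n"
    b"5 0 obj << /Filter /FlateDecode /Length " + str(len(_HIDDEN)).encode()
    + b" >>\nstream\n" + _HIDDEN + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("obfuscated", OBFUSCATED_PDF),
                          ("compressed", COMPRESSED_PDF)):
        print(label, triage(sample))
```

Two caveats a practitioner should keep in mind: a "clean" verdict only means no declared active content was found, and an exploit against a parsing bug (a malformed font or image stream) needs none of these names, so the reader's patch level and the sandbox or SRP layers discussed in this thread still matter; and hex-escaped names are only one obfuscation, since real samples also spread a payload across several streams or multiple filters, which this scanner does not chase.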
  11. exus69

    exus69 Registered Member

    Joined:
    Mar 15, 2009
    Posts:
    160
    Thx for the quick reply Rmus :)

    Am using LUA/SRP/Sandboxie/NIS 2012/EMET/Secunia PSI in Win XP SP3. Do you think a vulnerable pdf browser plugin being exploited will affect a system with the above security config?
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I know that Sandboxie is supposed to contain any malware that executes, and SRP is supposed to be effective as Default-Deny, but I have not tested any of those solutions myself, so I can not speak with any first hand knowledge.

    regards,

    -rich
     