Internet Security Systems - AlertCon(TM)

Stopping PDF Malware At The Network

Posted by John Kuhn on November 05, 2008 at 2:15 PM EST.

Working in the Security Operations Center and actively monitoring thousands of devices across hundreds of disparate customer environments gives me a unique perspective on global threat activity. For a few months now we have been observing an increase in web browser attacks in general, and an onslaught of attacks using malicious PDF files in particular. It is not uncommon for the exact same malicious website, IP address, or file to appear in “attacks” against many of our customers in the same period of time. This post discusses the use of malicious PDF files in attacks, including a few of the vectors that contribute to this global threat pattern.

A large number of crimeware toolkits have included 2 or 3 recent PDF exploits for use in compromising machines. These crimeware toolkits are bundles of exploits and malware that can be easily re-used by malicious parties to attack and compromise hosts – think Metasploit with the altruistic intentions removed. These toolkits are used for many different reasons; ease of use and a high success rate are big motivations. Many people use them to install malware on a global scale, such as fake antivirus software. In this case the attacker is paid for each successful install, and the owner of the software is paid by the compromised user through nefarious means. Botnet owners also benefit from these toolkits, which provide a quick and easy way to grow their malicious networks. However they are used, the objective is usually financially and sometimes politically driven.

Recently a domain by the name of googgle.su (190.183.63.220) grabbed my attention; this site currently hosts a file called “pdf.php”. When a user visits this malicious site, it trips a number of signatures on the IBM Proventia NIPS, HIPS, and UTM product lines. These prevention technologies detect the attack in several different ways, including detection of JavaScript embedded within a malicious PDF, detection of JavaScript obfuscation within a PDF, and detection of malicious shellcode using our Shellcode Heuristics (SCH) technology.
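As an added illustration (not code from this post or from IBM ISS), the following Python triage script applies two of the checks described above, detection of embedded JavaScript and of name-escape obfuscation, to a constructed sample PDF. The key list, regexes, risk levels and the sample file are assumptions made for the example, not the Proventia signature logic.

```python
import re

# Dictionary keys that introduce active content into a PDF. Their presence is a
# triage signal, not proof of malice (constructed list, not the Proventia signature set).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

# JavaScript idioms that usually accompany packed or obfuscated payloads.
OBFUSCATION = {
    "unescape": re.compile(rb"unescape\s*\("),
    "eval": re.compile(rb"\beval\s*\("),
    "fromCharCode": re.compile(rb"String\.fromCharCode"),
    "unicode-escape": re.compile(rb"%u[0-9A-Fa-f]{4}"),
}


def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes in PDF names (/J#61vaScript -> /JavaScript), a common
    trick for hiding keys from naive string matching. Decoding every #xx in the
    file is crude but adequate for triage."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return triage indicators found in the raw bytes of a PDF."""
    if not data.startswith(b"%PDF-"):
        return {"keys": [], "escaped_names": False, "obfuscation": [], "risk": "not-a-pdf"}
    plain = normalize_names(data)
    # Match whole names only, so /JS does not fire on /JavaScript or /JSX.
    keys = [k.decode() for k in ACTIVE_KEYS
            if re.search(re.escape(k) + rb"(?![A-Za-z])", plain)]
    # A key visible only after decoding means the author deliberately escaped it.
    escaped = any(k.encode() not in data for k in keys)
    obf = [name for name, rx in OBFUSCATION.items() if rx.search(plain)]
    if keys and (escaped or obf):
        risk = "high"
    elif keys:
        risk = "medium"
    else:
        risk = "low"
    return {"keys": keys, "escaped_names": escaped, "obfuscation": obf, "risk": risk}


# Constructed sample: a minimal PDF whose OpenAction runs escaped, packed JavaScript.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /J#53 (var p = unescape('%u0041%u0042'); eval(p);) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
```

Compressed object streams and encrypted documents hide these strings from a raw scan, so a network sensor must inflate streams before applying such checks.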

Malicious PDF file attacks are also appearing across our customer set in email. These appear to originate from malicious/phishing email campaigns using stolen or harvested email addresses, and they are equally effective at compromising a host once the recipient is tricked into opening the PDF file.

This video demonstrates the APSB08-19 (http://www.adobe.com/support/security/bulletins/apsb08-19.html) exploit by opening a proof-of-concept malicious PDF.


Upon closing the PDF, you'll notice that Adobe Reader remains running, meanwhile executing the embedded JavaScript and shellcode. Once finished, calc.exe is executed without any interaction from the user; in a real attack this could be replaced with remotely downloaded malware or a more deviant local command.

Because of the ease and the low level of attacker interaction required, exploiting a system through the web browser and active browser plugins is a sharply rising trend. Keeping patches and antivirus products updated is a must. Keeping your NIPS devices properly tuned for your environment is another effective and efficient way to prevent these exploits before protection via a software patch or AV signature is available.

Will the browser ever be safe? It’s not likely, but using a browser that does not implement or use ActiveX will drastically increase security. With the downturn in the economy, the lure of making a quick dollar through setting up a malicious website is attractive to any IT-savvy person in need.

In future articles I will dissect some of the crimeware kits and show how they work at the programming and server level. Understanding their attacks and methods of exploitation is essential to protecting yourself and the users in your network.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.