Hackers May Use Malicious PDFs to Expand Malware

According to a warning issued by Jeremy Conway, Product Manager at the security firm NitroSecurity, Internet fraudsters might use malicious Portable Document Format (PDF) files to spread malware to clean PDF files stored on a target system that runs Foxit Reader or Adobe Acrobat Reader, as reported by CNET News on April 5, 2010.

Conway developed a proof of concept for an attack in which malware is injected into a file as an incremental update. The same approach could be used to insert malware into any or all PDF files present on the system.

Conway added that the attack requires the computer user to permit the execution of code by approving it through a dialog box. However, the attacker can gain partial control over the content displayed in that dialog box, and so can use social engineering to lure the user into executing the malware.

Conway's proof-of-concept attack uses the same weakness in PDF readers that was recently discovered and blogged about by the Belgium-based security researcher Didier Stevens, who is known for his work on PDF bugs, as reported by Computerworld.com on April 1, 2001.

Stevens demonstrated how he used a particular feature in Foxit Reader and Adobe Reader to run executable code from a malformed PDF on a Windows PC. His technique does not need an underlying flaw or vulnerability in either program to compromise the system. The attack only needs to trick users into opening a PDF document.

Attacks that rely on social engineering are not new. Until now, however, hackers needed an exploit for a software flaw to carry out a successful attack delivered through PDFs.

When an executable within a PDF starts, Adobe Reader displays a warning; Foxit Reader shows no such warning. Stevens said that he discovered a technique to alter Adobe's warning.

Although Adobe has not disclosed the strategy it will adopt to mitigate this issue, a future Adobe Reader update will most probably carry stricter notifications when handling embedded executables through the launch command. Foxit Software plans to ship a patch soon to address the issue. The company promotes its software as a substitute for Adobe's Reader.
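
A defender can triage documents for the two traits this article describes: a launch action, and content appended to a file as an incremental update. The Python sketch below is an added example, not code from Conway, Stevens or either vendor; the function name `triage_pdf` and the sample byte strings are constructed for illustration.

```python
import re

# PDF syntax lets any character in a name be written as #xx (hex), so names
# are normalised before comparison: /L#61unch and /Launch are the same name.
_NAME = re.compile(rb"/((?:[^\x00\t\n\x0c\r ()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

def _names(data):
    """Return every name token in the raw bytes with #xx escapes decoded."""
    return [_HEX.sub(lambda m: bytes([int(m.group(1), 16)]), n)
            for n in _NAME.findall(data)]

def triage_pdf(data):
    """Raw-byte triage of a PDF for launch actions and appended revisions.

    Limits: objects stored in compressed object streams are invisible to a
    raw scan, and more than one %%EOF is only an indicator, since ordinary
    saved revisions and linearized files also produce it.
    """
    first_eof = data.find(b"%%EOF")
    # Everything after the first end-of-file marker was appended later.
    tail = data[first_eof + 5:] if first_eof >= 0 else b""
    return {
        "launch_actions": _names(data).count(b"Launch"),
        "revisions": data.count(b"%%EOF"),
        "launch_in_update": b"Launch" in _names(tail),
    }

# Constructed samples: structural skeletons only, not working documents.
CLEAN = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
         b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
UPDATED = CLEAN + (b"5 0 obj\n<< /Type /Action /S /L#61unch /F (placeholder) >>\n"
                   b"endobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("updated", UPDATED)):
        print(label, triage_pdf(sample))
```

A file that reports `launch_in_update` as true deserves a closer look before it is opened in a reader that honours the launch command.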


» SPAMfighter News - 4/14/2010
