Attack of the PDF Documents: How Adobe’s PDF Format has become one of the top carriers of malware
by Jim Rapoza, Independent Security Technology Analyst
A Sophos whitepaper - December 2010

Quick quiz. What is one of the predominant ways that your computers and IT systems can become infected with malware? Did you guess security holes in your web browser? Vulnerabilities in the operating system itself? Microsoft Outlook and other email systems? How about the classic method of downloaded executables and programs that are infected with viruses?

While all of these are good guesses--and are still significant sources of malware attacks--the correct answer is PDF documents.

That’s right. A simple, seemingly inoffensive PDF (which stands for Portable Document Format) has become one of the most common methods for infecting systems with malware. To many people it seems strange that a document file can be a payload for malware. After all, it’s just a document. It isn’t a program or some kind of executable. How can it be used to infect a computer? As a result of this rationale, many users remain ignorant of the risks that these document files represent.

The problem is that PDF documents are no longer “just a document.” The PDF standard now supports JavaScript, along with tighter connections into user systems from the Adobe Reader program. This makes it very easy for virus writers to utilize scripting within PDF documents and security holes in the Reader software to load malware code and surreptitiously deliver this code onto computers.

Since PDF has become so common on the Internet, with nearly every business using it as the document format of choice for delivering forms, articles, and whitepapers, the security problems and malware potential of PDF are far too tempting for the bad guys to ignore.

To some, a solution would be to avoid PDF files. But PDF has become too instrumental to business and communication to simply ignore it. Another route would be to turn off the scripting capabilities in PDF, which are an entry point for malware code. However, these capabilities provide features for collaboration and document rights management and are very valuable to many users. Therefore, simply turning off scripting is not a valid solution.

A good path to take is to start to understand how PDF-based malware spreads, how it attacks systems, and how it can be prevented. Forewarned is forearmed, and understanding the threat of PDF malware is a solid step towards protecting yourself and your business from being infected.

The Growing Threat of PDF-based Malware

PDF documents were not always such an obliging vehicle for malware transportation. Once upon a time, PDF files were simply documents that were popular for business use. PDF documents would display in the same way for everyone who viewed them, and they provided surety that the document was unaltered from what the creator intended.

But, starting in the 1990s, users began to demand and expect more out of document formats such as PDF. They needed richer document controls, more varied security and rights management options, capabilities for collaborative editing of documents, and the ability for PDF documents to interact directly with computer systems and other applications such as office suites.

Vendors such as Adobe were happy to meet the needs of their users. Soon, scripting and other interactive capabilities were built into PDF and the Reader program; this added many new powers and features for the document format. But this also made it possible for malicious scripts to be executed from PDF files, or even for malware to be embedded directly into documents.

Combine this with the presence of PDF files on a majority of websites and you have a recipe for malware infections. Virus writers have used the holes and scripting capabilities of PDF to infect files. These files can then be sent through email, loaded onto both sketchy and perfectly legitimate websites, and appear in search results.

With the majority of end users ignorant of the threat that PDF files can represent, this has created a “perfect storm” that has made it possible for PDF-based malware to spread widely and quickly. Even relatively savvy users, who would be suspicious of a program downloaded from an unknown site or attached to an email, will often go right ahead and open a PDF document. And, without knowing it, they will have infected their system.

How PDF-based Malware Attacks

All PDF-based malware share the same delivery method in that they infect your system by hiding inside a PDF document. However, the methods that they use to attack and infect your system are as varied as viruses themselves.

In many cases, the malware hidden in the PDF document uses scripting to make hidden calls to external malware on the Internet, which is then quietly downloaded and installed on the system. In these situations the delivered malware can take the form of nearly anything--from rootkits that infect systems to the core, to botnet software that turns user systems into zombies used for spreading malware and spam.

It is also possible for malicious code to be hidden directly inside the PDF file, and in this case the scripts will simply install and run the malware directly onto the user system.
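As an added example (not from the Sophos paper), here is a small Python triage scanner of the kind a mail or web gateway could run, looking for the PDF features the section above describes as entry points: JavaScript actions, actions that run when the document opens, actions that launch an external program, and embedded files. The name tokens are from the PDF specification; the two sample files are constructed inline and the program name in the second one is a placeholder.

```python
"""Triage scanner for the PDF features the paper names as malware entry points:
scripting (/JavaScript, /JS), actions that run on open (/OpenAction, /AA),
external-program launch (/Launch) and embedded payloads (/EmbeddedFile).
A hit means "inspect more closely", not proof of malice; samples are constructed."""
import re
import zlib

RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")


def inflate_streams(data: bytes) -> bytes:
    """Replace FlateDecode stream bodies with their decompressed content so
    names hidden inside compressed object streams are visible to the scan."""
    def _inflate(m):
        try:  # decompressobj tolerates trailing bytes and truncated streams
            return b"stream\n" + zlib.decompressobj().decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)  # not Flate-compressed: keep the raw bytes
    return re.sub(rb"(?<![a-z])stream\r?\n(.*?)\nendstream", _inflate, data, flags=re.S)


def unescape_names(data: bytes) -> bytes:
    """PDF names may hex-escape characters (/J#61vaScript is /JavaScript);
    normalise them so an obfuscated name still matches."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count each risky name in the normalised document text."""
    text = unescape_names(inflate_streams(data))
    counts = {}
    for name in RISKY_NAMES:
        # lookahead keeps /JS from matching /JSx and /AA from matching /AAPL
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        counts[name] = len(re.findall(pattern, text))
    return counts


def is_suspicious(counts: dict) -> bool:
    """Any scripting, auto-action, launch or embedded file warrants review."""
    return any(counts.values())


# Constructed samples: minimal PDF skeletons, not real documents.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n%%EOF\n")
SUSPECT_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
               b"3 0 obj << /S /J#61vaScript /JS (1+1) >> endobj\n"
               b"4 0 obj << /Filter /FlateDecode >>\nstream\n"
               + zlib.compress(b"<< /S /Launch /F (placeholder-program) >>")
               + b"\nendstream\nendobj\n%%EOF\n")
```

Run `scan_pdf(open(path, "rb").read())` on a file; the suspect sample reports one hex-escaped JavaScript action, one OpenAction and one Launch action hidden in a compressed stream, while the benign sample reports nothing.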
Other attacks can be even more pernicious. For example, one recently discovered form of PDF malware used security weaknesses in PDF and Adobe Reader to make direct system calls, even to the point of launching dialog boxes. Many users automatically click “OK” in any dialog box they encounter, and this launches the malware.

Prevention

What steps can users take today to protect their systems from PDF-based malware and prevent it from infecting their systems?

Unfortunately, there is currently no ironclad way that this form of malware can be completely stopped. But there are a number of steps that can be taken to prevent many types of attacks and give users a fighting chance to protect their systems.

The ideal solution would be for Adobe to completely fix the security issues in PDF and Reader that are being exploited by virus writers. To their credit, Adobe has been regularly updating and patching Reader to try to combat malware.

But not every user upgrades their software regularly. And, the writers of PDF-based malware have been releasing new and inventive methods of attack faster than Adobe can patch holes.

Another suggestion is to turn off scripting within your PDF reading software. This will prevent some malware from infecting your system; however, there are drawbacks.

First, scripting does not always stay turned off when a user upgrades or installs new reader software. There are also constant pop-up windows that tell users that they won’t be able to properly use the document with scripting turned off, and this may cause them to turn scripting back on.

In addition, turning off scripting doesn’t prevent every form of PDF-based malware. For example, the form of attack mentioned earlier--where direct system calls were used to launch dialog boxes that triggered infection--works even when scripting is disabled.

There are some techniques being worked on now that could offer better protection from PDF-based malware in the near future.

For example, Adobe is taking advantage of Microsoft Practical Sandboxing. This feature is used by the IE Protected Mode in Vista and Windows 7 to wall off code found in PDF, and restricts the ability to access and infect other areas of the operating system. There is also some work being done on using virtual machines to keep Adobe PDF content from being able to serve as a malware delivery vehicle for the underlying operating system.

However, for now, some of the best prevention techniques are the same ones that businesses and individuals use to protect themselves from any form of malware. These include making sure that all of your software is patched and up-to-date. This includes your operating system, web browser, PDF reader application and your anti-virus and security programs.

The right security applications also provide a good layer of protection against PDF-based malware. These include desktop anti-virus and security applications that can detect and stop many different forms of attack, along with email and network gateway platforms that can often stop infected PDF files before they cross over to end-user PCs.

But, one of the best forms of protection is simply awareness and caution. Being aware that PDF documents can be used to spread malware and being vigilant and cautious about downloading or receiving PDF files is a good first step towards preventing an infection.

Conclusion

PDF documents aren’t going away, and they shouldn’t. When servers, email, web browsers and operating systems were used as attack vectors for malware, no one suggested to simply stop using them.

But at present, PDF files have become a very common way for malware to be delivered, and users need to be aware of these attacks and be prepared to stop them.

Hopefully, Adobe working together with its partners at Microsoft and security firms will solve the problems that make PDF files such effective vehicles for delivering malware. Then, the threat of this form of malware can be--if not eliminated--at least greatly mitigated.

Until then, we all must take steps to protect our systems and businesses against being infected by malware delivered through PDF files. Because somewhere among those safe and necessary articles, forms, business receipts, and contracts, is a piece of hidden malware waiting to strike.

To learn more about Sophos and to evaluate any of our products free for 30 days, please visit us at www.sophos.com
Boston, USA | Oxford, UK
© Copyright 2010. Sophos. All rights reserved. All trademarks are the property of their respective owners.