
SANS ISC: Malware inside PDF Files - SANS Internet Storm Center SANS ISC InfoSec Forums


Malware inside PDF Files

There is an interesting malware trend: JavaScript malware inside PDF files. Many people have not updated the programs they use to read PDF files (I have personally seen people with Adobe Reader 5 on their computers), so they remain exposed to old exploits.

Kimberly has posted an interesting analysis (http://stopmalvertising.com/malware-reports/analysis-of-wzzc_pdf-exploitjspdfkacnk) that shows obfuscated JavaScript inside a PDF file taking advantage of CVE-2008-2992 and CVE-2009-0927. The Wepawet service (http://wepawet.iseclab.org) shows possible malware inside PDF files.

Please remember: when a new version of a piece of software is released and upgrading does not affect your operations, please install it. It will help you prevent future headaches.

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

Manuel Humberto Santander Peláez

185 Posts
ISC Handler
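
A small triage pass for the kind of file the diary describes, as an added example (not code from the diary, from Kimberly's analysis or from Wepawet): it counts the PDF names that carry or auto-trigger JavaScript, decoding `#xx` name escapes and inflating Flate streams before matching. The function names and the sample bytes are constructed for illustration.

```python
import re
import zlib

# Names that mark embedded script (/JS, /JavaScript) or automatic triggers (/OpenAction, /AA).
KEYWORDS = ("/JS", "/JavaScript", "/OpenAction", "/AA")
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
NAME = re.compile(rb"/[A-Za-z0-9#_.\-]+")

def decode_name(raw: bytes) -> str:
    """Undo the #xx hex escapes that PDF names allow, e.g. /J#61vaScript."""
    plain = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")

def scannable_parts(data: bytes):
    """Yield the bytes outside streams, then each stream body (inflated when it is zlib data)."""
    yield STREAM.sub(b"", data)
    for m in STREAM.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            yield m.group(1)  # not zlib data: scan the bytes as stored

def triage(data: bytes) -> dict:
    """Count keyword names and record which ones were written with hex escapes."""
    counts = dict.fromkeys(KEYWORDS, 0)
    obfuscated = set()
    for part in scannable_parts(data):
        for m in NAME.finditer(part):
            name = decode_name(m.group(0))
            if name in counts:
                counts[name] += 1
                if b"#" in m.group(0):
                    obfuscated.add(m.group(0).decode("latin-1"))
    return {"counts": counts, "obfuscated_names": sorted(obfuscated)}

# Constructed sample (not a real document, no xref table): the catalog's trigger
# uses a hex-escaped name and the JavaScript action sits in a compressed object stream.
_ACTION = b"4 0 << /S /J#61vaScript /JS (app.alert\\('constructed'\\);) >>"
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Open#41ction 4 0 R >>\nendobj\n"
    b"5 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode >>\n"
    b"stream\n" + zlib.compress(_ACTION) + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A non-zero count only says the file contains script or an automatic action; hex-escaped keyword names are a stronger signal, since ordinary PDF producers have no reason to write them that way.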
"Java Malware inside PDF files"
"Obfuscated Javascript inside a PDF file"

Do you mean Java, or JavaScript, or both? (There is a difference.)
Anonymous
ooops, sorry. Got a typo. It is Javascript. Thanks!!
Manuel Humberto Santander Peláez

185 Posts
ISC Handler
I know a number of sites that will not upgrade from Acrobat Reader V5 because that was the last version before "Adobe Went Evil" as they put it; the newer versions added upgraders, scripting, DRM, lots of 'connections' into the registry or other system guts, or other features that were considered intrusive/invasive, not compatible with the sites' security policies, and/or the cause of considerable system stability problems (there were some really bad versions back then...). Even with the recent problems, they might consider Acrobat 10.x to be more malware than the malware it is supposed to protect against.

For myself I use Foxit or xPDF and try to stay up to date, but haven't used Reader in a few years...
Manuel Humberto Santander Peláez
1 Posts
