Recently, Marian and Andrei presented a paper at the CARO Workshop about PDF vulnerabilities and exploits related to them.
As we presented in our latest Security Intelligence Report, there was an increase in the use of these exploits, and the trend keeps going on. Since the beginning of the year, we have received over five thousand different samples taking advantage of various PDF vulnerabilities. Even though updates for these vulnerabilities are available, some for more than a year, people remain vulnerable despite having the solution at hand. And what is more important, the malicious samples work and people still get infected because they have not protected their systems as they should. The chart below shows the evolution by month which shows how things keep trending up:
An example of how an attack takes place would be like this: a website hosts a specially crafted PDF document, which contains the exploit code. Someone visits the page and the browser opens the PDF document, executing the PDF application in order to show its content. If the version of the PDF application in the user’s system is vulnerable, the obfuscated exploit code (e.g. a variant of Win32/Pdfjsc) is executed and downloads an awful piece of malware. This downloaded malware can obviously change from a password stealer to any other specimen the bad guys want. Some of the cases we have seen include members of families like Win32/Vundo, Win32/Renos, etc...
Nowadays, most applications have the option to update automatically. Let’s take advantage of it and have a safer computer experience. For more information on how to update your Adobe software, visit the Adobe security bulletin page.
Andrei Saygo, Marian Radu & Enrique Gonzalez