The rise in the exploitation of old PDF vulnerabilities

Exploitation of software vulnerabilities continues to be a common way to infect computers with malware. Leveraging exploits allows malware authors to infect, disrupt, or take control of a computer without the user’s consent and typically without their knowledge. Exploits target vulnerabilities in operating systems, web browsers, applications, or software components that are installed on the computer.

Figure 1 below shows the prevalence of exploits targeting document readers and editors detected by Microsoft antimalware products each quarter from 3Q11 to 4Q12, by number of unique computers affected.

Figure 1: Document readers and editors exploit prevalence detected by Microsoft antimalware products

It was interesting to see that exploits that target vulnerabilities in document readers and editors rose sharply in 4Q12. This was primarily due to increased exploitation of vulnerabilities in Adobe Reader and Adobe Acrobat software, as shown in Figure 2.

Figure 2: Computers affected with exploits for document readers and editors

Win32/Pdfjsc was the most significant contributor to the rise in 4Q12. It is a family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. These files contain JavaScript that executes when the file is opened. The embedded JavaScript may contain malicious instructions, such as commands to download and install other malware. Files detected as Win32/Pdfjsc may arrive on the system when a user visits a compromised or malicious webpage, or opens a malicious PDF email attachment.
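The mechanism described above (JavaScript embedded in a PDF and wired to run as soon as the document opens) is visible in the file's structure: a /JavaScript or /JS entry together with an automatic trigger such as /OpenAction or /AA. The following Python script is an added example, not code from the original post or from Microsoft; it counts those name objects in a PDF, decoding #xx escapes inside names and inflating FlateDecode streams so that a dictionary hidden in compressed data is counted as well. The two sample PDFs and the flate_object helper are constructed here for illustration; they are not Pdfjsc samples.

```python
import re
import zlib

# Constructed minimal PDFs (not real Pdfjsc samples). The first wires an
# /OpenAction to a /JavaScript action, so the script runs as soon as the
# document is opened; the second is the same document without any action.
SAMPLE_PDF_WITH_JS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('constructed sample');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
SAMPLE_PDF_CLEAN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name objects worth counting: script carriers (/JavaScript, /JS),
# automatic triggers (/OpenAction, /AA) and other action/form features.
SUSPICIOUS_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                    b"/Launch", b"/AcroForm", b"/XFA"]


def normalize_names(data):
    """Decode #xx escapes inside PDF names (e.g. /Java#53cript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Yield the inflated content of each stream whose body is valid zlib data."""
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:
            # decompressobj ignores the EOL bytes that sit before 'endstream'
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue


def scan_pdf(data):
    """Return {name: count} for SUSPICIOUS_NAMES seen in the raw file or in inflated streams."""
    views = [normalize_names(data)]
    views += [normalize_names(s) for s in inflate_streams(data)]
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # the name must end here: /JS must not match the start of /JSX, etc.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9])"
        n = sum(len(re.findall(pattern, view)) for view in views)
        if n:
            counts[name.decode()] = n
    return counts


def runs_script_on_open(data):
    """True when the file carries JavaScript plus a trigger that fires without user action."""
    found = scan_pdf(data)
    has_script = "/JavaScript" in found or "/JS" in found
    has_trigger = "/OpenAction" in found or "/AA" in found
    return has_script and has_trigger


def flate_object(payload):
    """Build a constructed PDF object whose dictionary is hidden in a FlateDecode stream."""
    body = zlib.compress(payload)
    return (b"5 0 obj << /Length " + str(len(body)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n")


if __name__ == "__main__":
    for label, doc in (("with JS", SAMPLE_PDF_WITH_JS), ("clean", SAMPLE_PDF_CLEAN)):
        print(label, scan_pdf(doc), "auto-run:", runs_script_on_open(doc))
```

A non-zero count is a triage signal rather than a verdict: legitimate forms also use /AcroForm and occasionally /JS, so the combination of a script carrier with an automatic trigger (runs_script_on_open) is the stronger indicator for mail-gateway or sandbox pre-filtering.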

The following are some of the vulnerabilities whose exploits are detected as Win32/Pdfjsc:

Out of all the vulnerabilities covered by this family, the most detections in 4Q12 were for exploits against the vulnerability discussed in CVE-2010-0188. This was primarily because exploits for CVE-2010-0188 are used by a number of exploit kits, including Blacole.

These are the top variants reported within the Win32/Pdfjsc family for 4Q12. They all detect PDF files that contain malicious JavaScript exploiting the vulnerability discussed in CVE-2010-0188:

The exploits commonly use any of these file names:

  • pdf_new[1].pdf
  • auhtjseubpazbo5[1].pdf
  • avjudtcobzimxnj2[1].pdf
  • pricelist[1].pdf
  • couple_saying_lucky[1].pdf
  • 5661f[1].pdf 7927
  • 9fbe0[1].pdf 7065
  • pdf_old[1].pdf

The file names change very often, so please exercise caution with email and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.

CVE-2010-0188 was fixed by Adobe in a security update released on February 16, 2010 (Adobe Security Bulletin APSB10-07). The following versions are vulnerable:

  • Adobe Reader 9.3 and earlier versions for Windows, Macintosh, and UNIX
  • Adobe Acrobat 9.3 and earlier versions for Windows and Macintosh

This vulnerability is still being exploited widely even though a fix has been available for over 2 years. It is important to install updates for all the software that is installed on your computer. These are usually available from vendor websites. Instructions on how to download the latest versions of some common software are available from this article:

Here are some URL patterns for websites that serve these exploits:

  • /Url/deemed_registers.php?mlnzk=0709023634&gkytzxb=47&isb=030a37380a0a0a33360b&fvl=02000200020002
  • /nine/convince_measuring.php?cjrucx=1h:1k:1o:1m:1l&bumxdow=w&xuufri=1g:1h:2v:1i:32:2v:1o:1f:1k:30&qqlhkw=1f:1d:1f:1d:1f:1d:1f
  • /links/dollar-knowledge-editors.php?cdkt=0536340702&ywem=4b&pcjrou=3507083705040b050835&mafard=02000200020002
  • /fine/genuine_purposes.php?qlxf=2v:1i:1g:1l:1j&vpnkgwp=38&ssall=33:1f:31:32:1g:1n:1m:1g:1f:1g:1p:1p:2v:1l:1h:1n:31:2v:1m:31:2v:1g:1p:1p:32:1l:31:1i:
  • /flags/lady_fill.php?ypgu=3434343534&bgchvwrb=4b&jwl=35090536080b043604090c0c38333738373506350609&sna=02000200020002

Exercise caution when you see such patterns in the links to webpages especially if you receive them from unknown sources or if the links are to a webpage that you are not familiar with, unsure of the destination of, or suspicious of.
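The five URLs listed above share a recognisable shape: a short directory, a script name made of two or three dictionary words joined by "_" or "-", and a query string whose random-looking keys carry values that are either runs of hex byte pairs or colon-separated two-character tokens. The Python script below is an added example, not code from the original post or from Microsoft; it turns that shape into a heuristic that can be run over proxy logs. The path regexes, the log format and the log lines are constructed for this example (the flagged lines reuse paths from the list above under placeholder hosts), and the thresholds are assumptions tuned to the five samples rather than published rules.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Shape shared by the landing-page URLs listed above: a short directory, a
# two-or-three-word script name joined by '_' or '-', and a query string
# whose random keys carry hex byte pairs or colon-separated short tokens.
PATH_RE = re.compile(r"^/[A-Za-z]+/[A-Za-z]+(?:[_-][A-Za-z]+){1,3}\.php$")
KEY_RE = re.compile(r"^[a-z]{3,8}$")
HEX_VALUE_RE = re.compile(r"^(?:[0-9a-f]{2}){5,}$")                   # 0709023634, 02000200020002
COLON_VALUE_RE = re.compile(r"^[0-9a-z]{1,2}(?::[0-9a-z]{1,2}){3,}:?$")  # 1h:1k:1o:1m:1l


def looks_like_landing_url(url):
    """Heuristic match for the landing-page URL shape; False for ordinary PHP links."""
    parts = urlsplit(url)
    if not PATH_RE.match(parts.path):
        return False
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len(params) < 3 or not all(KEY_RE.match(k) for k, _ in params):
        return False
    encoded = sum(1 for _, v in params
                  if HEX_VALUE_RE.match(v) or COLON_VALUE_RE.match(v))
    # each of the samples above carries the encoding in at least two values
    return encoded >= 2


# Constructed proxy log lines: "<timestamp> <client> <method> <url>". The two
# flagged URLs reuse paths from the list above; every host is a placeholder.
SAMPLE_LOG = """\
2013-01-15T10:01:02Z 10.0.0.5 GET http://landing.example/Url/deemed_registers.php?mlnzk=0709023634&gkytzxb=47&isb=030a37380a0a0a33360b&fvl=02000200020002
2013-01-15T10:01:03Z 10.0.0.5 GET http://landing.example/nine/convince_measuring.php?cjrucx=1h:1k:1o:1m:1l&bumxdow=w&xuufri=1g:1h:2v:1i:32:2v:1o:1f:1k:30&qqlhkw=1f:1d:1f:1d:1f:1d:1f
2013-01-15T10:02:00Z 10.0.0.7 GET http://intranet.example/docs/pricelist.pdf
2013-01-15T10:03:00Z 10.0.0.8 GET http://blog.example/blog/index.php?page=2&sort=date
2013-01-15T10:04:00Z 10.0.0.9 GET http://shop.example/cart/add_item.php?id=42&qty=1&ref=home
"""


def scan_log(text):
    """Return (client, path) for every log line whose URL matches the landing-page shape."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip it rather than abort the scan
        client, url = fields[1], fields[3]
        if looks_like_landing_url(url):
            hits.append((client, urlsplit(url).path))
    return hits


if __name__ == "__main__":
    for client, path in scan_log(SAMPLE_LOG):
        print(client, path)
```

A hit on a client is a lead to pivot on, not proof of infection: the next step is to check the same client's subsequent requests for a PDF download and to confirm whether its Adobe Reader or Acrobat build is older than the APSB10-07 update.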

Tanmay Ganacharya

Comments (1)

  1. luci says:

    thanks for the information
