How do .PDF viruses work? Where is a malware website? - Page 2



Re: How do .PDF viruses work? Where is a malware website?

RayLopez99 wrote :

Wrong, but I expected no less.

[...]



How do .PDF viruses work? Where is a malware website?

+ User FidoNet address: 1:3634/12.42
 R> For example, if you go to Adobe Preferences, then click on Trust
 R> Manager, you can see the checkboxes (which are usually checked)
 R> "Allow Opening of non-PDF file attachments with external
 R> applications".

 R> If you check that checkbox, then your PDF can launch badware.  It's
 R> that simple.

that's only one vector, ray... it is also one that requires the executable to
already be on your machine... the real problem is the stuff that's embedded
inside the PDF... that stuff can be executed without being written to the
drive...

http://www.sans.org/security-resources/malwarefaq/pdf-overview.php
http://www.sans.org/security-resources/malwarefaq/pidief.php
http://computer-forensics.sans.org/blog/2009/12/14/pdf-malware-analysis

http://www.sans.org/security-resources/blogs

uncle/auntie google is your friend...

)\/(ark
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ The FidoNet News Gate (Huntsville, AL - USA)        +
+ The views of this user are strictly his or her own. +
+ All data is scanned for malware by Avast! Antivirus +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

Re: How do .PDF viruses work? Where is a malware website?

+ User FidoNet address: 1:3634/12.42

 DHL> Java scripting is embedded in PDF files because there is more to a
 DHL> PDF than static display of published data.

yes, i'm fully aware of all of this... when it first started appearing, i told
many folks then that PDF was going to turn into a big problem because of it...
i have actually collected on a few of the bets made back then ;)

)\/(ark

Re: How do .PDF viruses work? Where is a malware website?

+ User FidoNet address: 1:3634/12.42

 F> I haven't seen any Java in a PDF, but JavaScript - yes.

yes, that's why i listed both with an or between them... i didn't feel like
taking the time to confirm if it were one, the other, or possibly both ;)

FWIW: yes, i know the two are quite different, too... they only share the four
letters "java" in their names ;)

)\/(ark

Re: How do .PDF viruses work? Where is a malware website?

+ User FidoNet address: 1:3634/12.42

 R> I see.  Tx Mark Lewis.  From the below, this seems like a small
 R> problem with Adobe Reader.  Like the workaround says, just do this:
 R> "Disabling automatic rendering of PDFs in browsers"  

that's only for another vector... you also have PDFs that arrive via other
means... /all/ of them are vulnerable if the PDFs are specially crafted for
this purpose...  

 R> (not sure how but I'll Google Aunt Bing!)  

that's an interesting use of the phrase :)

 R> 1. User opens a malicious PDF (Document loaded into PDF Viewer)
 R> 2. An embedded script is set to execute "On Open"
 R> 3. Script extracts and decodes embedded malware
 R> -- and / or --
 R> 4. Script downloads malware from an internet site
 R> 5. New malware is installed on the victim's system

 R>  One very powerful augment to this defensive approach is the
 R> implementation of application controls to limit potentially
 R> malicious PDF Reader behaviors.  Examples of application controls
 R> include:

 R>     Disabling JavaScript support within the PDF Reader

this is what i've done and continue to do because it gets re-enabled on some
systems i manage... so each update of adobe reader leads to an audit of the
settings...

 R>     Disabling automatic rendering of PDFs in browsers

this can lead to problems in some cases with some users and their failure to
understand the problem as compared to their expectations...

 R>     Block PDF Readers from accessing the filesystem and network
 R> resources using Host IPS, Process Control, or Process Whitelisting
 R> Technology  

 R> While application controls can be very effective, it may break some
 R> desirable user functionality and may prevent the Reader from
 R> patching itself.  Both of these obstacles can be overcome but care
 R> should be taken when imposing these controls.

exactly... especially in business environments where ignorance abounds...

FWIW: there are other PDF readers available but they may be vulnerable in other
ways...

)\/(ark

Re: How do .PDF viruses work? Where is a malware website?

+ User FidoNet address: 1:3634/12.42

 F> ....and by far not the most common.

 F> Most I've seen don't have embedded files or attachments.

exactly... they've got obfuscated java or javascript in them... why in deity's
name they put that ability into a document display tool is quite beyond me...
in any case, the javaschit jumps around and bypasses the sandbox perimeter to
get outside and pull in the malware they chose off of external sites... once
one of those is in and operational, all bets are off...

)\/(ark
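The infection chain quoted earlier in the thread (an "On Open" trigger, an embedded script, a payload that is decoded from the file or fetched from outside) and Mark's point in the last post that the script is usually obfuscated are exactly what a defender looks for when triaging a suspect PDF. The script below is an added example for this thread; it is not code from any poster or from the SANS pages linked above, and the sample documents it builds are constructed inline and are not real malware. It scans the raw bytes for the name tokens involved (/OpenAction, /AA, /JavaScript, /JS, /Launch, /EmbeddedFile) after undoing two of the cheapest obfuscations: FlateDecode-compressed streams and #xx hex escapes inside PDF names (so /J#61vaScript is still seen as /JavaScript).

```python
"""
PDF triage scanner: an added example for this thread, not code from any poster
or from the SANS pages linked above. The sample documents it builds are
constructed inline and are not real malware.
"""
import re
import zlib

# Name tokens that let a document trigger, run or launch something.
TRIGGER_NAMES = ("/OpenAction", "/AA")             # fire automatically (open / page events)
PAYLOAD_NAMES = ("/JavaScript", "/JS", "/Launch")  # script, or hand-off to an external program
OTHER_NAMES = ("/EmbeddedFile", "/RichMedia", "/URI")

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Undo hex escapes in name tokens, e.g. /J#61vaScript -> /JavaScript."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Replace each stream body that inflates as zlib/FlateDecode with its plaintext.
    Bodies that are not Flate data (images, other filters) are left as they are."""
    def expand(m: re.Match) -> bytes:
        d = zlib.decompressobj()
        try:
            plain = d.decompress(m.group(1)) + d.flush()
        except zlib.error:
            return m.group(0)
        return b"stream\n" + plain + b"\nendstream"
    return _STREAM.sub(expand, data)


def count_risky_names(data: bytes) -> dict:
    """Count risky name tokens after inflating streams and undoing name escapes.
    A name ends at a delimiter, so /JS is not counted inside /JSx."""
    text = normalize_names(inflate_streams(data))
    counts = {}
    for name in TRIGGER_NAMES + PAYLOAD_NAMES + OTHER_NAMES:
        hits = re.findall(re.escape(name.encode()) + rb"(?![A-Za-z0-9])", text)
        if hits:
            counts[name] = len(hits)
    return counts


def triage(data: bytes) -> tuple:
    """Return (verdict, counts): 'suspicious' when an automatic trigger is paired
    with script or a Launch action, 'review' when script, Launch or an embedded
    file is present without a trigger, otherwise 'clean'."""
    counts = count_risky_names(data)
    trigger = any(n in counts for n in TRIGGER_NAMES)
    payload = any(n in counts for n in PAYLOAD_NAMES)
    if trigger and payload:
        return "suspicious", counts
    if payload or "/EmbeddedFile" in counts:
        return "review", counts
    return "clean", counts


def build_sample_pdf(with_script: bool = True, obfuscate: bool = True) -> bytes:
    """Construct a minimal PDF skeleton (no xref table, not meant to open in a
    viewer). With with_script=True the catalog's /OpenAction references a
    JavaScript action stored inside a Flate-compressed object stream, using
    hex-escaped names when obfuscate=True. The script is a harmless alert."""
    if with_script:
        js = b"(app.alert('constructed sample'))"
        action = (b"/S /J#61vaScript /J#53 " if obfuscate else b"/S /JavaScript /JS ") + js
        inner = b"3 0 << " + action + b" >>"
        open_action = b" /OpenAction 3 0 R"
    else:
        inner = b"3 0 << /Producer (constructed benign sample) >>"
        open_action = b""
    body = zlib.compress(inner)
    parts = [
        b"%PDF-1.5\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R" + open_action + b" >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
        b"4 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
        + str(len(body)).encode() + b" >>\nstream\n" + body + b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    samples = (("obfuscated", build_sample_pdf()),
               ("plain", build_sample_pdf(obfuscate=False)),
               ("benign", build_sample_pdf(with_script=False)))
    for label, doc in samples:
        verdict, counts = triage(doc)
        print(f"{label:10s} {verdict:10s} {counts}")
```

To run it over a real file, call `triage(open(path, "rb").read())`. Note what the verdict means: as the DHL> quote says, legitimate forms and workflows also embed JavaScript, so "suspicious" flags a document for analysis or for blocking at a gateway, not a proven infection. The scanner only undoes Flate compression and name escapes; other stream filters, encrypted documents and script that reconstructs itself at run time need a proper parser or a sandboxed viewer, which is why the application controls quoted above (JavaScript disabled, no external launch, restricted filesystem and network access) remain the stronger defence.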
