In early 2010, PDF exploits were by far the most common malware tactic, representing more than 47 percent of all Q1 infections tracked by Kaspersky Labs. By mid-year, PDF exploits had fallen to 30 percent, overtaken by Java. However, PDF remains the world’s second most popular target.
For those running PDF software – lead by Adobe Reader and its commercial counterpart Acrobat – these attacks have triggered a seemingly nonstop stream of updates. Why do malware writers love to exploit PDF and how you can avoid becoming a casualty of this on-going arms race?
- Low-hanging fruit: One of the biggest reasons that PDF exploits blossomed in 2009 was Adobe Reader’s ubiquity. According to Kaspersky researcher Roul Schouwenberg, hardening techniques like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) had been rolled into Windows, making OS exploits less attractive. Malware writers searching for more fertile fields seized upon PDF as a wildly popular monoculture ripe for attack. Just about every desktop has a PDF reader installed — usually Adobe Reader or Acrobat. This enormous pool of potential victims translates into a financially lucrative attack target worthy of investment in malware development.
- Push-button exploits: In reality, as malware kits that exploited PDF vulnerabilities became readily available, little effort or expense was actually needed to tap this opportunity. According to M86 Security Labs, malware kits such as LuckySploit, CrimePack, and Fragus can be purchased for as little as $100 — and commonly top out around $1,000. This trend started with MPack but really ramped up in 2008; today, most new malware kits include Adobe Flash, Java classes and PDF-based exploits. Those kits made it trivial to create obfuscated automated attacks that leveraged Adobe Reader’s many well-known code vulnerabilities.
- Large attack surface: PDF is an industry standard portable document format, implemented by many free and commercial programs. But Adobe’s Reader and Acrobat products are driven by an extremely large and complex code base which includes numerous proprietary extensions. This translates into functionality and flexibility — characteristics that have made PDF a “universal language” for document exchange. But it also means an extremely large attack surface that has proven difficult for Adobe and anti-malware vendors to defend. One example: Adobe Reader supports embedded Javascript objects — yet another foothold that malware writers can use to gain traction.
- Slow moving mitigation: According to a Microsoft Security Intelligence Report, three Adobe Reader vulnerabilities — patched in May 2008, November 2008 and March 2009 — accounted for more than 46 percent of all browser-based attacks. Vulnerabilities such as these were so widely exploited because, until mid-2010, Adobe did not have an auto-update infrastructure. Soon after an updater was released, PDF exploits began to decline. However, they did not disappear because 1) users must opt into auto-updates, and 2) updates are only checked for the installed version. Thus, users still running Adobe Reader 7.0 or 8.0 may think they are current, having enabled auto-update and installed all available patches. But they should really be moving to Reader X to avoid exploits that succeed only against older versions.
- The race is still on: During the past year, Adobe has taken significant steps to reduce PDF exploitation. In addition to auto-updates, Adobe developed an Adobe Reader Protected Mode – a secure sandbox in which PDFs can be opened for display, handcuffing malware calls to other applications and using policy to determine actions that are automatically allowed or blocked. Unfortunately, users can defeat these protections by clicking “yes.” Although users may now realize that PDFs are used for phishing, many still don’t think of PDFs as harboring malware. And attackers continue to find new holes to exploit and new ways to evade detection – for example, return-oriented programming (ROP) and stolen digital certificates have played roles in recent PDF exploits.
Unlike other attack vectors that administrators know how to police through scanning and filtering, reducing risk of PDF exploitation can be challenging. Few businesses can afford to simply block PDF attachments and downloads — legitimate PDFs are just far too prevalent and ingrained in our business practices. However, employers can take steps defend themselves against known exploits.
Start by upgrading every desktop or laptop to the latest version of Adobe Reader or Acrobat, enabling auto-update, and configuring settings — for example, disabling Javascript. Some organizations may consider using alternative PDF readers; doing so might reduce attack surface but raises concerns about freeware reader legitimacy, safety, and interoperability. Monitor PDF reader vulnerabilities to ensure priority patches are applied in a timely fashion — monthly isn’t good enough. Scan stored and downloaded PDFs for malware before they can be opened. Finally, educate users — especially executives and staff often targeted by spear phishing — about the risks posed by PDFs.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.
