Malware inside PDF Files

Published: 2010-07-04
Last Updated: 2010-07-04 18:45:57 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
3 comment(s)

There is an interesting trend of malware: Javascript Malware inside PDF files. Many people have not updated their programs to read PDF files (I have seen personally people with Adobe Reader 5 on their computers) and so they are exposed to old exploits.

There is an interesting analysis posted by Kimberly (http://stopmalvertising.com/malware-reports/analysis-of-wzzc_pdf-exploitjspdfkacnk) that shows a Obfuscated Javascript inside a PDF file taking advantage of CVE-2008-2992 and CVE-2009-0927. The Wepawet service (http://wepawet.iseclab.org) shows possible malware inside PDF files.

Please remember: if a new version for a software goes out and it does not affect your operation, please use it. It will help you to prevent future headaches.

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

3 comment(s)

Comments

"Java Malware inside PDF files"
"Obfuscated Javascript inside a PDF file"

Do you mean Java, or JavaScript, or both? (There is a difference.)
ooops, sorry. Got a typo. It is Javascript. Thanks!!
I know a number of sites that will not upgrade from Acrobat Reader V5 because that was the last version before "Adobe Went Evil" as they put it; the newer versions added upgraders, scripting, DRM, lots of 'connections' into the registry or other system guts, or other features that were considered intrusive/invasive, not compatible with the sites' security policies, and/or the cause of considerable system stability problems (there were some really bad versions back then...). Even with the recent problems, they might consider Acrobat 10.x to be more malware than the malware it is supposed to protect against.

For myself I use Foxit or xPDF and try to stay up to date, but haven't used Reader in a few years...
Diary Archives