Adobe Reader X stops malicious PDF spam campaign dead in its tracks

Filed Under: Adobe, Malware, PDF, SophosLabs, Spam, Vulnerability

A new malicious spam campaign underlines the security benefits of upgrading to the latest version of Adobe Reader - Adobe Reader X.

SophosLabs are currently seeing reports of a low-level attack, spamming out malicious PDF attachments. Sophos products detect the attack as Mal/PDFEx-J.

The dangerous attached files use filenames of the form DD-MM-YYYY-NN.pdf (in other words, a date with a two digit number attached).

The emails typically look like this:

Hello, [recipient email]

It was scanned and sent to you using Xerox WorkCentre Pro.
Please open the attached document.

Sent by: Guest
Number of Images: 1 Attachment
File Type: PDF.
WorkCentre Pro Location: Machine location not set

I took a look at one sample of this family of malware (sha1:ef175336502a0216b4d0830944bc36e8155e0475) in order to see what would happen if I opened it with different versions of Adobe Reader.

When opened by Adobe Reader 8, the PDF displayed nothing, but it did attempt to download and run malicious code from a Colombian TLD.

However, when I opened the same file with Adobe Reader X no attack occurs and an error message is displayed:

Adobe X error message

Other variants (also detected as Troj/PDFJs-QB) link to, download and run a fake anti-virus program that Sophos intercepts as Mal/FakeAV-EA.

The malicious code is stored within the Producer tag:

Malicious code

and accessed via this.producer:

var qweval=5;                          // plant a property whose name is 'eval' padded with 'qw'
for(var i in this) {                   // walk every property name of the document object
	if (i.indexOf('qwe') != -1) {      // locate the planted 'qweval' name
		jbka=this[i.replace('qw','')]; // strip 'qw' to get 'eval', so jbka is now the eval function
	}
}
jbka('cck=this.producer');             // copy the Producer metadata string into cck
xswi=jbka(cck.substr(0,19));           // execute the first 19 characters of that string
...
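The trick above (script hidden in the Info dictionary, reached through this.producer, with eval resolved by walking the document's property names) can be spotted without executing anything. The following detection script is an added example, not code from the post or from Sophos; the PDF bytes are a constructed minimal sample, and pdf_literal and scan_metadata are hypothetical names.

```python
import re
from typing import Optional

# Constructed sample (not a real sample from the post): a minimal PDF whose
# /Producer string carries JavaScript and whose OpenAction script reaches it
# through this.producer after resolving eval via a property-name walk.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Producer (var a=unescape('%u9090');eval(this.producer.substr(19)))"
    b" /Creator (Xerox WorkCentre Pro) >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (var qweval=5;for(var i in this){"
    b"if(i.indexOf('qwe')!=-1){jbka=this[i.replace('qw','')];}}"
    b"jbka('cck=this.producer');) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

def pdf_literal(data: bytes, key: bytes) -> Optional[bytes]:
    """Return the literal string value following /key, honouring nested
    parentheses and backslash escapes as PDF literal strings allow."""
    m = re.search(rb"/" + key + rb"\s*\(", data)
    if not m:
        return None
    i, depth, out = m.end(), 1, bytearray()
    while i < len(data) and depth:
        c = data[i:i + 1]
        if c == b"\\":                    # escaped character: copy it verbatim
            out += data[i + 1:i + 2]; i += 2; continue
        depth += (c == b"(") - (c == b")")
        if depth:
            out += c
        i += 1
    return bytes(out)

# Fragments no legitimate producer or creator name should contain.
JS_MARKERS = (b"eval(", b"unescape(", b"this.producer", b"%u", b".substr(", b"app.")

def scan_metadata(data: bytes) -> dict:
    """Flag Info-dictionary strings that look like code, and scripts that
    read metadata or resolve eval by walking the document's property names."""
    findings = {}
    for key in (b"Producer", b"Creator", b"Title", b"Subject"):
        val = pdf_literal(data, key)
        if val and any(mk in val for mk in JS_MARKERS):
            findings[key.decode()] = "metadata contains script-like content"
    js = pdf_literal(data, b"JS") or b""
    if re.search(rb"this\.(producer|creator|title|subject)", js):
        findings["JS"] = "script reads document metadata"
    if re.search(rb"for\s*\(\s*var\s+\w+\s+in\s+this\s*\)", js) and b".replace(" in js:
        findings["JS-obfuscation"] = "eval resolved by property-name walk"
    return findings

if __name__ == "__main__":
    print(scan_metadata(SAMPLE_PDF))
```

The scanner reads only the raw object syntax, so it works on an uncompressed Info dictionary and an unencoded /JS string; real samples with compressed object streams need decompressing first.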

Hiding code within other parts of PDF files isn't a new trick and if you want to find out more about PDF threats then look at my earlier article: "PDF security under the microscope: A review of OMG-WTF-PDF".

It appears that an update introduced in Adobe Reader X has broken a fundamental part of this threat. Well done Adobe!

For this reason, I would urge users and system administrators responsible for protecting firms to consider updating to Adobe Reader X as soon as possible.

Last year, my colleague Chet Wisniewski interviewed Adobe security chief Brad Arkin about all matters Adobe, including the then-upcoming Reader X. Take a listen below if you want to hear more about how Adobe is tackling security issues with its products.


(23 August 2010, duration 24:36 minutes, size 11.3MBytes)

You can also download this podcast directly in MP3 format: Chet Wisniewski interviews Adobe's Brad Arkin. All of our past podcasts are available from http://podcasts.sophos.com and on iTunes.


6 Responses to Adobe Reader X stops malicious PDF spam campaign dead in its tracks

  1. Thu Win · 1175 days ago

    I use foxit reader on my Win7 machine because it's light. BTW does foxit reader break the threat? I also use PDF Xchange on my dad's XP machine because it can write on PDF documents without creating a watermark. Can you please test on Foxit and PDF Xchange?

    Thanks!

    • Jon Bessant · 1146 days ago

      This report is based around Adobe Reader X - feedback is that sandboxing is a positive move by Adobe to keep the threats in 'jail'. So why not contact Foxit and PDF Xchange and ask them?

  2. BoilerD331 · 1175 days ago

    Downloaded Adobe X and guess what. They attached a McAfee Security program with the download that I certainly didn't want. Thanks adobe!!!

  3. Pj2 · 1175 days ago

    Since the threat appears to be Javascript-based, does disabling JS help in older versions of Reader?

    It's nice that Reader X is knocking down some of the badware, but I have a notion that people will be running Reader 8.2.x at least until Windows XP is no longer in use...the upgrade cycle on Reader (especially in Corporate America) is dreadfully slow!

  4. Alex · 1175 days ago

    When you download you can deselect the Mcafee scan. Good that the new reader stopped it, great reporting as always.

  5. Jean Ford · 1152 days ago

    There are vulnerabilities that you don't mention that you may wish to address. They are enumerated here: http://www.zdnet.com/blog/security/adobe-reader-x...
    if you want to see if there's more to be said to your Sophos audience.
    Thanks.


About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos to pastures new and will be writing as an independent malware researcher. Paul has: published several papers, presented at several Virus Bulletins and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the NakedSecurity blog.