Another Sunday, another exploited PDF

Gone are the days when PDF documents enjoyed being generally considered safe.

Ever since last year’s much publicized PDF exploit, PDFs have no longer been considered safe. I realize I might be sounding a little dramatic here, but don’t get me wrong, the threat is very real and malicious.

One example of this threat is Troj/PDFex-E. Troj/PDFex-E is part of a targeted attack on South Korean politics. The PDF document contains an article snippet from The Economist Intelligence Unit discussing the political career of South Korea’s 16th President, Roh Moo-hyun.

The PDF document drops a nasty shellcode detected as Mal/JSShell-A. It also drops and executes a keylogger which periodically sends the collected log file to a remote server.

Adobe issued a security alert about this exploit on Feb 7th, 2008. Troj/PDFex-C, which exploited these security vulnerabilities, was detected by Sophos on Feb 11th 2008, a mere 4 days after Adobe’s security alert.

Troj/PDFex-E’s circulation today clearly shows that there is probably a large population of unpatched Adobe Acrobat & Adobe Reader 8.1 installations out there which are falling victim to these maliciously crafted PDF documents.

It can be safely assumed that exploited PDFs like Troj/PDFex-E won’t be the last of their kind. So all we can do is keep our anti-malware detection up-to-date, and use some common sense.