Gone are the days when PDF documents enjoyed being generally considered safe.
Ever since last year’s much publicized PDF exploit, PDFs are no longer considered safe. I realize I might be sounding a little dramatic here, but don’t get me wrong, the threat is very real and malicious.
One example of this threat is Troj/PDFex-E. Troj/PDFex-E is part of a targeted attack on South Korean politics. The PDF document contains an article snippet from The Economist Intelligence Unit discussing the political career of South Korea’s 16th President, Roh Moo-hyun.
The PDF document drops a nasty shellcode detected as Mal/JSShell-A. It also drops and executes a keylogger which periodically sends the collected log file to a remote server.
Adobe has issued a security alert about this exploit on Feb 7th, 2008. Troj/PDFex-C which exploited these security vulnerabilities was detected by Sophos on Feb 11th 2008, a mere 4 days after Adobe’s security alert.
Troj/PDFex-E’s circulation today clearly shows that probably there is a large population of unpatched Adobe Acrobat & Adobe Reader 8.1 installations out there which are falling victims to these maliciously crafted PDF documents.
It can be safely assumed that exploited PDFs like Troj/PDFex-E won’t be the last of its kind. So all we can do is keep our anti-malware detection up-to-date, and use some common sense.