Adobe Reader X stops malicious PDF spam campaign dead in its tracks


Adobe ReaderA new malicious spam campaign underlines the security benefits of upgrading to the latest version of Adobe Reader – Adobe Reader X.

SophosLabs are currently seeing reports of a low-level attack, spamming out malicious PDF attachments. Sophos products detect the attack as Mal/PDFEx-J.

The dangerous attached files use filenames of the form DD-MM-YYYY-NN.pdf (in other words, a date with a two digit number attached).

The emails typically look like this:

Hello, [recipient email]

It was scanned and sent to you using Xerox WorkCentre Pro.
Please open the attached document.

Sent by: Guest
Number of Images: 1 Attachment
File Type: PDF.
WorkCentre Pro Location: Machine location not set

I took a look at one sample of this family of malware (sha1:ef175336502a0216b4d0830944bc36e8155e0475) in order to see what would happen if I opened it with different versions of Adobe Reader.

When opened by Adobe Reader 8, the PDF displayed nothing, but does attempts to download and run malicious code from a Colombian TLD.

However, when I opened the same file with Adobe Reader X no attack occurs and an error message is displayed:

Adobe X error message

Other variants (also detected as Troj/PDFJs-QB) link download and run a fake anti-virus attack that Sophos intercepts as Mal/FakeAV-EA.

The malicious code is stored within the Producer tag :

Malicious code

Malicious code

and accessed via the this.producer

var qweval=5;
for(var i in this) {
	if (i.indexOf('qwe') != -1) {

Hiding code within other parts of PDF files isn’t a new trick and if you want to find out more about PDF threats then look at my earlier article: “PDF security under the microscope: A review of OMG-WTF-PDF”.

It appears that an update introduced in Adobe Reader X has broken a fundamental part of this threat. Well done Adobe!

For this reason, I would urge users and system administrators responsible for protecting firms to consider updating to Adobe Reader X as soon as possible.

Last year, my colleague Chet Wisniewski interviewed Adobe security chief Brad Arkin about all matters Adobe, including the then-upcoming Reader X. Take a listen below if you want to hear more about how Adobe is tackling security issues with its products.

(23 August 2010, duration 24:36 minutes, size 11.3MBytes)

You can also download this podcast directly in MP3 format: Chet Wisniewski interviews Adobe’s Brad Arkin. All of our past podcasts are available from and on iTunes.