A new malicious spam campaign underlines the security benefits of upgrading to the latest version of Adobe Reader – Adobe Reader X.
SophosLabs are currently seeing reports of a low-level attack, spamming out malicious PDF attachments. Sophos products detect the attack as Mal/PDFEx-J.
The dangerous attached files use filenames of the form DD-MM-YYYY-NN.pdf (in other words, a date with a two digit number attached).
The emails typically look like this:
Hello, [recipient email]
It was scanned and sent to you using Xerox WorkCentre Pro.
Please open the attached document.
Sent by: Guest
Number of Images: 1 Attachment
File Type: PDF.
WorkCentre Pro Location: Machine location not set
I took a look at one sample of this family of malware (sha1:ef175336502a0216b4d0830944bc36e8155e0475) in order to see what would happen if I opened it with different versions of Adobe Reader.
When opened in Adobe Reader 8, the PDF displayed nothing but attempted to download and run malicious code from a domain under a Colombian TLD.
However, when I opened the same file with Adobe Reader X, no attack occurred and an error message was displayed:
Other variants (also detected as Troj/PDFJs-QB) download and run a fake anti-virus attack that Sophos intercepts as Mal/FakeAV-EA.
The malicious code is stored within the PDF's Producer metadata tag and accessed via this.producer. The script enumerates the document object's properties looking for a name containing 'qwe' (its own variable qweval), strips 'qw' to obtain the name 'eval', and uses that alias to read and evaluate the Producer string:
var qweval=5;
for(var i in this) { if (i.indexOf('qwe') != -1) { jbka=this[i.replace('qw','')]; } }
jbka('cck=this.producer');
xswi=jbka(cck.substr(0,19));
...
Hiding code within other parts of PDF files isn’t a new trick and if you want to find out more about PDF threats then look at my earlier article: “PDF security under the microscope: A review of OMG-WTF-PDF”.
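As an added, defender-side example (not code from this post or from Sophos), the scan below turns the two observations above into a detection heuristic: it flags Info-dictionary strings (Producer, and by the same logic the other metadata fields) that look like script, and flags document scripts that read this.producer or enumerate document properties to alias eval. The PDF skeletons, marker list and tag names are constructed assumptions, not artefacts from the campaign.

```python
import re
# Constructed inputs (not the campaign's real file): a PDF skeleton whose Info
# /Producer carries script text and whose OpenAction script reads this.producer.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (var qweval=5; for\\(var i in this\\) "
    b"{ if \\(i.indexOf\\('qwe'\\) != -1\\) { jbka=this[i.replace\\('qw',''\\)]; } } "
    b"jbka\\('cck=this.producer'\\);) >> endobj\n"
    b"3 0 obj << /Producer (xswi=cck.substr\\(19\\); eval\\(xswi\\);) /Creator (Scanner) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n")
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Producer (Xerox WorkCentre Pro) >> endobj\ntrailer << /Info 1 0 R >>\n%%EOF\n"
INFO_KEYS = (b"Producer", b"Creator", b"Title", b"Subject", b"Author", b"Keywords")
SCRIPT_MARKERS = ("eval(", "unescape(", "substr(", "indexOf(", "replace(", "app.", "this.")
PROP_ENUM = re.compile(r"for\s*\(\s*var\s+\w+\s+in\s+this\s*\)")  # property walk used to alias eval

def read_literal(data, pos):  # decode the PDF literal string whose '(' is at data[pos]
    depth, out, i = 1, bytearray(), pos + 1
    while i < len(data) and depth:
        c = data[i:i + 1]
        if c == b"\\":                 # backslash: keep the next byte, drop the backslash
            c, i = data[i + 1:i + 2], i + 1
        else:
            depth += (c == b"(") - (c == b")")   # unescaped parentheses nest
        if depth:
            out += c
        i += 1
    if depth:
        raise ValueError("unterminated literal string")
    return out.decode("latin-1")

def literal_values(data, key):
    """Every '/key (...)' literal string in the file, decoded."""
    return [read_literal(data, m.end() - 1)
            for m in re.finditer(rb"/" + key + rb"\s*\(", data)]

def scan_pdf(data):
    """Sorted finding tags; only literal strings are parsed (hex strings and
    compressed /JS streams would need decoding first and are out of scope)."""
    findings = set()
    for key in INFO_KEYS:                       # script text where a tool name belongs
        if any(m in v for v in literal_values(data, key) for m in SCRIPT_MARKERS):
            findings.add("script_in_metadata:" + key.decode())
    for js in literal_values(data, b"JS"):      # scripts that fetch their payload from metadata
        for key in INFO_KEYS:
            if "this." + key.decode().lower() in js:
                findings.add("script_reads_metadata:" + key.decode())
        if PROP_ENUM.search(js):
            findings.add("script_enumerates_document_properties")
    return sorted(findings)
```

Run against the constructed sample it reports all three tags; against the benign skeleton it reports nothing, which is the behaviour a mail-gateway or sandbox rule would want before escalating.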
It appears that an update introduced in Adobe Reader X has broken a fundamental part of this threat. Well done Adobe!
For this reason, I would urge users and system administrators responsible for protecting firms to consider updating to Adobe Reader X as soon as possible.
Last year, my colleague Chet Wisniewski interviewed Adobe security chief Brad Arkin about all matters Adobe, including the then-upcoming Reader X. Take a listen below if you want to hear more about how Adobe is tackling security issues with its products.
(23 August 2010, duration 24:36 minutes, size 11.3MBytes)
You can also download this podcast directly in MP3 format: Chet Wisniewski interviews Adobe’s Brad Arkin. All of our past podcasts are available from http://podcasts.sophos.com and on iTunes.
I use Foxit Reader on my Win7 machine because it's light. BTW does Foxit Reader break the threat? I also use PDF Xchange on my dad's XP machine because it can write on PDF documents without creating a watermark. Can you please test on Foxit and PDF Xchange?
Thanks!
This report is based around Adobe Reader X – feedback is that sandboxing is a positive move by Adobe to keep the threats in 'jail'. So why not contact Foxit and PDF Xchange and ask them?
Downloaded Adobe X and guess what. They attached a McAfee Security program with the download that I certainly didn't want. Thanks Adobe!!!
Since the threat appears to be Javascript-based, does disabling JS help in older versions of Reader?
It's nice that Reader X is knocking down some of the badware, but I have a notion that people will be running Reader 8.2.x at least until Windows XP is no longer in use… the upgrade cycle on Reader (especially in Corporate America) is dreadfully slow!
When you download you can deselect the McAfee scan. Good that the new reader stopped it, great reporting as always.
There are vulnerabilities that you don't mention that you may wish to address. They are enumerated here: http://www.zdnet.com/blog/security/adobe-reader-x… if you want to see if there's more to be said to your Sophos audience.
Thanks.