For the last couple of weeks, we have been seeing a wave of malicious PDFs crafted to exploit security flaws in PDF reader software. For the last two weeks alone, we have detected more than 25 000 attacks involving this type of file. Attackers are exploiting two different vulnerabilities in Adobe Acrobat Reader to execute arbitrary code on victim computers and install malware. The two vulnerabilities are described in details here: CVE-2007-5020 and CVE-2007-5659. Versions of Adobe Acrobat Reader higher than 8.1.1 are not vulnerable to these attacks. We have seen malicious PDFs being distributed as email attachments but also in exploitation packs like NeoSploit that use this file as another way to attack web browsers.
Malware authors have been fast in introducing multiple layers of obfuscation in PDF files to try to evade antivirus detection. The first layer of obfuscation is directly in the PDF file. According to the specification, parts of the file can be compressed using zlib compression. Malware authors use this compression to hide their javascript from direct inspection. The javascript is then responsible of checking the reader's version, building a shellcode, placing everything in memory and calling one of the vulnerable function. In a majority of cases, the shellcode is also obfuscated using another layer of javascript obfuscation. More information on obfuscation used in PDFs can be found in a blog post from Websense's research team.
ESET NOD32 Antivirus detects PDF threats as PDF/Exploit.Pidief. The final payload of these attacks is, most of the time, to install a fake antivirus like XP Antivirus which is detected as Win32/Adware.Antivirus2008 by our antivirus.
Pierre-Marc Bureau
Senior Researcher