Adobe Mulls Changes To Reader Amid Malware Threat

According to Websense, the malicious PDFs being spammed out by attackers are leveraging the launch action feature used by PDF viewers such as Adobe Reader and Foxit Reader.

Adobe Systems has not made a decision whether to change its approach to the launch action feature in Adobe Reader now being abused in a malware attack.

A spokesperson for Adobe told eWEEK Friday the company is still evaluating if it will do anything to address a design issue that is being roped into an attack campaign infecting users with the Zeus Trojan. According to Websense, attackers have been sending e-mails with a malicious PDF file. The attack is similar to a technique security researcher Didier Stevens disclosed roughly two weeks ago that used the launch action function to launch an embedded executable in a PDF file.

Powerful Functionality Carries Potential Risks

Stevens’ proof-of-concept triggered a warning dialog in Adobe Reader, and Foxit Software updated its Foxit Reader recently to provide a warning as well. According to Adobe spokesperson Wiebke Lips, the warning provided by the company’s software contains “strong wording advising users to only open and execute the file if it comes from a trusted source.”

“This is an example of powerful functionality relied on by some users that also carries potential risks when used incorrectly,” Lips has said.

While the attack reported by Websense is similiar to Stevens, it appears technically to use a Metasploit module developed last year. “The Metasploit Framework has had support for the PDF Launch method since August of 2009, when Colin Ames of Attack Research released the module as part of his Black Hat USA presentation,” said HD Moore, founder of the Metasploit project and chief security officer at Rapid7. “The technique to hide the malicious command was disclosed by Didier Stevens when he independently found this feature in late March.”

According to Websense, the attack works this way: the user receives a malicious PDF file which contains the threat as an embedded file. When recipients open the PDF, it asks them to save a file called Royal_Mail_Delivery_Notice.pdf, which is actually a Windows executable.

“The file you would be saving is the hidden embedded Trojan which then launches automatically,” explained Carl Leonard, senior research manager at Websense Security Labs.
Once the malicious PDF launches the dropped file and takes control of the computer, it connects to an attack server in China, he said.

Data-Stealing Zeus Trojan

Zeus is best known as a data-stealing Trojan targeting online banking information. It is widely available on hacker forums, with variants selling from a few hundred to several thousand dollars.

While Adobe considers whether or not it will adjust the launch action feature or leave it as is, there are a few steps users concerned about the issue can take to protect themselves.
“There are a three simple things home users can do to protect themselves,” Moore advised. “The first and foremost is to ensure that their copy of Adobe Reader is updated with the latest patches. The Launch action requires user confirmation, but many of the previous Reader vulnerabilities required no action at all on the user’s side.”

“The second thing is to disable Javascript within Adobe Reader…(and) the final thing is to change the Trust settings within Adobe Reader to prevent external, non-PDF attachments from being launched,” he said.