Intrepidus Group

PDF Ownage: It is getting ugly out there

Posted: April 19, 2010 – 1:13 pm | Filed under: pdf

As previously documented, the PDF format is full of fun items, like the /Launch action, which allows an arbitrary binary to be executed. Within two weeks of Didier Stevens’ article about his PoC, a number of researchers (myself included) and malware authors have been getting in on the act. The current news is that the Zeus botnet is being used to push a malicious PDF that attempts to abuse /Launch actions.

There are several important pieces of information regarding this PDF. Looking closer, it appears the PDF used by the Zeus botnet is not using the latest and greatest techniques to exploit the PDF platform. The current incarnation of the Zeus PDF relies on JavaScript and is not abusing everything it could to gain a higher success rate; simply disabling JavaScript would render this PDF ineffective. They are also using the standard file attachments section of the PDF specification to attach their malicious binary payload, and most quality antivirus and mail gateway products know to check for “standard” attachments inside of PDF documents. They are not effectively social engineering the dialog box for the launch action, either. Another look at this malicious PDF, and at how vast and unexplored some parts of the PDF specification are, can be read about over here. The only interesting aspect of this malicious PDF is that they in fact used a launch action. For more information on the current attack, see this description of the malicious PDF the Zeus botnet is pushing.

I would like to clear the air a bit. There seems to be some confusion out there regarding what Didier Stevens actually discovered in his research (and what we developed a proof of concept for). The /Launch /Action “vulnerability” has been known for a while. It was discussed as early as 2008 at BlackHat Europe (page 12), so the concept of a launch action that runs an executable has been well known. There are two critical “innovations” to understand in the new threat. The first is controlling the contents of the dialog box and social engineering the user. The second is using a non-standard method of embedding an executable that is not part of the PDF spec. These are two separate issues that, combined, allow this new breed of PDF documents to slip transparently through antivirus gateways and trick users more easily. Things get a little more out of control when it turns out Foxit Reader launched programs silently without alerting the user, which was a previously undiscovered vulnerability. However, the idea itself has been in the spec for some time and has been discussed in the security community.
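As an added illustration (this is not code from the original post, from Didier Stevens, or from Intrepidus Group), here is a small Python triage scanner that flags the features discussed in the two paragraphs above: /Launch actions together with the target and parameter strings that feed the launch dialog, JavaScript, automatic actions (/OpenAction and /AA), and executable bytes stored outside the standard /EmbeddedFile attachment mechanism that mail gateways already inspect. The two sample PDFs, the function names, the placeholder launch target and the score weights are all constructed for this example. The matching is a regex heuristic over the raw bytes rather than a full PDF parser: it does decode `#xx` name escapes, but objects hidden inside compressed object streams or an encrypted file would have to be decoded before this scan sees them.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a minimal benign PDF with no active content.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the catalog's /OpenAction points at a /Launch action,
# an /AA hook runs JavaScript, and a stream carries a DOS/PE header with no
# /EmbeddedFile entry (executable bytes stored in a non-standard way).
# Launch target and parameters are placeholders, not a real payload.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AA << /O 5 0 R >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch /Win << /F (PLACEHOLDER.exe) /P (PLACEHOLDER-ARGS) >> >> endobj
5 0 obj << /S /JavaScript /JS (app.alert\\(1\\)) >> endobj
6 0 obj << /Length 4 >> stream
MZ\x90\x00
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""


@dataclass
class PdfFindings:
    launch_actions: list = field(default_factory=list)  # (target, params)
    has_javascript: bool = False
    has_open_action: bool = False
    has_additional_actions: bool = False
    has_embedded_file: bool = False
    has_pe_header: bool = False


def _normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated name such as /L#61unch still matches."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def _extract_launch_actions(data: bytes) -> list:
    """Return (target, parameters) for every /Launch action dictionary found."""
    actions = []
    for m in re.finditer(rb"/S\s*/Launch\b", data):
        window = data[m.end(): m.end() + 512]   # rest of the action dictionary
        end = window.find(b"endobj")
        if end != -1:
            window = window[:end]
        target = re.search(rb"/F\s*\(([^)]*)\)", window)
        params = re.search(rb"/P\s*\(([^)]*)\)", window)
        actions.append((target.group(1) if target else b"",
                        params.group(1) if params else b""))
    return actions


def scan_pdf(data: bytes) -> PdfFindings:
    data = _normalize_names(data)
    return PdfFindings(
        launch_actions=_extract_launch_actions(data),
        has_javascript=re.search(rb"/(JavaScript|JS)\b", data) is not None,
        has_open_action=b"/OpenAction" in data,
        has_additional_actions=re.search(rb"/AA\b", data) is not None,
        has_embedded_file=b"/EmbeddedFile" in data,
        # Common DOS-stub prefix of a PE file; a heuristic, not PE parsing.
        has_pe_header=b"MZ\x90\x00" in data,
    )


def risk_score(f: PdfFindings) -> int:
    """Weighted tally; a /Launch action alone is reason enough to quarantine."""
    score = 3 if f.launch_actions else 0
    score += 1 if f.has_javascript else 0
    score += 1 if (f.has_open_action or f.has_additional_actions) else 0
    if f.has_pe_header:
        # Executable bytes outside /EmbeddedFile: the non-standard embedding
        # that gateways checking only standard attachments will miss.
        score += 2 if not f.has_embedded_file else 1
    return score


def report(name: str, data: bytes) -> str:
    f = scan_pdf(data)
    lines = [f"{name}: risk score {risk_score(f)}"]
    for target, params in f.launch_actions:
        lines.append(f"  /Launch -> {target!r} params={params!r}")
    lines += [f"  {k}" for k, v in vars(f).items() if v is True]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("benign", BENIGN_PDF))
    print(report("suspicious", SUSPICIOUS_PDF))
```

The parameter string is reported verbatim because, as the post explains, that is the text an attacker shapes to make the launch dialog look harmless; a gateway rule that quarantines on any /Launch action regardless of its wording needs no judgement about the message at all.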

Solving the problem of this attack and others like it will be hard. This malicious PDF and others like it are important because it isn’t really possible to simply patch these issues if a PDF reader is going to support the PDF “platform”. Many real applications rely on these platform features. The question is finding a balance that keeps these useful features useful without making them a threat to the average use case for a PDF document. The average use case is, by far, just viewing a PDF with no active content, embedded media or JavaScript living inside of it. It is becoming clear that most of these features should simply be disabled, or not compiled into the binary that most users get. It may harm the utility of the Adobe PDF platform somewhat, but most users only need a good lightweight PDF reader that does nothing more than read PDFs. I understand Adobe’s position that PDF is really a platform for them at this point. Shipping a “dumbed down” PDF reader that could only render and display PDFs would not create an install base for the platform. However, it would give users what they really need and want in many cases (a good PDF reader) and dramatically decrease the attack surface of the PDF format.


One Trackback

  1. By Week 16 in Review – 2010 | Infosec Events on April 26, 2010 at 1:37 am

    [...] PDF Ownage: It is getting ugly out there – The current news is that the Zeus botnet is being used to push a malicious PDF that attempts to abuse /Launch actions. [...]
