Pdf readers are commonly used, and so far this year, they have been a highly abused third party plugin. Tens of thousands of malcrafted pdf exploits have been prevented from running by ThreatFire on our community systems so far this year. This information is being presented to encourage our users to upgrade their pdf reader software to the latest version and remind them of the versions available.
Usually, attackers deliver these malcrafted pdf files via malicious websites serving up links to malcrafted pdf files and sometimes send spam with malcrafted pdf email attachments. Even if you do not regularly open pdf files within your browser or open email attachments containing pdf files, if you have installed Adobe Reader, please take a minute to visit the web site and upgrade the software to the latest version.
Here is the variety of attacked Adobe Acrobat Reader versions targeted this year (as of the very beginning of March) and their percent of the pie (rounded numbers here):
Reader v9 less than 1%
Reader v8 48%
Reader v7 50%
We also see a number of banking/identity password stealers delivered via malcrafted pdf files, with Zbot leading the charge, followed by a variety of Hupigon stealers and FakeAV.
This morning, we witnessed v9 exploited on multiple users’ desktops by malcrafted pdf files with the shellcode downloading a gaming password stealer from hxxp:(slashslash)202(dot)67(dot)215(dot)110(slash)caonimabi.exe. This link is live and serving malware — DO NOT download and run it.
So what techniques are employed most frequently in the shellcode?
The shellcode is generally around 215 bytes long, following a lengthy nop sled. UrlDownloadToFile, ShellExecute and WinExec are the most commonly implemented api calls in the malicious pdf based shellcode that we’ve examined.
If you have installed pdf reader software on your system, no matter how often you think that you use them, please be sure to upgrade. It’s useful stuff so it’s ubiquitous, and become a common target of commodity exploit kits.