PDF Reader Exploitation 2009

Pdf readers are commonly used, and so far this year, they have been a highly abused third party plugin. Tens of thousands of malcrafted pdf exploits have been prevented from running by ThreatFire on our community systems so far this year. This information is being presented to encourage our users to upgrade their pdf reader software to the latest version and remind them of the versions available.

Usually, attackers deliver these malcrafted pdf files via malicious websites serving up links to malcrafted pdf files and sometimes send spam with malcrafted pdf email attachments. Even if you do not regularly open pdf files within your browser or open email attachments containing pdf files, if you have installed Adobe Reader, please take a minute to visit the web site and upgrade the software to the latest version.

Here is the variety of attacked Adobe Acrobat Reader versions targeted this year (as of the very beginning of March) and their percent of the pie (rounded numbers here):

Reader v9 less than 1%
Reader v8 48%
Reader v7 50%

This list does not mean that Acrobat Reader 7 is the most vulnerable of the versions. As a matter of fact, the top five subversion info, in order of highest number of incidents, is,,,, However, it may tell us that the highest number of users that install ThreatFire continue to use one of the version 7 products and seeing it attacked. If you are using any of the Adobe Reader versions, please upgrade to the latest at their web site.

Some of the most common payloads for the exploits’ shellcode are downloaders. Unfortunately, that leaves the explanation a bit hazy, because by definition, a downloader simply pulls down more software and “loads” it. Well, from our vantage point, most commonly the downloaders fetch and install FakeAV software, otherwise called rogueware. One example that we discussed last year was an Antivirus 360 downloader, which seemed to replace the Antivirus 2009 attacks. Current examples are sites delivering downloaders like hxxp:(slashslash)f-o-r(dot)ms(slash)xrun.tmp
We also see a number of banking/identity password stealers delivered via malcrafted pdf files, with Zbot leading the charge, followed by a variety of Hupigon stealers and FakeAV.
This morning, we witnessed v9 exploited on multiple users’ desktops by malcrafted pdf files with the shellcode downloading a gaming password stealer from hxxp:(slashslash)202(dot)67(dot)215(dot)110(slash)caonimabi.exe. This link is live and serving malware — DO NOT download and run it.
And on a more recent trend, malcrafted pdf files will download more exploit code. For example, malcrafted pdf files generated by the LuckySploit exploit pack will pull down more javascript served at 72(dot)233(dot)79(dot)18(slash)prn(slash), and wreck more havok, installing a rootkit to hide more downloaders installed on the victim system.

So what techniques are employed most frequently in the shellcode?
The shellcode is generally around 215 bytes long, following a lengthy nop sled. UrlDownloadToFile, ShellExecute and WinExec are the most commonly implemented api calls in the malicious pdf based shellcode that we’ve examined.

If you have installed pdf reader software on your system, no matter how often you think that you use them, please be sure to upgrade. It’s useful stuff so it’s ubiquitous, and become a common target of commodity exploit kits.

This entry was posted in The Law. Bookmark the permalink.

One Response to PDF Reader Exploitation 2009

  1. Joe says:

    Why is nobody posting vulnerability information or data regarding Acrobat 6?

    It may not be the current version, but it still opens the vast majority of pdf files currently being published, and if it’s vulnerability profile is reduced compared to versions 7 through 9 then there is no reason not to consider using it as an alternative to the (apparently) more vulnerable versions.

    I have tested win98/Acrobat 6.0.2 against some of the proof of concept examples that are available and have not found them to function as designed.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>