
PDF Worm – Exploit Requires No Specific Security Hole to Function

Security Holes Not Required to Attack via PDF files

If the sheer number of exploits in Adobe’s products over the last year hasn’t scared you off yet, then maybe a PDF attack (that doesn’t require an exploit or JavaScript to run) will. Here’s a proof of concept video for your viewing pleasure:

http://www.youtube.com/watch?feature=player_embedded&v=QNxJTt4vOT0

Jeremy Conway, product manager at NitroSecurity, created this proof of concept for an attack in which malicious code is injected into a file on a computer as part of an incremental update, but which could be used to inject malicious code into any or all PDF files on a computer. So it looks like a new generation of PDF worms is coming soon.


The attack requires the user of the computer to allow the code to be executed by agreeing to it via a dialog box. However, the attacker could at least partially control the content of the dialog box that appears to prompt the user to launch the executable and thus use social engineering to entice the computer user to agree to execute the malware, said Conway.

Worse, Foxit PDF, a growing competitor to Adobe, does not even warn the user that code is about to be invoked. It just quietly lets the code run without any user interaction!

Turning off JavaScript would not prevent the attack. It also does not require that the attacker exploit a vulnerability in the PDF reader itself. The PDF reader incremental update capability “can be used as an infection vector,” said Conway. The attack “does not exploit a vulnerability. No crazy Zero-Day (exploit) is needed to make this work.”

Another PDF security specialist, Didier Stevens, has developed a PDF document which is capable of infecting a PC without exploiting a specific vulnerability. The demo exploit works both in Adobe Reader and in Foxit. Stevens says he used the “Launch Actions/Launch File” option, which can even start scripts and EXE files that are embedded in the PDF document. This option is part of the PDF specification.



Stevens intends to keep his PDF document with the embedded code under wraps until the vendors respond. However, he has provided a document (direct download) which launches the command prompt when the PDF file is opened.

In principle, this concept is also said to be suitable for starting an FTP transfer to download and start a trojan.
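A defender-side triage for the two features described above (the incremental update and the Launch action), as an added example that is not from the original post or from Conway's or Stevens' work. The function names and the sample bytes are constructed for illustration; the samples are inert fragments, not working documents.

```python
import re
from collections import Counter

# PDF names relevant to the technique in this post: the action type itself,
# the two automatic triggers, and embedded file streams.
WATCHED = (b"/Launch", b"/OpenAction", b"/AA", b"/EmbeddedFile")

# A PDF name token: "/" followed by anything except whitespace or delimiters.
NAME = re.compile(rb"/[^\x00\t\n\f\r /<>\[\]()%{}]+")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def pdf_names(data: bytes):
    """Yield name tokens with #xx escapes decoded, so /L#61unch reads /Launch."""
    for m in NAME.finditer(data):
        yield HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group())


def triage(data: bytes) -> dict:
    """Count revisions and watched names in the raw bytes of a PDF.

    Limitation: names inside compressed object streams are not visible to a
    raw scan; decompress those first if the file uses them.
    """
    counts = Counter(n for n in pdf_names(data) if n in WATCHED)
    revisions = data.count(b"%%EOF")  # each incremental update appends one
    return {
        "revisions": revisions,
        "incremental_update": revisions > 1,
        "launch": counts[b"/Launch"],
        "auto_trigger": counts[b"/OpenAction"] + counts[b"/AA"],
        "embedded": counts[b"/EmbeddedFile"],
        "suspicious": counts[b"/Launch"] > 0,
    }


# Constructed sample: a single-revision fragment with no actions.
CLEAN = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
         b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

# Constructed sample: the same bytes plus an appended revision that redefines
# the catalog with an open action of type Launch (name partly hex-escaped).
UPDATED = CLEAN + (b"1 0 obj\n<< /Type /Catalog /OpenAction << /S /L#61unch >> >>\n"
                   b"endobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("updated", UPDATED)):
        print(label, triage(sample))
```

A hit on `launch` together with `incremental_update` is the pattern to review first, since it means the action may have been appended to an existing document rather than authored with it.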
