Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Targeted PDFs Used as Exploits

Created: 20 Feb 2009 14:37:02 GMT • Updated: 23 Jan 2014 18:37:21 GMT
Patrick Fitzgerald's picture
0 0 Votes
Login to vote

Symantec Security Response has received several PDF files that actively exploit a vulnerability in Adobe Reader. We are continuing to remain in contact with Adobe on this vulnerability in order to ensure the security of our mutual customers.

This exploit is currently detected heuristically as Bloodhound.PDF.6 by our products. We have noticed an increase in submissions of similar PDFs using this exploit. So far, these attacks appear to be targeted and not widespread. Symantec is continuing to monitor the vulnerability’s use in the wild.

While examining the JavaScript code used for “heap-spraying” in these PDFs, we can see the same comments that show that these separate exploit attempts come from the same source! It seems likely that the people behind this threat are using targeted attacks against high-ranking people within different organizations—for example, locating the CEO’s email address on the company website and sending a malicious PDF in the hope that their malicious payload will run. Once the machine is compromised, the attackers may gain access to sensitive corporate documents that could be costly for companies breached by this threat.

The vulnerability is caused by an error in parsing particular structures within the PDF format. Once the malicious document is opened it will trigger the vulnerability. The JavaScript payload then sprays the heap with the malicious shellcode in an attempt to increase the chances of a successful exploit. If the exploit is successful, a malicious binary will be dropped and executed on the victim’s system.

Customers should keep their antivirus definitions up to date. Malicious PDFs using this exploit will be detected as Trojan.Pidief.E. The heuristic detection for Bloodhound.PDF.6 will also help mitigate this threat. The malicious payload is detected as Backdoor.Trojan. This back door is a popular open-source toolkit, originally from China, known as GH0ST. The GH0ST back door is modular, and some of the things attackers can use this for include viewing the desktop, recording keystrokes, and remotely accessing the compromised machine. The screenshot below shows an example of the GH0ST back door builder application:

While we continue to investigate this issue, customers are advised to follow best practices and only open email attachments from people they trust. Disabling JavaScript in Adobe Reader may also help mitigate this threat. Enabling DEP for Adobe Reader will also help prevent this type of attack.