Schneier on Security
A blog covering security and security technology.
« Even More on the al-Mabhouh Assassination |
| Back Door in Battery Charger »
March 22, 2010
PDF the Most Common Malware Vector
MS Word has been dethroned:
Files based on Reader were exploited in almost 49 per cent of the targeted attacks of 2009, compared with about 39 per cent that took aim at Microsoft Word. By comparison, in 2008, Acrobat was targeted in almost 29 per cent of attacks and Word was exploited by almost 35 per cent.
Posted on March 22, 2010 at 1:03 PM
• 49 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I honestly don't know if any of the virus scanners or any of their heuristics engines are adequate in addressing this. I'll research this later if no one else has the answer.
Does anyone know (or know where to find out) when was the last time before this that the most common malware vector was not a Microsoft product?
My Check Point firewalls, with a SmartDefense subscription, are capable of blocking these embedded JS files.
Unfortunately my users access many legit sites that contain .pdf's with JS. They must access these files to run our business. Nice state of affairs.
Is this just the Adobe reader or all pdf's? I use the Foxit reader and update it regularly.
Isn't this F-Secure post from early 2009? Kind of dated?
@HJohn & Fred S.
Even quicker quick-fix, stop using Adobe. Foxit (Yes) is one good example. It has vulnerabilities, but they get fixed and it is not the prime target for attacks, Adobe Reader is.
Isnt it always the case that the most used product will always become the prime vector for attacks?
A quick check through the emails I have recieved in the last month, with attachments, shows that the ratio is strangely similar - about half the attachements came in as PDFs, and about 1/4 came in as word documents (most of the others were crappy PPT presentations.... truly the work of a malignant force).
More and more documents are being sent as PDFs (annoying this includes such things as the ISSA journal which is much better read on the toilet or in the bath, than at a PC) and I suspect its only a minority of users who have something other than Adobe to read them.
Also Microsoft have, for various reasons, had to respond to waves of bad publicity after macro virus hits and IMHO most default installs of MS will protect better than a default Adobe set up.
If you were a l33t h4x0r (*) what would you target? I think Adobe wins it hands down on this one.
(*) of course this assumes you are not...
Scansafe 2009 Threat Report: "Malicious PDF files comprised 56% of Web-encountered exploits in 1Q09, growing to 80% of all exploits by 4Q09".
Didier Stevens has lots of interesting stuff on malicious PDFs. His blog is here: http://blog.didierstevens.com/. On the blog read "Quickpost: /JBIG2Decode “Look Mommy, No Hands!” which discusses how malicious PDF code can execute without the user opening the malicious file and while running as a standard user. Nasty.
Also see his articles in (IN)SECURE Magazine issues 21, 23, 24 and in a video here:
There's a lot of information in the above on the risks of malicious PDFs and preventing malicious PDF code from executing.
Between Adobe Reader and Adobe Flash, there seems to be something terribly wrong at Adobe.
FoxIt was my favorite PDF reader for years, until it got a bit too ad-bloated. Now I've been a happy Sumatra PDF (open-source) user for quite some time.
@Scott. The F-Secure post referenced is rather old now but things have gotten worse since then.
Examples of targeted phishing attacks using PDFs here:
One of the interesting things this site does is submit the the infected PDFs to VirusTotal. The detection rate of the forty or virus scanners used by VirusTotal is usually fairly low--maybe around 20% or less.
I don't know where I read it but I've seen estimates that PDF exploits have a very high rate of success maybe as high as 50%. I'm not sure that is surprising given that users don't perceive PDFs as risky, poor application patching, many users running as admin (on Windows), putting too much faith in anti-virus tools, etc.
I wonder if there is difference between the web-encountered exploits identified by ScanSafe and the spear phishing attacks. One would presume that many of the latter avoid anti-virus because being targeted to a few people may mean that by the time the anti-virus people get a sample it's too late.
@brianary: "Between Adobe Reader and Adobe Flash, there seems to be something terribly wrong at Adobe."
I think what happens with them is the same as what happens to other providers. They provide added functionality to provide a more rubust, appealing product, which is all well and good until attackers figure out how to misuse the added features.
@Scott: "I wonder if there is difference between the web-encountered exploits identified by ScanSafe and the spear phishing attacks. One would presume that many of the latter avoid anti-virus because being targeted to a few people may mean that by the time the anti-virus people get a sample it's too late."
One thing I'm going to do, that I should have done already, is check my antimalware shield to see if it scans PDF files. Of course, it still has to be able to detect the malware, but it should scan them. I scan every file once a week, but the performance costs on scanning every single file on every operations just isn't worth it to me.
The thing that I like about Adobe Acrobat is that rather than printing your airline boarding pass on a printer, print it to an PDF file. With Acrobat you can change the name on the boarding pass to any name that you wish and then print it. As long as the boarding pass matches the drivers license and you do not check bags, you get on the plane. It does not matter who you are. No one is interested in who gets on the plane, only who purchases the ticket. This is the quickest way around the no fly list, but remember only 2 ounces of liquid. (Disclaimer, So I have heard. )
@Edgar. "Adobe have been doing a huge amount of work in hardening Reader over the last 18 month..."
Which is not surprising as they have been taking a huge amount of flak for most of that period for not doing enough, fast enough.
Verizon Business Security division blog post on Adobe:
It's why I've been pushing for a trustworthy PDF viewer. One that is simple, maybe not as quick/fancy, etc. at least for opening untrustworthy documents. Or a decent PDF viewer in a isolated VM with a buffer that stores its screen image.
Right now, using a lesser known viewer gives some protection against the wild exploits that cast a big net. The closest thing to the small, minimalist PDF viewer I've seen is SumatraPDF. I use it for many documents because it's lightning fast, but it wasn't designed for security. Reusing some parts of one of these small, fast viewers might help enterprising security engineers build a secure PDF viewer more quickly.
Microsoft celebrates: "We're Number Two! We're Number Two!" :)
"Isnt it always the case that the most used product will always become the prime vector for attacks?"
No, they follow the path of least resistance. A malware author will be just as eager to attack an entire user base of 10 million people with a trivial exploit as they would be to attack 100 million people with a method that fails 9 times out of 10.
So while it might just be that Word is no longer something as ubiquitous as it once was, a far bigger factor is probably that Reader is a more ripe target these days.
Something about filling out forms in PDF and submitting them to a website is the only thing I heard that it might be useful for.
But who actually uses that? Or needs it?
The tiny amount of actual documents that make legit use of scripting capability in PDFs are in no way worth all these security holes.
WTF are they thinking at Adobe.
"No, they follow the path of least resistance. A malware author will be just as eager to attack an entire user base of 10 million people with a trivial exploit as they would be to attack 100 million people with a method that fails 9 times out of 10."
Ok and I kind of agree here but I think this is only true once exploits are known.
When it comes to discovering a new exploit the product with a user base of 100m will be of more interest than one with 10m. If you were going to research an attack vector would you spend time and effort on a minority product that very few people use or a popular one with a large (especially corporate) business base?
If every Adobe Acrobat user switched to Foxit (for example) its a reasonable assumption that lots of exploits there would appear.
Also, on a related note, its not just Adobe (or even PDFs) that are a risk:
To exploit PDF is simple and it reaches to a lot of people. Acrobat (usually fairly outdated V7 or 8, yes, even 6) is usually installed with most OEM installation from Dell, HP, you name it.
In addition, PDF is easy to morph. There are many, many ways of morphing the PDF scripts to bypass antivirus and there is nothing the AV can do unless you plan to disable URLS and script altogether.
Perhaps we should start looking at one really neglected implementation call XPS (by Microsoft).
It's unfortunate that none of the alternatives to Adobe Reader produce as good quality on-screen displays as the official program does. If you compare them side-by-side Reader is always best, followed by Foxit and Sumatra.
It's important because small text is much easier to read with Adobe Reader, so you can have more information on screen and save a lot of scrolling around just because you need bigger fonts.
I've always put that down to Microsoft spin, myself. It's a notion that simultaneously absolves Microsoft of responsibility for any exploits in their products, and also suggests that migrating to another system is ultimately futile.
I don't think it's true, however. If the avenue of attack does not exist,then the malware writers will look elsewhere for vectors
I am certain that MS does spin this to absolve themselves of a lot of the blame.
But that alone doesnt really mean it isnt true. (And being true doesnt mean it removes any blame on them for bad coding practices)
By way of analogy, which is going to garner a security researcher more publicity and recogition - finding an exploit in an obscure bit of freeware no one uses or by finding a hole in iTunes? Same logic works for a hostile hacker, would you rather spend time developing an exploit on a product that has a tiny market share or one which gives you gazillions of targets?
The problem with MS is that they *know* they are a high profile, high value target but they fail to take the necessary precautions to make it harder. This means an attacker has a good return for minimal investment. Same with any popular product.
Most people who want to break a bit of software are constrained by resources (time, money etc). The rational ones have to justify any expenditure based on the return.
Some generalised examples:
a criminal group might see value in spending £1m to develop an exploit which will compromise all Windows XP boxes used for online banking and allow them access to account details. Would it be sensible to spend the same amount of money to develop a similar compromise of OS/2 machines?
A young h4x0r sitting at home with lots of spare time and computer resources, wants to make a name for himself. Will developing an exploit on Win 7 be more rewarding than exploiting MonaOS.
There will always be people who will spend a disproportionate amount of resources to attack a system but you cant really mitigate against this. What MS (and now Adobe) need to do is reassess their own defences to account for their popularity.
Being a high value target is not a way of ducking responsibility, it just means they should put more effort into hardening their systems.
> By comparison, in 2008, Acrobat was targeted in almost 29 per cent of attacks and Word was exploited by almost 35 per cent.
Is this just poor writing, or are they comparing apples to oranges in 2008? Targeted does NOT mean the same thing as exploited. "Targeted" does not imply success. "Exploited" does.
I think you should read "exploited" as "used as a vector of attack".
And of course, in both cases it's the users that are targeted, not the companies. It's the vulnerabilities in their software that are exploited, by means of writing documents containing malicious code, which may or may not actually be executed on the computer of the recipient.
I agree. There is no silver bullet that will save anyone, but many small things help reduce the impact.
I think one of the most costly and damaging things in the security world is the pursuit of a "holy grail" which does not exist.
High profile systems definitely get more attention, but the fact remains that not all locks are equally secure, so what constitutes a worthwhile attack depends a great deal on how lax the security is. Microsoft has been a ripe target not *just* because they had a larger user base, but because (as you note) they failed to take the steps to make their systems more secure. Now Adobe is finding themselves in the same situation, and many other exploits will continue to show up in the wild based on attackers following the path of least resistance.
You're right in saying that nobody is going to focus on a system without a reasonable return on their investment, but I think you're wrong in thinking that malware authors put a lot of effort into finding vulnerabilities. Oh, they might invest a lot into *exploiting* them once they turn up, but that's a much cheaper prospect than scouring random systems looking for a hole. It is an opportunistic crime that, unfortunately, sees plenty of opportunities.
So what I imagine happened for Reader is what happens for a lot of things: a normal person dealing with PDFs notices something funny (perhaps even recognizing it as a security problem) and starts a little chat in interested circles, which eventually spreads until it reaches someone who is up to no good. It is *then* that the small calculation is done to figure out if some minor tweaks to existing malware will pay off for turning a vulnerability into an exploit. I would wager it almost always is; whether its turning 1 million or 100 million machines into a botnet, or a targeted attack against a single individual, I see no reason to believe that any viable path to an exploit would be left on the table for long. Rinse and repeat.
@Posted by: Impossibly Stupid at March 23, 2010 11:01 AM
Very true. In not sure how the math adds up, but I would think that the attractiveness of a target would follow some equation including value and vulnerability...
Attackability = Value * Vulnerability
Value = Popularity + Profitability
Vulnerability = Absense of preventative, detective, and corrective measures
... or some variation, just to put it in perspective
I agree. There is no silver bullet that will save anyone, but many small things help reduce the impact.
Here's advice I've seen in various places. This assumes use of Adobe Reader on Windows. In no particular order:
--Keep Reader up-to-date on patches
--Run as user (not admin or admin approval mode). And if running Windows as user is impractical then run Reader with limited privileges.
--Turn-on DEP for all applications. (I'm guessing using Windows 7 64bit provides better ALSR and DEP).
--Disable Windows Indexing or make sure PDFs aren't being indexing using Adobe's IFilter
In (IN)Secure Magazine, February 2010 (issue 24), Didier Stevens has some techniques for forcing Reader to run with limited privileges that go a step beyond DropMyRights.
PDF download (!) here: http://www.net-security.org/insecuremag.php
"--Keep Reader up-to-date on patches
--Run as user (not admin or admin approval mode). And if running Windows as user is impractical then run Reader with limited privileges. "
Good tips(all of them).
As for the two i quoted, I use DropMyRights on anything that touches the Web, including Acrobat. I tend to break the "don't run as Admin rule" due to trade offs like usability and patching. This way I am already admin when I want it, but the apps that concern me run as a user. Not the most secure way, but security isn't my only concern.
@AlanS: "In (IN)Secure Magazine, February 2010 (issue 24), Didier Stevens has some techniques for forcing Reader to run with limited privileges that go a step beyond DropMyRights."
Thanks for that.
Funny, my post after yours that mentioned DropMyRights was a cross post--I hadn't seen yous above yet.
Those are nice tips. For more technical folks, virtual machines are an ever nicer option. More people are using virtual machines for web browsing than before. They can also be used for document viewing, audio, video, etc. Additionally, one can have an antivirus suite doing on-access in the VM. If the document is saved or transfered out of the VM, much of the security will be lost but it's at least scanned & run once. Anything that is just viewed then dropped won't affect the outside system unless it's specifically designed to circumvent the virtual machine monitor or hypervisor.
Extra tips for virtual machines. Use a cheap WinXP or Win7 license for one with Avira & ZoneAlarm security suites. Download the major programs, update everything, and then backup the VM. Do planned updates/backups every week or at least once a month. For more security but maybe less functionality, use a custom Linux distro. A minimalized Linux kernel with PaX memory protection or an OpenBSD desktop both provide plenty of protection.
It would be nice to keep Acrobat up to date... but jeez, we're talking 450MB of updates for 9.0 to 9.3! And you can't just apply the latest, they're all incremental.
And you can't slipstream quarterly updates if you slipstream a security update, so those have to go out separately.
What a mess.
One thing I've done for years is to remove almost all the Acrobat widgets from the plug_ins folder in the Reader program directory. There's a lot!
I was always mystified why I would want my PDF reader to execute arbitrary script when I open a document. Its like the bad old days of Word macros. The only thing I leave in plug_ins is "Search.api" and "AcroSign.prc"
Note that some functionality depends on the scripting engine (including clicking on embedded links), but I don't care. I just want to read PDFs, nothing else, period.
@NickP: The PDF spec is publicly available; I got a copy by downloading it but I forget from where. Anybody can implement a PDF handler (although I don't remember whether there are legal obstacles).
However, writing a program that will securely take a PDF file and display the content on screen and send it to the printer is a non-trivial task. Add a Turing-complete language interpreter and it gets a lot harder. I wouldn't expect any full PDF software to be secure, any more than web browsers are.
A problem is that the language is complex and PDFs bloated. The malware code is often very small and easily hidden. Didier has written several Python tools on his site for parsing PDFs
I have found it is fairly easy to run as standard user in W7--which I use at home. And I mean true standard user not W7's default admin approval mode accounts. Microsoft has done a lot of work cleaning up the software ecosystem to make this possible.
I have XP and at work and we're setup to run as admin. I have also been using DropMyRights to run most software. Didier makes points out that this works if you open the software through the DropMyRights shortcut but there are times when a program is opened through some other means and in those instances the rights aren't dropped. It's easy to do. He has various suggestions on making sure the program always opens with reduced privileges.
@TS "It would be nice to keep Acrobat up to date...but jeez...What a mess"
Adobe really needs to get their act together. I dread updating Adobe products on Windows. Their updating procedures and massive downloads are a nightmare. It is no wonder people don't patch.
Secunia has or is coming out with various products to make application patching easier. Maybe they'll figure out how to easy the pain.
I've been running limited user accounts at home for years now and reject all software that doesn't support this ability. And convinced a few friends to do this as well. And have had to clean up a few malware infections on those friends machines. Which has been amazingly easy on those machines running limited user accounts.
All others just get the standard wipe and reload with an explanation that until they run limited user accounts, I'm not wasting hours of my life rooting out malware that's grafted itself into the OS.
Just got Windows 7 x64 here and have it doing the same.
> Microsoft celebrates: "We're Number Two! We're Number Two!" :)
> Posted by: Kevin D. S. at March 22, 2010 6:45 PM
Who's Number One?
Please listen Adobe!
You need to make it easy for **everyone** to download the updates to the FULL installer for Acrobat Reader.
It would appear that Adobe PDF format is not just the favourit target of choice at the moment.
Some malware writers want to stop Adobe doing anything about it,
Put simply it looks like your only reliable choice is to uninstall Adobe and install from fresh a full new download...
And Mobile Broadband suppliers where whincing and whinging in Barcelona about "updates" swollowing "Mobile Broadband bandwidth" to the detriment of all...
Escape From PDF
"I managed to make a PoC PDF to execute an embedded executable without exploiting any vulnerability! I use a launch action triggered by the opening of my PoC PDF. With Adobe Reader, the user gets a warning asking for approval to launch the action, but I can (partially) control the message displayed by the dialog. Foxit Reader displays no warning at all, the action gets executed without user interaction."
Apparently the PDF format supports an incremental update feature that can be used in creative and potentially nasty ways. An infected PDF can update and infect PDFs on a target machine. See:
I'd like to point you to an article I wrote. It introduces with some stats from the German CERT. When taking these raw numbers it's obviously far worse than often said. About half of said article refers to the malware reverse engineering. Finally it closes with some advices. Who ever follows them will save himself a lot of trouble.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.