
Malicious Ads Lead to PDF Exploits

  • Posted on: March 16, 2010 at 8:43 pm
  • Posted in: Bad Sites, Exploits, Malware, Vulnerabilities
  • Author: Ria Rivera

TrendLabs researchers recently received a report on malvertisements that appeared while a user was browsing through a popular Web-based email service.

At first glance, the ads may seem like the typical Web browser nuisance. However, random ads were proven to be vectors for downloading malware onto users’ systems. In one instance, an ad pointed to a URL containing exploits that download and execute several files on affected systems. The downloaded files include a malicious Java file (detected by Trend Micro as JS_BYTEVER.BG) and .PDF files (detected as TROJ_PIDIEF.GBA and TROJ_PIDIEF.GBB), among others.

According to advanced threats researcher Jonell Baltazar, these .PDF files exploit known vulnerabilities found in Adobe Reader (Collab.collectEmailInfo, Collab.getIcon, and util.printf) to download a file if the user’s application remains unpatched. Furthermore, Baltazar explains, the malicious .PDF files use getPageNumWords() and getPageNthWords() Adobe JavaScript application programming interfaces (APIs). The files also used the app.info.Author field of the .PDF document to store the encoded payload URL, which enables them to defeat automated PDF and JavaScript analysis tools.
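The indicators in the paragraph above (and the point in the March 17 update that standard tools miss the script) lend themselves to a string-level triage check. The script below is an added example, not Trend Micro's tooling: it inflates FlateDecode streams, looks for the named Adobe JavaScript APIs, and flags an /Author field that holds a long encoded blob instead of a name. The sample PDF is constructed and inert, and the placeholder URL in it is an assumption.

```python
import base64
import re
import zlib

# Adobe Reader JavaScript APIs named in the post: three with known exploits, two
# word-extraction calls, and app.info.Author, abused to stash the payload URL.
EXPLOIT_APIS = (b"Collab.collectEmailInfo", b"Collab.getIcon", b"util.printf")
STAGING_APIS = (b"getPageNumWords", b"getPageNthWord", b"app.info.Author")
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
_AUTHOR_RE = re.compile(rb"/Author\s*\(([^)]*)\)")
_BLOB_RE = re.compile(rb"[A-Za-z0-9+/=]+")  # base64/hex alphabet, no spaces

def _inflate_streams(pdf: bytes) -> bytes:
    """Append each FlateDecode stream's inflated body so strings in compressed objects are visible."""
    parts = [pdf]
    for m in _STREAM_RE.finditer(pdf):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded or damaged; raw bytes are already in parts[0]
    return b"\n".join(parts)

def triage_pdf(pdf: bytes) -> dict:
    """String-level triage for the API names and metadata abuse the post describes."""
    data = _inflate_streams(pdf)
    found = {
        "javascript": b"/JavaScript" in data or b"/JS" in data,
        "exploit_apis": [a.decode() for a in EXPLOIT_APIS if a in data],
        "staging_apis": [a.decode() for a in STAGING_APIS if a in data],
        "suspicious_author": False,
    }
    m = _AUTHOR_RE.search(data)
    if m:  # a human author string is short; a hidden URL is a long, space-free encoded blob
        found["suspicious_author"] = len(m.group(1)) > 40 and _BLOB_RE.fullmatch(m.group(1)) is not None
    found["verdict"] = "suspicious" if found["exploit_apis"] or (
        found["javascript"] and (found["staging_apis"] or found["suspicious_author"])) else "clean"
    return found

def build_sample_pdf() -> bytes:
    """Constructed, inert sample: JS in a Flate stream that reads its URL from /Author."""
    js = b"var u = app.info.Author; var n = this.getPageNumWords(0); Collab.getIcon(u);"
    body = zlib.compress(js)
    author = base64.b64encode(b"hxxp://placeholder.invalid/stage2.bin")  # constructed placeholder
    return b"".join([
        b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n",
        b"3 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n",
        b"4 0 obj << /Author (" + author + b") >> endobj\n",
        b"5 0 obj << /Filter /FlateDecode /Length " + str(len(body)).encode() + b" >>\nstream\n",
        body, b"\nendstream\nendobj\ntrailer << /Root 1 0 R /Info 4 0 R >>\n%%EOF\n",
    ])
```

This only catches what is visible as strings after inflation; a script that rebuilds the API names at runtime from page words, as the post describes, still needs manual emulation.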


As discussed in the 2010 Threat Predictions by Trend Micro CTO Raimund Genes, drive-by infections are the norm and one Web visit is enough to get infected. Users are thus advised to disable JavaScript on their Web browsers and to practice vigilance, verify URLs, and update browsers to avoid being redirected to malicious URLs.

Trend Micro™ Smart Protection Network™ protects product users from this threat by detecting and preventing the execution of the malicious files via the file reputation service. It also protects customers by blocking user access to malicious websites.

Non-Trend Micro product users can also stay protected from such threats via free tools like Web Protection Add-On, which prevents user access to potential malicious websites.

Update as of March 17, 2010, 4:23 p.m. (GMT +8:00):

Senior threat response engineer Vincent Cabuag adds that this relatively new encryption technique renders standard analysis tools useless in detecting the malicious script inside the .PDF file. The malicious script is obfuscated in a way that requires the use of certain APIs to decrypt. Thus, it would require manual analysis to be able to emulate the embedded script.

Update as of March 18, 2010, 7:54 p.m. (GMT +8:00):

According to further research by Baltazar, the attack used the “Liberty Exploit Kit,” which exploits known vulnerabilities found in Internet Explorer (IE) like MS06-014 (MDAC) and MS DirectShow. The exploit kit also includes exploits targeting Flash 9 (the most probable vector for malicious ads) and the above-mentioned PDF exploits.

Thus, no user intervention is necessary for an attack to succeed. Users must keep Flash, Adobe Reader, and IE updated with the latest security patches in order to stay protected from this attack.
