Embedded PDF executable hack goes live in Zeus malware attacks

Summary: The identity thieves behind the Zeus malware attacks are now using the "/launch" command feature in Adobe Reader to launch malicious attacks without exploiting a vulnerability in the software.

TOPICS: Malware, Security

Yes, that's the same "feature" that's been in the news in recent weeks after a security researcher found a way to execute an embedded executable without exploiting any PDF security vulnerabilities.

[ SEE: Hacker finds a way to exploit PDF files, without a vulnerability ]

According to M86 Security Labs, the attacks originate as e-mails claiming to be from Royal Mail with an attached PDF file:

This PDF uses a feature, specified in the PDF format, known as a Launch action. A Launch action is intended to be used to run an application or to open or print a document. Recently it has been discovered by a security researcher that this feature can be used to run an executable embedded within the PDF file.

This PDF also contains an attachment (PDFs can have an attachment embedded within them, just like emails) named Royal_Mail_Delivery_Notice.pdf which has been compressed inside the PDF file. This attachment is actually an executable file and if run, will install the Zeus bot.

When the PDF is opened in Adobe Reader with JavaScript enabled, a dialog box is displayed asking the user to “Specify a file to extract to”.

This could be somewhat confusing to users, and not really knowing what is happening, they may just click save (it appears as if they are just saving a PDF file after all). Users of Foxit PDF reader will get no warning and the attachment will be saved to the user's Documents folder.

[ SEE: Adobe suggests workaround for PDF embedded executable hack ]

It's no surprise to see that malware authors are closely monitoring the latest white hat security research community for new tricks to execute attacks. In this case, the user is required to click a few times before the malware is installed but, as M86 Security Labs notes, the average computer user is not technologically savvy enough to spot the signs of malicious activity.

Adobe is considering a patch to change the behavior of the software. In the meantime, the company is suggesting that users configure its PDF Reader product to limit the damage from an attack.

Here are the instructions for mitigating a potential attack:

  • Users can also turn off this functionality in the Adobe Reader and Adobe Acrobat Preferences by selecting Edit > Preferences > Categories > Trust Manager > PDF File Attachments and clearing (unchecking) the box “Allow opening of non-PDF file attachments with external applications”.
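
A mail-gateway or triage check for the technique described above, as an added example (not code from the article, M86 or Adobe): it counts the PDF name objects involved, decoding `#xx` hex escapes so an obfuscated `/Launch` is still seen. The sample byte strings are constructed fragments, and the verdict rules are assumptions.

```python
import re
import sys

# PDF name objects tied to the technique above, plus /ObjStm, whose compressed
# contents this byte-level scan cannot see into.
TRACKED = ("Launch", "EmbeddedFiles", "OpenAction", "JavaScript", "ObjStm")

# A name is "/" followed by regular characters or #xx hex escapes.
_NAME = re.compile(rb"/((?:#[0-9A-Fa-f]{2}|[^\x00\t\n\f\r ()<>\[\]{}/%#])+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /L#61unch compares equal to /Launch."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf_bytes(data: bytes) -> dict:
    """Count occurrences of each tracked name in the raw file bytes."""
    counts = {name: 0 for name in TRACKED}
    for match in _NAME.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    return counts


def verdict(counts: dict) -> str:
    """Assumed policy: Launch plus an attachment is the pattern in the article."""
    if counts["Launch"] and counts["EmbeddedFiles"]:
        return "block: Launch action plus embedded file"
    if counts["Launch"]:
        return "quarantine: Launch action present"
    if counts["ObjStm"]:
        return "review: object streams present, scan incomplete"
    return "pass"


# Constructed, non-functional fragments used as sample input.
SAMPLE_SUSPECT = (b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R "
                  b"/Names << /EmbeddedFiles 3 0 R >> >>\nendobj\n"
                  b"2 0 obj\n<< /S /L#61unch >>\nendobj\n")
SAMPLE_CLEAN = b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_OBJSTM = b"5 0 obj\n<< /Type /ObjStm /N 2 /First 10 /Length 0 >>\nendobj\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            result = scan_pdf_bytes(fh.read())
        print(path, verdict(result), result)
```

A match inside binary stream data can be a false positive, so the result is a triage signal rather than a conviction.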



Log in or register to join the discussion
  • You mean the Tuesday update doesn't cure this?

    Very important, if so.

    Both Adobe Reader and Adobe Acrobat got big updates
    Tuesday, as reported here.

    This attack flaw is still alive, and loads Zeus?

    Great. Very important to make the settings in the
    Adobe workaround linked in this article.

    And make sure that Trust Manager is still set not to
    allow opening anything from inside any Acrobat or
    Acrobat Reader you have of any kind, after they are
    Narr vi
  • RE: Embedded PDF executable hack goes live in Zeus malware attacks

    While part of what you say may be true Dietrich, the problem most of us have is 1) Being able to install Ubuntu or any Linux OS AND make it work 2) Then trying to find (and hoping) Linux has drivers that will work with all our hardware and 3) The fact that Ubuntu often turns your HDD into a useless brick!
    Fix those things and make it semi-user friendly and you might have some validity to your posts!
    • Hmm.

      That's weird. I thought Linux (and OSs based on it, like Ubuntu) installed on more architectures than Windows. As for HDDs.. Ubuntu ships with ext4 by default, which is more fault-tolerant than NTFS. And driver problems? Maybe in the 90s. Nowadays you plug something in and it works, just like that.
      • I am interested

        in what facts led you to claim that ext4 is
        "more fault tolerant" than NTFS?

        Do you have a reliable source? Note, I'm not
        interested in fanboy diatribe or unbased

        I am truly interested and I'm not saying it is
        wrong. But I know for a fact that NTFS is
        pretty damn reliable, even splitting the same
        (system) disk into separately journaled
        partitions for system and user data with full
        transactional support for e.g. patching.

        BTW, from the wikipedia article comparing file
        systems, it appears that ext4 still has some
        ground to cover before catching up to NTFS. It
        looks like ext4 does not even sport snapshots
        or CoW?

        Re: hardware support, I do not believe that wds21921 was referring to number of
        architectures. I believe he was referring to
        the sometimes abysmal support for 3rd party
        hardware. Some of which are on motherboards,
        such as WiFi cards etc.
        • Sorry. I guess that wasn't fair of me, comparing FSs with different feature


          Btrfs (in Ubuntu by default starting with Lucid) and ZFS (in Solaris/OpenSolaris by default), then. ^^

          I don't really like CoW myself, though, since SSDs need free space to perform wear leveling (without which their NAND cells burn out), but CoWs use all the space with old versions of files.
  • Users of Foxit PDF reader will get no warning

    As an update, Foxit has released a new version that indeed does notify the user. From the latest readme file:
    What's New in Foxit Reader
    Bug Fixes:

    Fixed a security issue that Foxit Reader runs an executable embedded program inside a PDF automatically without asking for users permission.
  • Just now finding this?

    No offense guys, I love that you're alerting people to this, but there are a bunch more hacks out there that deal with PDFs that automatically open from Flash files, and are loaded directly into the browser.

    I'm really happy that Adobe is just now feeling the pressure to fix these vulnerabilities, but you're reporting on bugs that have been live for months. The people using them know they're there, but the public doesn't.

    Please report all vulnerabilities to the users, so they know how to protect themselves from it.. the same as you treat all companies on here. Honestly, best way to keep them out of your system is to remove the pdf auto-launch from your browser.

    Secondly, Adobe should only allow high level scripts that interact with the OS to come from certified publishers (certificates) and prompt a user that a document contains these features when they open it and ask if they want to enable them.. they should also show the validity of the certificate.

    If you think that's a pain, we do it for MSOffice all day long with macros.

  • Sometimes a reader can have TOO many features

    Why does Adobe reader have so many useless features like this?
  • Of course

    Of course there is something out pointing out a flaw in Adobe software and Microsoft software... Jobs said so!!!
    • Apple's PDF viewer...

      Preview is totally and completely immune to this malware. Also, this
      crap, as usual, works only in Windows.
  • Also disable opening in browsers

    The other problem and easy infection route is caused when
    a web browser automatically opens the PDF. You're better
    off changing the settings or modifying the file
    association so the user receives a prompt to save or open
    the pdf.

    Most of the infections I have been called in to resolve
    recently involved javascript calling a malicious pdf file
    and the infection occurred instantly as the browser
    executed it.
  • Is linux vulnerable to this?

    "The Boy Who Cried 'Wolf'"

    In Windows "the user" is often "required to click a few times" so often that users click very fast without taking notice of the notices. Like car alarms going off so often that no-one takes any notice. By surrounding ourselves with so many warnings we cease to take notice.

    Still it all helps Windows Security people to keep earning a decent living so it must be good.

    Regards from
    Tom :)
  • Are any of the other readers immune ?

    Is there an alternative reader, that does not have the ability to launch ?
    Rob C
  • Alternate SAFE viewers

    Regarding this article -
    I downloaded the author's test file.
    I was using PDF Exchange viewer.
    The test file, fooled it.
    I then switched off JavaScript (in the PDF Exchange options), and it warned me.
    I closed it, and re-opened the author's test file and the exploit activated, without a murmur.
    Sumatra PDF does not do the Launch, and I did not have to change its Settings.

    When I was attempting to download the author's test file, I had to switch off Avast, as it picked up the exploit.
    That either means it has generic protection, and I can continue using PDF Exchange as my default viewer.
    Or it means that Avast read the article, and built in a specific detector.
    If it is the latter, perhaps I should switch to Sumatra PDF, as my default viewer.

    Decisions, decisions.
    Rob C
  • My motto: Always disable javascript in PDF readers...

    I never want to be in a situation where I would NEED javascript running in my PDF viewer.

    I also always disable viewing PDF files in my browser, but that's just because I hate viewing PDF files in my browser! :)
    D. W. Bierbaum