Embedded PDF executable hack goes live in Zeus malware attacks

The identity thieves behind the Zeus malware attacks are now using the "/launch" command feature in Adobe Reader to launch malicious attacks without exploiting a vulnerability in the software.

Yes, that's the same "feature" that's been in the news in recent weeks after a security researcher found a way to execute an embedded executable without exploiting any PDF security vulnerabilities.

[ SEE: Hacker finds a way to exploit PDF files, without a vulnerability ]

According to M86 Security Labs, the attack originate as e-mails claiming to be from Royal Mail with an attached PDF file:

This PDF uses a feature, specified in the PDF format, known as a Launch action. A Launch action is intended to be used to run an application or opening or printing a document. Recently it has been discovered by a security researcher that this feature can be used to run an executable embedded within the PDF file.

This PDF also contains an attachment (PDFs can have an attachment embedded within them, just like emails) named Royal_Mail_Delivery_Notice.pdf which has been compressed inside the PDF file. This attachment is actually an executable file and if run, will install the Zeus bot.

When the PDF is opened In Adobe Reader with JavaScript enabled, a dialog box is displayed asking the user to “Specify a file to extract to”.

This could be somewhat confusing to users, and not really knowing what is happening, they may just click save (It appears as if they are just saving a PDF file after all). Users of Foxit PDF reader will get no warning and the attachment will be saved to the users Documents folder.

[ SEE: Adobe suggests workaround for PDF embedded executable hack ]

It's no surprise to see that malware authors are closely monitoring the latest white hat security research community for new tricks to execute attacks.  In this case, the user is required to click a few times before the malware is installed but, as M86 Security Labs notes, the average computer user is not technologically savvy enough to spot the signs of malicious activity.

Adobe is considering a patch to change the behavior of the software. In the meantime, the company is suggesting that users configure its PDF Reader product to limit the damage from an attack.

Here are the instructions for mitigating a potential attack:

• Users can also turn off this functionality in the Adobe Reader and Adobe Acrobat Preferences by selecting > Edit > Preferences > Categories > Trust Manager > PDF File Attachments and clearing (unchecking) the box “Allow opening of non-PDF file attachments with external applications”