Report: malicious PDF files becoming the attack vector of choice

Summary: According to a newly released report by Symantec's MessageLabs, malicious PDF files outpace the distribution of related malicious attachments used in targeted attacks.

According to a newly released report by Symantec's MessageLabs, malicious PDF files outpace the distribution of related malicious attachments used in targeted attacks, and currently represent the attack vector of choice for malicious attackers compared to media, help files, HTMLs and executables.

The report also notes a slight increase in the distribution of executable files, a rather surprising trend given the fact that spam and email filters will definitely pick them up.

PDFs now account for a larger proportion of document file types used as attack vectors. However, it should be noted that office-based file formats are still a popular and effective choice used in some targeted attacks. In 2009, approximately 52.6% of targeted attacks used PDF exploits, compared with 65.0% in 2010, an increase of 12.4%. Despite a recent downturn in the last three months, if this trend were to continue at the same rate it has for the last year, the chart in figure 2 shows that by mid-2011, 76% of targeted malware could be used for PDF-based attacks.

PDF-based malware campaigns are here to stay, though:

"PDF-based targeted attacks are here to stay, and are predicted to worsen as malware authors continue to innovate in the delivery, construction and obfuscation of the techniques necessary for this type of malware," said MessageLabs Intelligence Senior Analyst, Paul Wood.

Are cybercriminals picky? Not necessarily, as it depends entirely on the campaign in question. In this case, they appear to be interested in bypassing spam and email filters by distributing a ubiquitous file type that's often allowed to pass through them in the first place.

Email attachments combined with social engineering tactics are among the many attack vectors cybercriminals take advantage of. Next to email attachments, the use of web malware exploitation kits is growing, with the majority of publicly obtainable data indicating that they continue to rely on outdated and already patched vulnerabilities for successful exploitation.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

21 comments
  • RE: Report: malicious PDF files becoming the attack vector of choice

    All this shows is PDF readers are currently weak in security. Malware writers have and always will target whichever vector is the easiest to exploit.
    steve.shierts@...
  • RE: Report: malicious PDF files becoming the attack vector of choice

    I think not all PDF readers are created equal.
    Some tiny readers without the bells and whistles might help combat against PDF exploits.
    Martmarty
    • RE: Report: malicious PDF files becoming the attack vector of choice

      @Martmarty: Amen to that. That is exactly what I have been trying to get through the thick skulls of the "mac OS/Windows/Adobe are teh evil!" crowds for more than 2 decades. The two main vectors of malware are, and have always been, exploiting "social engineering" and the extra bells and whistles they keep cramming into our apps - even when we don't want them. And no way of turning them OFF!
      RyuDarragh
      • Bells and Whistles are nothing compared to view in browser

        @RyuDarragh - the bells and whistles argument is true .. HOWEVER ... WORSE is the simple fact that BY DEFAULT when adobe installs, it defaults the "Display in browser" and KILLS the file association property, so that it ignores "confirm open after download" ...

        Thereby, the default action of clicking ANY web pdf link is to *immediately* download and open the file.

        WHERE ELSE does **ANY** IT Dept or staff allow such an action? Can you click on ANY EXE file on the web and suddenly have it downloading and opening on you?

        NO.. you have to click the link.. CONFIRM you want to Save/Run/whatever ... and EVEN THEN after the file is downloaded and the system attempts to run the file, you are STILL prompted to confirm you want to run the file ... of course this is solely because it's an EXE ...

        **BUT**

        When the attack vector is to use files that would seem harmless against you, WHY THEN should these files be allowed to continue to automatically download, and open without a SECOND CHANCE for the user to stop the action?

        So that last part would be good for .PDF / .DOC / .XLS / .etc.

        And what pisses me off even more, is that this issue hasn't been a hot button pushed by every IT person out there back to Adobe and respective companies to NEVER AGAIN do something so stupid as Auto-Open, Auto-Run a file extension and in adobe's case, make it so difficult to stop the process..

        ie. with adobe it's not a simple matter of 'de-selecting' the "show in browser" ... you have to manually edit the registry, to disable the bypass of extension properties ... otherwise, the best you get from taking that checkmark away, is that the file downloads automatically still.. and then auto-opens inside the full reader ... hardly worth the checkmark at all.
        TG2
  • RE: Report: malicious PDF files becoming the attack vector of choice

    The reputation of Adobe and the speed (lack of) in which they fix their exploited security holes surely has kept the interest of malware writers. The adding of scripting features and other higher end features to the PDF format has made it possible to exploit PDF files.
    mystic100
  • RE: Report: malicious PDF files becoming the attack vector of choice

    Does this apply to Adobe's PDF readers under Linux or Mac OS?
    Farrell.McGovern
    • RE: Report: malicious PDF files becoming the attack vector of choice

      @Farrell.McGovern Yes. That is why when security updates are offered, Adobe makes them for all platforms. While some think OS X is safe, it is most often exploited by the programs that run on top of it: Safari, QuickTime, Flash, PDF
      joblak@...
  • "...if this trend were to continue..."

    What a silly supposition. Malware writers respond to available exploits. There's no rational reason to attempt to extrapolate trends over a long term.
    hmoulding@...
    • RE: Report: malicious PDF files becoming the attack vector of choice

      @hmoulding@... Agreed, looking at the chart, there is no "trend" unless you count the decrease in Office Docs.
      LGLisle
    • trending long term ...

      @hmoulding@... true.. trending long term, however 3 to 6 months is not long term, *AND* what else is out there right now? Sure, it's the next biggest sliced bread moment that has the fastest infection ability ... but when you also compare the suggestive trend ... and think about how many MILLIONS of PCs out there don't even get the recommended *WINDOWS* updates... then you realize.. trending isn't meritless. In fact.. Java had two updates within weeks of each other ... and I've seen people not install java updates for 10 or more revisions!

      So ... Trending ... take with a grain of salt if you need to ... but it's important to get the concept out there that these things can be very bad if they continue..
      TG2
  • RE: Report: malicious PDF files becoming the attack vector of choice

    Flash and PDF are the biggest disease vectors followed by Apple software running on PCs as the three biggest problems I help people with. Skype problems used to be up there as well in making PCs run very badly but that seems to have cleared up.
    mswift@...
    • RE: Report: malicious PDF files becoming the attack vector of choice

      @mswift@... can you give some concrete examples of problems with Apple software running on PCs being the subject of disease vectors?
      oriorda
      • RE: Report: malicious PDF files becoming the attack vector of choice

        @steftheref I would think that iTunes would qualify here. Apple have released a patch for 57 critical flaws in iTunes today. Apple are not perfect, just like everyone else.
        AlanH1968
  • RE: Report: malicious PDF files becoming the attack vector of choice

    This is very worrying. Are there any comparisons between the various PDF readers so one can make a considered choice from a security standpoint?
    oriorda
    • RE: Report: malicious PDF files becoming the attack vector of choice

      I have been using Sumatra PDF reader for about 8 months now. It is super fast loading and does not have bells or fog horns or anything else in it.
      Me_too
    • RE: Report: malicious PDF files becoming the attack vector of choice

      @steftheref I've been using the lightweight Foxit reader for three years with nary a problem.
      ddferrari
  • RE: Report: malicious PDF files becoming the attack vector of choice

    Back when pdf was simply a document presentation format we didn't have these problems. Adobe's Acrobat Reader has become too bloated with superfluous bells and whistles to be considered useful any more.
    JDThompson
  • RE: Report: malicious PDF files becoming the attack vector of choice

    Acrobat X has this sandboxing feature. Does it help against this kind of attack?
    jia-shing.wang@...
  • RE: Report: malicious PDF files becoming the attack vector of choice

    Exactly TG2!

    MS recently shipped a security update to disable autoplay on external USB devices.

    Just as well I would be ok if MS shipped a kill switch to disable the Acrobat/Adobe Reader auto open PDF registry parameter.

    With Adobe Reader 10x (as well as 9.x) Adobe is forcing install/enable of their AIR platform. Blah! If users are intent on continuing to run Adobe Reader I recommend avoiding 10.x/9.x and stick with 8.x version (without AIR), at least as long as Adobe continues releasing patches for 8.x.

    But most users are best served to opt for a lightweight/low foot-print PDF reader (not Adobe Reader).

    Related question: If Apple can integrate a PDF Reader in MacOS, why is not Microsoft able to do the same?
    mediamonster
  • How does a pdf transmit a virus?

    I understand (more or less) how Office files (AutoOpen macros etc) and exe files distribute viruses and malware, but how does a pdf do it? Can DD or someone explain please in reasonably simple language? Thanks.

    If we know how it works, maybe we can combat it. Very few of my downloaded pdfs open in a browser window.
    jonc2011