Zeus botnet jumps on PDF design flaw

Attackers are sending out emails with poisoned PDFs that aim to trick people into installing a Zeus bot, according to M86 researchers
Written by Matthew Broersma, Contributor

Attackers have begun exploiting a design flaw in Adobe's PDF format to spread the Zeus botnet, only days after the publication of a proof-of-concept exploit for the flaw, according to security researchers.

On Wednesday, researchers at M86 Security said they had discovered emails claiming to originate from Royal Mail with PDF attachments exploiting the flaw. The attachment attempts to run an executable file that installs the Zeus Trojan on a user's system.

Zeus attempts to steal banking information by logging a user's keystrokes. It also attempts to make a user's system part of the Zeus botnet.

M86 said the email includes a PDF, which in turn contains an attachment that appears to be another PDF file.

"This attachment is actually an executable file and, if run, will install the Zeus bot," M86 said in an advisory. The executable targets Windows systems.

The attack uses the Launch action, a feature built into the PDF specification. Last month security researcher Didier Stevens demonstrated that the Launch action could be used to execute malicious code on a user's system.

At the beginning of this month Jeremy Conway, product manager at NitroSecurity, published a proof-of-concept for how such an attack could be carried out.

The attack being used in the Zeus emails is relatively clumsy, requiring users to click through two dialog boxes before the malicious executable file is run, researchers said.

"The malicious actors involved with this instance appear to only have a very small grasp of the capabilities surrounding the Launch action," wrote NitroSecurity's Conway in a blog post. "I would classify this attack attempt as rudimentary at best, with little to no real sophistication."

He noted that the attackers did not make full use of the ability to modify the text of the dialog boxes, something that could be used to help trick victims. The attack also relies on the use of JavaScript, meaning that users can protect themselves simply by disabling JavaScript in their PDF reader.
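The two paragraphs above describe the features a mail gateway or analyst would want to look for in an inbound PDF: a /Launch action, JavaScript, and an embedded file posing as another PDF. The following static triage scanner is an added example written for this page; it is not code from the article, from M86, NitroSecurity or Adobe. It goes slightly beyond the specific attack by also handling two things a plain search for "/Launch" misses: PDF names can be hex-escaped (so /L#61unch is the same name as /Launch), and objects can live inside FlateDecode-compressed object streams. The three sample PDFs are constructed in-line for the demonstration, and the block/review/clean policy is this example's own assumption.

```python
"""Static triage of a PDF for the features abused in the attack described
above: /Launch actions, JavaScript, embedded files and auto-firing actions.

Added example, not code from the article or the vendors it quotes. The sample
PDFs below are constructed fixtures; the verdict policy is an assumption."""
import re
import sys
import zlib

# PDF name objects worth flagging. /Launch runs an external program (the
# feature abused here); /JavaScript and /JS carry script; /EmbeddedFile holds
# a payload such as an executable posing as a PDF; /OpenAction and /AA fire
# actions automatically on open or on page and field events.
SUSPICIOUS_NAMES = ("/Launch", "/JavaScript", "/JS", "/EmbeddedFile",
                    "/OpenAction", "/AA")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes in names so an obfuscated /L#61unch reads /Launch."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate every stream body that inflates as zlib (FlateDecode).
    Names inside compressed object streams are invisible to a plain grep, so
    they are decompressed before scanning. decompressobj tolerates a trailer
    byte clipped by the stream regex; non-Flate streams raise and are skipped."""
    bodies = []
    for m in _STREAM.finditer(data):
        try:
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(bodies)


def count_indicators(data: bytes) -> dict:
    """Count each suspicious name in the de-escaped raw file and in inflated
    streams. The lookahead stops /JS from matching the start of a longer name."""
    views = (normalize_names(data), normalize_names(inflate_streams(data)))
    counts = {}
    for name in SUSPICIOUS_NAMES:
        pat = re.compile(re.escape(name.encode()) + rb"(?![A-Za-z])")
        counts[name] = sum(len(pat.findall(v)) for v in views)
    return counts


def assess(data: bytes) -> tuple:
    """Return (verdict, counts). Any /Launch is enough to block an inbound
    mail attachment; script or embedded files warrant analyst review."""
    counts = count_indicators(data)
    if counts["/Launch"]:
        return "block", counts
    if counts["/JavaScript"] or counts["/JS"] or counts["/EmbeddedFile"]:
        return "review", counts
    return "clean", counts


# --- constructed fixtures (not real samples) --------------------------------
_HEADER = (b"%PDF-1.4\n2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
           b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n")

BENIGN_SAMPLE = _HEADER + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

# Launch action wired to /OpenAction, with the name hex-escaped as /L#61unch.
LAUNCH_SAMPLE = (_HEADER
    + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    + b"4 0 obj << /Type /Action /S /L#61unch /F (placeholder) >> endobj\n%%EOF\n")

# JavaScript action hidden inside a FlateDecode-compressed object stream.
_INNER = b"4 0 << /S /JavaScript /JS (placeholder) >>"
_BODY = zlib.compress(_INNER)
JS_SAMPLE = (_HEADER
    + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    + b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(_BODY)).encode() + b" >>\nstream\n" + _BODY
    + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                verdict, counts = assess(fh.read())
            print(f"{path}: {verdict} {counts}")
    else:
        for label, sample in (("benign", BENIGN_SAMPLE),
                              ("launch", LAUNCH_SAMPLE), ("js", JS_SAMPLE)):
            print(label, assess(sample)[0])
```

Run it with one or more file paths to triage real attachments, or with no arguments to see the three fixtures classified as clean, block and review. The counts are indicators, not proof: a legitimate form can carry JavaScript, and a file that inflates nothing may still use a filter other than FlateDecode, so "clean" here means only that nothing was found by this scan.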

However, it is just a matter of time before attacks surface that remedy these shortcomings, Conway said.

"If this were the best the malicious actors have to offer, we would have nothing to worry about, but I am afraid this is only the beginning," he wrote. "I am sure we will see far more sophisticated attempts at exploiting the Launch action in the future."

Last week Adobe provided a workaround for the issue, allowing administrators to protect systems by disabling the Launch feature.

Adobe product manager Steve Gottwals outlined the workaround in a blog post. Sysadmins can alter a registry setting on Windows, or grey out a PDF preference, to stop users from turning on the /Launch capability, which is the exploitable feature, he said.

In addition, Adobe is evaluating the best way to allow admins and users to mitigate the problem. This could be pushed out in a product update, according to Gottwals.

"We are currently researching the best approach for this functionality in Adobe Reader and Acrobat, which we could conceivably make available during one of the regularly scheduled quarterly product updates," said Gottwals.
