PDF Exploit Analysis

PDF exploit analysis involves looking at system logs and virus machine code.

It is much easier for hackers to get unsuspecting victims to open a seemingly innocuous PDF file than a suspicious program. However, malware writers find vulnerabilities in PDF reader software that let them infect computers through PDF files just as if the user had chosen to run a malicious program. Security researchers who work in PDF exploit analysis study the different aspects of such attacks to understand and prevent them.

    Anatomy of an Exploit

    • When hackers design PDF files to exploit Adobe software in order to compromise an operating system, they need to execute a number of discrete steps. Cyber security analysts studying PDF exploits identify the code a hacker uses to compromise the system, any websites and payloads that contain additional malicious code to further compromise the system, and how the hacker tricked the PDF reader into initiating the attack.

    Phoning In

    • Hackers usually include only a minimal amount of malicious code in the PDF itself in order to avoid detection. An unusually large PDF file is a red flag, and the more malicious code the file contains, the greater the chance that anti-virus scanners will recognise it as malicious. Hackers therefore embed a small program in the PDF file, either shellcode in native machine code or JavaScript, whose sole purpose is to download and execute further malicious programs from a remote website. Security researchers locate this downloader code to find the website hosting the bulk of the malware.
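As an added example (not part of the original article), a small Python triage script of the kind a researcher would use to locate the embedded JavaScript described above. The PDF it scans is a constructed sample, and the scanner handles two common ways such code hides from a naive text search: hex-escaped name objects (`/J#61vaScript`) and FlateDecode-compressed streams.

```python
import re
import zlib

# PDF keywords that indicate executable or auto-triggered content.
INDICATORS = (b"JavaScript", b"JS", b"OpenAction", b"AA", b"Launch", b"URI", b"EmbeddedFile")


def build_sample_pdf() -> bytes:
    """Constructed sample: /OpenAction runs one visible JavaScript action whose
    name is hex-escaped, plus a second action hidden in a compressed stream."""
    hidden = b"<< /S /JavaScript /JS (app.alert('hidden')) >>"
    packed = zlib.compress(hidden)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /S /J#61vaScript /JS (app.alert('visible')) >> endobj\n"
            b"4 0 obj << /Length " + str(len(packed)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + packed + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


def decode_name_escapes(data: bytes) -> bytes:
    """Undo #XX hex escapes so /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list:
    """Return the decompressed contents of every zlib-packed stream; skip the rest."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.DOTALL):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or not compressed at all)
    return out


def scan_pdf(data: bytes) -> dict:
    """Count indicator keywords in the raw file and inside inflated streams."""
    views = [decode_name_escapes(v) for v in [data] + inflate_streams(data)]
    counts = {}
    for kw in INDICATORS:
        # A name ends at whitespace or a delimiter, so /JS must not match /JSx.
        pat = re.compile(rb"/" + kw + rb"(?![A-Za-z0-9_])")
        counts[kw.decode()] = sum(len(pat.findall(v)) for v in views)
    return counts


def is_suspicious(counts: dict) -> bool:
    """Script that runs automatically on open is the pattern the section describes."""
    return counts["JavaScript"] > 0 and (counts["OpenAction"] > 0 or counts["AA"] > 0)


if __name__ == "__main__":
    c = scan_pdf(build_sample_pdf())
    print(c, "suspicious" if is_suspicious(c) else "clean")
```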

    Malware Hosting

    • After security researchers locate the website and file name of the malicious program, they can download the code into a secure sandbox for analysis. In the sandbox the malware runs as it normally would, but its actions are confined to the isolated environment and cannot harm the analyst's machine (malware that detects it is being sandboxed may behave differently, so sandbox observations are checked against the code itself). Analysts then work out how the malware operates by observing what it tries to do to the computer and studying the machine code of the program itself. Such analysis can uncover operating system vulnerabilities that security researchers were previously unaware of, as well as the malware's purpose, which could be to use the computer as a proxy for illegal activities, install keyloggers to steal personal information, or turn the infected computer into a node on a botnet.

    Vulnerability Location

    • While security researchers want to understand the primary malware program, they also want to understand how the hacker makes the PDF reader execute that code in the first place. The initial PDF exploit is the mechanism by which the hacker tricks the reader software into starting this process. Malware writers often do this by forcing an internal software error, such as a seemingly legitimate call to a resource that does not exist, that makes the reader malfunction. When hackers identify a malfunction that causes the software to execute code it would not normally run, they have found a vulnerability to exploit. Security researchers identify these holes so that software writers can close them.
