Trusteer Warns of Impending Wave of PDF malware attacks

A structural weakness in the Adobe PDF format, which is widely used to distribute documents across multiple computing platforms, can be exploited to install almost any malware on a user's computer. The weakness is not a bug in one product but the /Launch action, a documented part of the PDF specification that lets a document ask the viewer to start an external program.

And Trusteer, the browser security and fraud prevention specialist, says that security researcher Didier Stevens' demonstration of a multi-stage misuse of the /Launch action, which is part of the PDF feature set, poses a potentially serious threat to organisations and individuals.

The demonstrated attack allows criminals to embed a malicious executable file inside an ordinary-looking PDF file. When the user opens the PDF and accepts the launch prompt, the embedded executable is extracted and run. Because this abuses a documented feature rather than a memory-corruption bug in the reader, the file looks structurally valid and the user's click is the only barrier.
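The defensive counterpart to the attack described above is to spot /Launch actions and embedded files before a PDF reaches a user. The scanner below is an added example written for this page, not code from the article, from Trusteer or from Didier Stevens' proof of concept. It handles two ways the action can hide from a naive grep: the PDF name syntax permits hex escapes (so `/Laun#63h` is the same name as `/Launch`), and the action dictionary can live inside a FlateDecode-compressed stream. The three sample PDFs are constructed inline and use a placeholder target name, so nothing runs if they are opened; the indicator list and the `is_suspicious` rule are the author's choices, not a published signature set.

```python
import re
import zlib

# Constructed sample: an /OpenAction that points at a /Launch action whose
# /S name uses a hex escape (#63 == 'c'), a legal spelling a plain grep misses.
SAMPLE_LAUNCH_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>
endobj
4 0 obj
<< /Type /Action /S /Laun#63h /F (placeholder.exe) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same action dictionary deflated inside a stream,
# so the non-stream body of the file never spells out /Launch in clear.
_INNER = b"% padding to make deflate worthwhile\n" * 4 + \
         b"<< /Type /Action /S /Launch /F (placeholder.exe) >>"
_DEFLATED = zlib.compress(_INNER)
SAMPLE_COMPRESSED_PDF = (
    b"%PDF-1.5\n5 0 obj\n<< /Filter /FlateDecode /Length "
    + str(len(_DEFLATED)).encode() + b" >>\nstream\n"
    + _DEFLATED
    + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Constructed control: a one-page document with no actions at all.
SAMPLE_BENIGN_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

# Indicators counted by the scanner: the /Launch action, embedded files (the
# payload carrier), and the hooks that fire an action without a click.
INDICATORS = {
    "launch_action": re.compile(rb"/S\s*/Launch\b"),
    "embedded_file": re.compile(rb"/EmbeddedFile\b"),
    "open_action": re.compile(rb"/OpenAction\b"),
    "additional_actions": re.compile(rb"/AA\b"),
}


def normalize_names(data: bytes) -> bytes:
    """Resolve PDF name hex escapes so /Laun#63h compares equal to /Launch."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def stream_bodies(data: bytes) -> list:
    """Return each stream body, inflated when it is FlateDecode data.
    A real parser honours /Length and the /Filter chain; this heuristic
    tolerates malformed files, which malicious PDFs often are."""
    bodies = []
    for m in STREAM.finditer(data):
        raw = m.group(1)
        try:
            bodies.append(zlib.decompress(raw))
        except zlib.error:
            bodies.append(raw)  # uncompressed, or a filter not handled here
    return bodies


def scan_pdf(data: bytes) -> dict:
    """Count indicators over the non-stream body plus every inflated stream."""
    views = [normalize_names(STREAM.sub(b"", data))]
    views += [normalize_names(body) for body in stream_bodies(data)]
    counts = {name: 0 for name in INDICATORS}
    for view in views:
        for name, pattern in INDICATORS.items():
            counts[name] += len(pattern.findall(view))
    return counts


def is_suspicious(counts: dict) -> bool:
    """Any /Launch is a block-or-review event; an embedded file wired to an
    automatic trigger (/OpenAction or /AA) is treated the same way."""
    automatic = counts["open_action"] + counts["additional_actions"]
    return counts["launch_action"] > 0 or (counts["embedded_file"] > 0 and automatic > 0)


if __name__ == "__main__":
    for label, pdf in [("hex-escaped", SAMPLE_LAUNCH_PDF),
                       ("compressed", SAMPLE_COMPRESSED_PDF),
                       ("benign", SAMPLE_BENIGN_PDF)]:
        c = scan_pdf(pdf)
        print(f"{label:12s} {c} suspicious={is_suspicious(c)}")
```

Run as a mail-gateway or endpoint pre-filter, the useful output is the count dictionary rather than a bare verdict: a /Launch anywhere is worth quarantining outright, while an embedded file with no automatic trigger may be a legitimate attachment. Object streams (PDF 1.5 and later) are handled by the same inflate-then-scan path, since they are ordinary FlateDecode streams containing object dictionaries.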

"Whilst Acrobat Reader normally displays a warning that an executable inside a PDF file is being launched, Stevens appears to have found a way to modify the alert and fool users into approving the action," said Mickey Boodaei, Trusteer's CEO.

"Our research team were quickly able to replicate Didier's findings and there is every reason to believe this exploit will be added to the multi-exploit Adobe hacker toolkits in use by cybercriminals," he added.

As a result of this potentially very serious attack vector on Acrobat and Reader, Trusteer is advising all users to disable the running of PDF-embedded attachments within Adobe's software. This, he notes, can be achieved quite easily from the settings option within the software (Edit > Preferences > Trust Manager, unchecking "Allow opening of non-PDF file attachments with external applications") or, as Adobe has advised in a security blog, by a direct Registry setting change.
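For administrators who would rather push the setting than ask each user to find the checkbox, the script below applies it from PowerShell. It is an added example for this page, not a script from Trusteer or from Adobe's blog. The key path and the two value names are the author's recollection of the per-user Reader 9.x preferences that Adobe documents for this option; they are an assumption here and should be confirmed against Adobe's preference reference for the Reader or Acrobat version actually deployed.

```powershell
# Added example, not from the article or from Adobe. Disables opening of
# non-PDF attachments with external applications for Adobe Reader 9.x and
# locks the preference. Key path and value names are the author's
# recollection of Adobe's documented Originals preferences (assumption):
# verify against Adobe's preference reference for your version.
$ReaderKey = 'HKCU:\Software\Adobe\Acrobat Reader\9.0\Originals'

if (-not (Test-Path $ReaderKey)) {
    New-Item -Path $ReaderKey -Force | Out-Null
}

# Weak state: bAllowOpenFile = 1 (the shipped default) lets a /Launch action
# hand an attachment to an external program once the user clicks through.
# Hardened state: bAllowOpenFile = 0 refuses it regardless of the prompt.
Set-ItemProperty -Path $ReaderKey -Name 'bAllowOpenFile' -Value 0 -Type DWord

# bSecureOpenFile = 1 greys out the Trust Manager checkbox so a socially
# engineered user cannot switch the feature back on.
Set-ItemProperty -Path $ReaderKey -Name 'bSecureOpenFile' -Value 1 -Type DWord

# Show the resulting values for verification.
Get-ItemProperty -Path $ReaderKey | Select-Object bAllowOpenFile, bSecureOpenFile
```

Because the key lives under HKCU, the script must run in each user's context (a logon script or Group Policy Preferences item rather than a one-off elevated shell). Adobe also documents machine-wide lockdown keys under HKLM for enterprise deployment, which are the better fit where users must not be able to override the setting at all.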

Boodaei says he anticipates that cybercriminals and hackers will try to exploit this structural Adobe issue using social engineering techniques, which lull Internet users into a false sense of security. Social engineering, he explained, is becoming an increasingly important tool for criminals.

“Many security solutions such as antivirus and personal firewalls rely on Internet users to make the right choice,” he said. “They present technical messages that are hard to understand and expect users to decide what to do with them. Acrobat Reader works similarly by expecting Internet users to understand the security implications of running an embedded file. Stevens' attack makes it harder for users to make the right choice as it allows criminals to tamper with the message that Acrobat presents and use social engineering techniques to convince users to take the wrong choice.”

"Over the last year we've seen criminals effectively using social engineering attacks to by-pass various security systems such as two-factor authentication, transaction verification, and desktop security," he said.

For example, he says, with transaction verification criminals are now using man-in-the-middle and man-in-the-browser attacks to change messages on banks' Web sites and convince customers to approve fraudulent transactions. Instead of presenting the normal instructions for approving a transaction, criminals change the webpage to include instructions on how to approve a fraudulent transaction. Most users just follow instructions and look for the easiest and quickest way of getting something done. They don't stop to think whether every step they take is reasonable.

Going forward, Boodaei says that financial institutions and enterprises should evaluate the vulnerability of their security systems to social engineering attacks and consider measures to protect against them.

"Internet users can do their part by installing a browser security layer such as Trusteer's Rapport software, which is offered as a free download by banks such as HSBC, RBS/NatWest and the Santander Group. This will help to protect their online banking account sessions."

Trusteer enables online businesses to secure communications with their customers over the Internet and protect personally identifiable information (PII) from a user's keyboard into the company's Web site. Trusteer's flagship product, Rapport, allows online banks, brokerages, healthcare providers, and retailers to protect their customers from identity theft and financial fraud. Unlike conventional approaches to Web security, Rapport protects customers’ PII from malware including Trojans, keyloggers, and pharming and phishing attacks. Trusteer is a privately held corporation led by former executives from Cyota/RSA Security, Imperva, and NetScreen/Juniper. For more information visit

Source: Eskenzi PR