Infected Malformed PDF Attachments To Emails
We are now seeing lots of infected malformed PDF attachments to emails. The bad guys are changing the method of malware delivery with these emails and attaching a genuine PDF file to the email instead of a zip. These PDFs are malformed and contain a script virus that will infect you if you open the PDF and very likely when you preview it in your browser.
They are using several well known and hopefully fully fixed exploits in older versions of Adobe reader.
They attach what appears to be a genuine PDF file, that is malformed and has a script virus embedded. It depends on which version of Adobe reader you use, but older ones are definitely vulnerable to this exploit and hopefully the most recent one will be safe ( but I won’t guarantee that ) As far as I can tell they are using an exploit from 2013 that was fixed Adobe Security Bulletin (http://www.adobe.com/support/security/bulletins/apsb13-15.html) and an even older one from 2010. Make sure you are using a version of Adobe reader that has been declared free from these vulnerabilities.
We first saw this attack back in February 2014 ATTN: Important notification from HMRC – PDF malware, but it quickly stopped. We started to see this method of attack come back again and really take off over the last couple of days with Amazon Order details – fake document malware and Invoice 951266 – fake PDF malware and today with Barclays – RBS – HSBC- LLoyds outstanding invoice or transaction notification – Important RBS Documents – fake PDF malware
It is vital that you make sure Adobe PDF reader is updated to the latest version 11.0.6 (http://get.adobe.com/uk/reader/otherversions/) and if you use any alternative PDF reader then make sure that is fully updated. The majority of PDF exploits will affect ALL PDF readers, not just Adobe.
I would like to tell you to immediately delete any email attachment that comes with a PDF, but in the real world, that just isn’t possible.
I know we always say don’t open any attachment or file sent to you in an email, but with fake PDF files that is quite difficult. Many companies do send PDF files with invoices or reports and it is just about impossible to tell what is real and what isn’t. It is easy to tell the normal fake PDF that is really a .exe or .scr file (https://myonlinesecurity.co.uk/show-known-file-types/) that has been renamed or had the .exe hidden but it is impossible to know whether a PDF file contains a virus unless you save it to your computer and scan it with your antivirus. Never open it directly from the email.
The bad guys are picking subjects and content for the emails that will persuade or entice an unwary user to open or preview the attachment. Loads of us do order from Amazon or other online companies. At certain times of the year lots of us do get genuine emails from HMRC asking for more details about our online tax returns. Lots of Banks, credit Card companies and other financial institutions do send a PDF statement or a link to a PDF in an email.
If you know you haven’t ordered anything from that company or don’t have a credit card or account with that financial body, then it is quite obvious that it is likely to be a phishing, scam email that will infect you or steal your information or identity. BUT there will always be a user who has ordered from that company or a similarly named company.
The best advice that I can offer is to keep the PDF reader updated to latest version. Make sure your Anti Virus is fully updated. If you get an attachment, then save it to your computer. Do not attempt to open it or read the PDF by clicking on it or previewing it in your email. Scan the saved attachment with your Anti-virus.
At this time we have found one the best ways to protect yourself from this avenue of attack is to save the attachment to your computer & then either scan it at Kaspersky Application Advisor (http://whitelist.kaspersky.com/advisor). or use the Dr Web online scanner widget in the left bar So far they have detected these PDFs as either highly suspicious or declared malware. If it says not found then treat that as a warning that it is a brand new malware that hasn’t yet been analysed
Normally these malformed PDFs do not preview and appear as plain blank pages in Windows 7 and Windows 8. The other thing that will help to avoid being unwittingly infected by these is to Set Adobe reader or any other PDF reader to open PDFs in the program and NOT in your browser. I honestly do not know whether Firefox and Chrome’s ( or Iphone/Android) inbuilt PDF viewers are vulnerable to these exploits, but I see no reason to suppose that they are fully immune. But as far as analysis so far can tell, the actual malware that gets downloaded or installed is windows specific. But be prepared for malware that will run on other Operating systems to get downloaded. The exploits in PDF readers do work in other operating systems apart from windows.
The settings vary for this vary according to your browser:
Internet Explorer
Step1. go to tools/manage addons
Step2. Select all addons in the drop down, look for Adobe PDF reader and then press the disable button.
That way any PDF you receive will only open in Adobe reader itself and not in your browser, so cutting down the risk of any exploit infecting you.
Google Chrome
Step 1: Open Chrome and type “about:plugins” into the omnibox at the top.
Step 2: Scroll down and find Chrome PDF Viewer.
Step 3: Click the “Disable” link to prevent PDFs from loading within Chrome
Firefox see HERE and select use Adobe Reader ( default) or the alternative PDF reader you have installed.
Previewing PDFs in a browser is just too dangerous to take a risk with the current exploits and it is much safer to view them in the application itself which should be sand-boxed to prevent exploits slipping out.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day.
Be very careful when unzipping them and make sure you have “show known file extensions enabled“, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.