In-depth Analysis of PDF Security

PDF, a portable file format, had gained popularity among general users due to its extensive features, portability and availability of free tools to read and author the documents. With the increasing popularity this file format has gained among the general users, it has also become vulnerable to various malware which exploit the document for executing malicious attacks, and which uses the PDF files as malware depositing source to attack specific item or even the entire system.

Over the last three or four years, PDF malware have become increasingly devastating for computer security. The reason behind this increasing success is the achievement of blackhat community in attaining the hand-full of PDF distribution with which various malicious PDFs are being utilized to jeopardize the computer’s security. Before going into the depth of the PDF security system, let’s get a closer look at the different distribution channels, the attackers use to deposit malware in the computer. Among a variety of different PDF distribution channels, three dominating channels are Mass-Mailing, Drive-By Downloads, and Targeted Attacks.

In mass-mailing PDF distribution technique, a user is lured to open an email and receives the malware unsuspected by downloading the attached PDF file in the email. These kind of spam emails contain major subjects like IRS emails, Political or current affairs or any controversial subjects. While, drive-by -downloads deposits the malware into the system when the user visits an infected website and downloading a hosted PDF file. Malware authors utilize web exploits packs to trigger malware creation on websites. The hosted PDFs contain shell codes which on being executed download malicious content from the internet. In contrast, PDF targeted attacks are directed to individuals or organizations to give themselves a disguise of an authentic source which, consequently, will enable the user to launch the PDF file attached. What makes targeted attacks relatively successful is the use of zero-day exploits which renders the victim unaware of the fact that his system’s security is at stake.

Now, to make matters worse, each distribution channel uses different exploit techniques which are classified into two categories, namely: JavaScript based exploits and Non-JavaScript based exploits. Now, almost all the PDF exploits are utilizing JavaScript in different forms because of its use of a malicious code called heap spray code (a JavaScript code that is executed at first to set up the process memory of the reader with a shell code which as a result exposes the system to the malicious attack).

Utilizing exploit techniques in different PDF distribution methods might have given the antiviruses and malware detection products to detect the presence of malicious PDF or the attack incorporated within the PDF file. To evade the possibilities of coming into antivirus detection, Malicious Acroform Stream is utilized by malware authors. This kind of evasion method misleads the user to believe that the malicious PDF file is simple a corrupt file and crashes the PDF reader so that it keeps on working in the background and remains undetected from both the user and the virus detecting product.

When your system’s security is jeopardized and various significant items are exposed to vulnerability, what can you do to protect your system to be infected with malicious content?

A bundle of considerable protective actions can be taken by the user which may keep his system safe from possible targeted or un-targeted attack from malware authors.

First and the foremost way to avoid system infection are keeping it up-to-date with all applications and softwares patches for your PDF reader. Second of all, keep your virus-detecting product up-to-date. Wherever possible, disable JavaScript so that the JavaScript based exploits may be prevented. Last but not the least; considerable discretion should be exercised while executing a PDF document from an untrusted location.