PDF malware: How to spot, prevent emerging PDF attacks

I've read that PDFs are increasingly being used as part of advanced persistent threat attack campaigns. Could you describe some of the latest techniques attackers use in PDF attacks, and can you suggest tools to use for scanning PDFs for malicious inclusions? Or should antimalware/email scans already be picking up on such threats?

Ask the Expert

SearchSecurity.com expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)

Advanced persistent threat (APT) attack campaigns are likely using PDF files because most regular users assume they are safe to open, as PDFs are widely accepted in both business and everyday email attachments. By using phishing emails masquerading as fax messages, scans from a multi-function printer, delivery notices, etc., the hacker is hoping to entice the user to open the "trusted"-yet-malicious file.

To mitigate these threats posed by PDF malware, it is critical to combine security awareness and technical controls, since neither method will protect all scenarios on its own.  

Simply put, traditional antimalware or email scans will not catch these new PDF malware attacks. However, security tools that open PDFs in a sandbox environment can be used to identify malicious behavior from the PDF.

Additional tools that can be used for scanning potentially malicious PDFs are described by SearchSecurity contributor Lenny Zeltser in his blog post on analyzing malicious documents. These tools can identify potentially infected JavaScript or strings for commands in the file. Once the malicious content has been extracted, it could be analyzed to determine if any external websites have downloaded other malware. Therefore, any PDF that contains JavaScript or accesses a system external to your network should be investigated.
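The answer above recommends scanning a PDF for JavaScript and for references to external systems before trusting it. The following is an added example, not code from the article or from the tools it cites: a small pdfid-style triage script that counts the PDF name keywords most often tied to active content (JavaScript, automatic actions, launch and URI actions, embedded files), extracts any literal URIs, and handles two common ways such keywords get hidden from naive string searches: hex-escaped names such as `/J#61vaScript`, and objects stored inside Flate-compressed streams. The three sample PDFs are constructed inline for the demonstration; the keyword list and the `triage` output format are this example's own choices.

```python
"""Added example (not from the original article): static PDF triage in the
spirit of pdfid-style tools.  It flags a PDF for manual investigation when it
contains JavaScript, automatic or launch actions, or URIs, and it looks inside
Flate-compressed streams and hex-escaped names so that a trivial obfuscation
does not hide those indicators.  Sample PDFs below are constructed for the demo."""
import re
import zlib
from collections import Counter

# PDF names that indicate active content or external references; a document
# containing any of them is worth a closer look (keyword list chosen here).
SUSPICIOUS_NAMES = (
    "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/URI",
    "/EmbeddedFile", "/RichMedia", "/SubmitForm",
)

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
_URI_LITERAL = re.compile(rb"/URI\s*\(([^)]*)\)")


def normalise_names(data: bytes) -> bytes:
    """Resolve #xx escapes so /J#61vaScript reads as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every Flate-compressed stream to the data so
    keywords hidden in compressed object streams are scanned too.  Streams
    using other filters are skipped and left for a full parser."""
    extra = []
    for raw in _STREAM.findall(data):
        try:
            d = zlib.decompressobj()
            extra.append(d.decompress(raw) + d.flush())
        except zlib.error:
            continue
    return data + b"\n" + b"\n".join(extra)


def count_keywords(data: bytes) -> dict:
    """Count suspicious names; a name ends at a delimiter, so /JS != /JSX."""
    counts = Counter()
    for name in SUSPICIOUS_NAMES:
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        hits = len(re.findall(pattern, data))
        if hits:
            counts[name] = hits
    return dict(counts)


def extract_uris(data: bytes) -> list:
    """Return literal URIs so an analyst can check which external hosts a PDF contacts."""
    return [u.decode("latin-1") for u in _URI_LITERAL.findall(data)]


def triage(data: bytes) -> dict:
    """Static verdict for one PDF: keyword counts, URIs found, and a recommendation."""
    visible = normalise_names(inflate_streams(data))
    counts = count_keywords(visible)
    uris = extract_uris(visible)
    verdict = "investigate" if counts or uris else "no active content found"
    return {"keywords": counts, "uris": uris, "verdict": verdict}


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage(fh.read())


# --- constructed samples (not real malware) ---------------------------------
CLEAN_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Hex-escaped action name plus an inert alert and a link annotation.
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/update) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Same JavaScript action, but stored inside a Flate-compressed object stream.
_HIDDEN_BODY = zlib.compress(b"<< /S /JavaScript /JS (app.alert(1)) >>")
HIDDEN_PDF = (
    b"%PDF-1.5\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"6 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_HIDDEN_BODY)).encode() + b" >>\nstream\n" + _HIDDEN_BODY
    + b"\nendstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("clean", CLEAN_PDF), ("suspicious", SUSPICIOUS_PDF), ("hidden", HIDDEN_PDF)):
        print(label, triage(pdf))
```

Run it directly to see the three verdicts, or call `triage_file("/path/to/attachment.pdf")` from your own tooling. Treat an "investigate" verdict as a reason to open the file in a sandbox rather than as proof of malice: benign forms routinely carry JavaScript and links. Conversely, a "no active content found" result only means the static indicators were absent; streams using filters other than Flate, encrypted documents and malformed files that a viewer still parses all need a full PDF parser or dynamic analysis.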

This was first published in November 2013
