
Flash, PDF are growing malware targets

Security vendor Finjan reports a growing army of cybercriminals are buying cheap toolkits to exploit the Web.

Attackers are finding new ways to stay one step ahead of security, exploiting ubiquitous Adobe Flash applications and PDF files, which many organizations and end users incorrectly assume are safe against compromise.

In its Q4 Web Security Trends Report, Finjan Inc. says its Malicious Code Research Center (MCRC) has found that millions of PCs have been compromised by either Flash- or PDF-borne Web exploits, as crimeware writers widen their attack vectors and find new ways to evade detection and snare user machines.

Flash, of course, is widely used to add animations in ads and other Web page components. The report says Adobe has done a good job of addressing known Flash vulnerabilities -- they're not the problem. The Flash exploits rely on basic Adobe ActionScript functionality to exploit browser vulnerabilities.

As antimalware products become more sophisticated by inspecting JavaScript for malicious code, cybercriminals are using ActionScript to deliver payloads because the Flash file format is binary. Antimalware products can't inspect them easily, so they have to watch script behavior as it executes on the PC, when detection is trickier and the malware is closer to delivering its payload.

Flash malware is commonly delivered through malicious banner ads, which ad content networks serve up. Although most networks inspect the ads for security risks, their efforts are often insufficient. Adobe recommends a simple remedy, but it's often ignored in practice, allowing Flash exploits. A parameter, "AllowScriptAccess," should be set to "never," but is more typically set to "always." This allows ActionScript to inject an IFRAME, which can then pull in malicious content and infect the end-user machine.
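The ad-tag check described above, as an added example that is not Finjan's or Adobe's code: a small Python auditor that walks the `<object>`/`<embed>` tags of an ad creative and reports the AllowScriptAccess value on each. "never" (the setting the report says Adobe recommends) passes, "always" is flagged, and an absent parameter is also flagged because Flash's default when the parameter is missing is not "never". The sample ad tags are constructed for the example.

```python
"""Audit ad-tag HTML for the Flash AllowScriptAccess setting (added example)."""
from html.parser import HTMLParser

RECOMMENDED = "never"  # value the report says Adobe recommends


def judge(kind: str, value):
    """Return (tag_kind, raw_value, verdict) for one Flash tag."""
    if value is None:
        return (kind, None, "MISSING: parameter absent, Flash default applies")
    if value.strip().lower() == RECOMMENDED:
        return (kind, value, "OK")
    return (kind, value, "RISKY: ActionScript may script the hosting page")


class FlashTagAuditor(HTMLParser):
    """Collects one finding per <object> and per <embed> tag."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_object = False
        self._object_value = None

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names; values keep their case.
        attrs = dict(attrs)
        if tag == "object":
            self._in_object, self._object_value = True, None
        elif tag == "param" and self._in_object:
            if (attrs.get("name") or "").lower() == "allowscriptaccess":
                self._object_value = attrs.get("value") or ""
        elif tag == "embed":
            self.findings.append(judge("embed", attrs.get("allowscriptaccess")))

    def handle_endtag(self, tag):
        # The <object> verdict is known only once all its <param> children are seen.
        if tag == "object" and self._in_object:
            self._in_object = False
            self.findings.append(judge("object", self._object_value))


def audit(html: str):
    """Return the list of (tag_kind, value, verdict) findings for an ad tag."""
    auditor = FlashTagAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample creative: the common object-plus-nested-embed pattern.
RISKY_AD = """
<object width="728" height="90">
  <param name="movie" value="banner.swf" />
  <param name="AllowScriptAccess" value="always" />
  <embed src="banner.swf" allowScriptAccess="always" width="728" height="90" />
</object>
"""
HARDENED_AD = RISKY_AD.replace('"always"', '"never"')

if __name__ == "__main__":
    for label, tag in (("risky", RISKY_AD), ("hardened", HARDENED_AD)):
        for kind, value, verdict in audit(tag):
            print(f"{label:9} {kind:7} {value!s:7} {verdict}")
```

Running the audit against each creative before it enters rotation is the intake check the report says most networks skip; a creative with any RISKY or MISSING finding should be bounced back to the advertiser.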

"When Finjan looked at some of the top ad networks on the internet, we realized they didn't follow Adobe guidelines," said Yuval Ben-Itzhak, chief technology officer of Finjan. "Leaving the door open letting this interface between flash and the hosting page remain active."

PDF files, on the other hand, long believed to be a safe format, can be exploited through a pair of buffer overflow vulnerabilities. Adobe has released patches for these flaws, but many machines aren't up to date. Starting with version 1.4, the PDF format includes JavaScript capabilities.


The problem is exacerbated by the availability of cheap, easy-to-use crimeware toolkits, such as Neosploit and Fiesta, which now include PDF components that enable attackers to obfuscate scripts within PDF files to execute Web exploits.

Signature-based detection is not generally effective against these attacks, so antimalware engines must rely on real-time detection. Finjan recommends updating Adobe Reader with the PDF fixes, and training users not to assume that PDF files are always safe.
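Why a plain byte signature for "/JavaScript" is not enough, shown as an added example (not Finjan's code or any vendor's engine): PDF syntax lets a name spell any character as `#xx`, so `/J#61vaScript` is the same name as `/JavaScript`, and the script itself normally sits in a FlateDecode-compressed stream where its text is invisible to string matching. The scanner below normalises names and inflates streams before looking for script indicators, which is the kind of content-aware inspection the paragraph says is needed. The sample PDFs it scans are constructed in the code and contain only a harmless `app.alert` call.

```python
"""Triage a PDF for embedded JavaScript after undoing name obfuscation (added example)."""
import re
import zlib

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# "stream\n ... endstream"; the lookbehind keeps "endstream" from starting a match.
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)
# A name must be followed by a PDF delimiter or end of data, so /JS does not match /JSX.
_DELIM = rb"(?=[\s()<>\[\]{}/%]|$)"

INDICATORS = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code or stream reference",
    b"/OpenAction": "action runs when the document is opened",
    b"/AA": "additional (event-triggered) actions",
}
# Obfuscation helpers and the API call used by the constructed sample.
_SCRIPT_HINTS = re.compile(rb"\b(eval|unescape|app\.alert)\s*\(")


def normalize_names(data: bytes) -> bytes:
    """Replace every #xx escape with the byte it encodes."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _has_name(name: bytes, data: bytes) -> bool:
    return re.search(re.escape(name) + _DELIM, data) is not None


def scan_pdf(data: bytes) -> dict:
    """Return indicator hits, whether names were escaped, and whether streams hold script."""
    # Drop stream bodies first so binary stream content cannot fake a name hit.
    outside = _STREAM.sub(b"stream\nendstream", data)
    normalized = normalize_names(outside)
    hits = [n.decode() for n in INDICATORS if _has_name(n, normalized)]
    # An indicator visible only after decoding escapes was spelled to dodge matching.
    evasive = any(_has_name(n, normalized) and not _has_name(n, outside) for n in INDICATORS)
    script_in_stream = False
    for m in _STREAM.finditer(data):
        try:  # decompressobj tolerates the trailing EOL before "endstream"
            inflated = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            inflated = m.group(1)  # not Flate-compressed; scan the raw bytes
        if _SCRIPT_HINTS.search(inflated):
            script_in_stream = True
    suspicious = bool(hits) or script_in_stream
    return {"indicators": hits, "evasive_names": evasive, "script_in_stream": script_in_stream,
            "verdict": "suspicious" if suspicious else "no script indicators"}


def build_sample_pdf(javascript: bool, obfuscate: bool = False) -> bytes:
    """Constructed minimal PDF skeletons used only as scanner input."""
    if not javascript:
        return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
                b"trailer << /Root 1 0 R >>\n%%EOF\n")
    code = zlib.compress(b"app.alert('constructed sample');")  # benign, compressed
    action = b"/J#61vaScript" if obfuscate else b"/JavaScript"
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /S " + action + b" /JS 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(code)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + code + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for label, pdf in (("clean", build_sample_pdf(False)),
                       ("plain js", build_sample_pdf(True)),
                       ("escaped js", build_sample_pdf(True, obfuscate=True))):
        print(label, scan_pdf(pdf))
```

The `evasive_names` flag is the useful triage signal: a legitimate producer has no reason to hex-escape the letters of `/JavaScript`, so a name that only matches after normalisation is a strong indicator on its own, independent of whatever the inflated script turns out to do.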

Organized crime expands

In general observations, the Finjan report says that organized crime continues to expand its Internet business through what Finjan calls a criminal-to-criminal (C2C) model, relying on Trojans, silent installations and drive-by downloads. Those $100-$200 off-the-shelf toolkits help make cybercrime more accessible and pervasive. Finjan observed a trend of unemployed IT workers purchasing these toolkits, and expects this trend to grow as the weak global economy persists in 2009.

"We believe that having layoffs in the U.S. and other parts of the world, more people will at least give it a try," Ben-Itzhak said. "More people will become cybercriminals. You don't need to be a professional hacker: These toolkits have really changed the way people are turning to cybercrime."
