Social engineering component present

Apr 13, 2010 14:45 GMT

Security researchers from antivirus vendor Sophos warn that malicious PDF files exploiting the /Launch feature present in most PDF viewers have already been detected in the wild. The booby-trapped documents trick users into installing malware on their systems.

About two weeks ago, well-known PDF security researcher Didier Stevens reported that he was able to trigger the execution of arbitrary files from inside PDF documents by abusing the legitimate /Launch action. PDF viewers theoretically prevent executable files from being opened in this manner; however, Stevens managed to bypass the restriction through some creative hacking.

The obstacle is that when a /Launch action is triggered in Adobe Reader, the most widely deployed PDF application, an alert window is displayed and the user is asked for confirmation before the action is performed. The security researcher overcame this by replacing the default warning message with custom text instructing the user to accept the dialog.

"Sophos will generically detect PDF files which use this functionality to run executables. This afternoon, I have just written detection for the first malicious PDF using this technique (Troj/PDFEx-DF)," announced Paul Baccas, virus and spam researcher at SophosLabs, on the company's blog.

The warning message displayed by Adobe Reader when opening the document found by Sophos reads: "This fiel [sic] is damaged. If you want to repair it please press Open(O)." Following the instruction and pressing the Open button is clearly not a good idea and will result in a malicious file called ActiveX.exe (Troj/Agent-MYJ) being dropped in the system32 folder and then executed.

Adobe is due to release a patch that will make abusing the /Launch action impossible. However, Jeremy Conway, an independent security researcher, who previously demonstrated that the same technique can be used to infect clean PDF documents residing on the system, commented that "from all that I can tell it will not address the incremental update issue at all." In the meantime, Adobe has published instructions on how to completely disable the /Launch functionality.
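Sophos says it detects PDFs that use /Launch to run executables; the scanner below is an added example of what such a generic check looks like, and is not Sophos' detection or Adobe's code. It flags every /Launch action dictionary in a file, reports the target named by its /F and /P entries, and notes whether the action is wired to /OpenAction (fires as soon as the document is opened, as in the sample described above). FlateDecode streams are inflated first so a launch action hidden inside an object stream is not missed. The embedded PDF is constructed for the example; the file name and arguments are placeholders, not values from the real malware.

```python
"""Static triage for PDF /Launch actions (added example, not Sophos' detection).

Regex-based scanning: good for triage and for feeding a YARA-style rule,
not a substitute for a real PDF parser. Literal strings are not unescaped.
"""
import re
import zlib

# Constructed sample modelled on the structure the article describes.
# PLACEHOLDER values stand in for the real sample's target and arguments.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Type /Action /S /Launch /Win << /F (PLACEHOLDER.exe) /P (PLACEHOLDER ARGS) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
OBJ_HEADER_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def build_compressed_sample():
    """Constructed variant: the launch dictionary exists only inside a
    FlateDecode stream, as it would inside an object stream (/ObjStm)."""
    hidden = b"<< /Type /Action /S /Launch /Win << /F (PLACEHOLDER2.exe) >> >>"
    return (b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
            + zlib.compress(hidden) + b"\nendstream\nendobj\n%%EOF\n")


def _inflated_streams(data):
    """Yield the decompressed body of every stream that inflates cleanly."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not FlateDecode, or a damaged stream: skip it


def _dict_spans(data):
    """(start, end) of every << ... >> dictionary, nested ones included."""
    spans, stack = [], []
    for m in re.finditer(rb"<<|>>", data):
        if m.group() == b"<<":
            stack.append(m.start())
        elif stack:
            spans.append((stack.pop(), m.end()))
    return spans


def _literal(key, text):
    """First ( ... ) literal string stored under /key in text, or None."""
    m = re.search(rb"/" + key + rb"\s*\(([^)]*)\)", text)
    return m.group(1).decode("latin-1") if m else None


def _object_number(data, pos):
    """Number of the last 'N G obj' header before pos (None inside streams)."""
    num = None
    for m in OBJ_HEADER_RE.finditer(data, 0, pos):
        num = int(m.group(1))
    return num


def _scan(data, where):
    """Every /Launch action dictionary in data, with what it would run."""
    spans = _dict_spans(data)
    # /OpenAction may reference the action object or hold the dict inline.
    open_refs = {int(n) for n in re.findall(rb"/OpenAction\s+(\d+)\s+\d+\s+R", data)}
    inline_starts = {m.end() - 2 for m in re.finditer(rb"/OpenAction\s*<<", data)}
    hits = []
    for m in LAUNCH_RE.finditer(data):
        pos = m.start()
        enclosing = [s for s in spans if s[0] <= pos < s[1]]
        if not enclosing:
            continue
        start, end = min(enclosing, key=lambda s: s[1] - s[0])  # the action dict
        action = data[start:end]
        obj = _object_number(data, pos)
        hits.append({
            "where": where,
            "object": obj,
            "file": _literal(b"F", action),
            "params": _literal(b"P", action),
            "on_open": obj in open_refs or any(s[0] in inline_starts for s in enclosing),
        })
    return hits


def find_launch_actions(pdf):
    """Launch actions in the raw file plus those inside inflated streams."""
    hits = _scan(pdf, "raw")
    for body in _inflated_streams(pdf):
        hits.extend(_scan(body, "stream"))
    return hits


def verdict(pdf):
    hits = find_launch_actions(pdf)
    if not hits:
        return "clean"
    if any(h["on_open"] for h in hits):
        return "suspicious: /Launch fires on open"
    return "suspicious: /Launch present"


if __name__ == "__main__":
    for sample in (SAMPLE_PDF, build_compressed_sample()):
        for hit in find_launch_actions(sample):
            print(hit)
        print(verdict(sample))
```

Any /Launch action is worth a look in a document that arrives by e-mail, and one attached to /OpenAction deserves quarantine regardless of what the /P parameter says, since the dialog text is exactly the part the attacker controls. Object numbers are not recovered for actions found inside inflated object streams, so such hits are reported without the on-open determination; a full parser would resolve the /ObjStm offset table to get them.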

Photo gallery (2 images): "/Launch-based PDF exploitation technique used in the wild"; "/Launch-based PDF social engineering attack".