From their blog:
... the Adobe PDF format allows for simple documents to be constructed with as little as a text editor and some off-the-shelf tools. When packaged up with stock heap-spraying JavaScript to trigger a known vulnerability in a particular flavor of PDF Reader, a ready-made malware delivery mechanism results.
...
Opening the document renders an innocent blank page; however, the embedded JavaScript (if enabled) begins to execute, first decoding itself and then spraying the heap with shellcode in order to gain control of execution, or alternatively, visiting a site which determines the best exploit to serve to continue the infection.
You'll notice in Sophos' description that one key step for this malware is visiting an external site: the PDF is only the first stage, and the second stage has to be fetched over the network. We've talked about this in the past, but this post is a good reminder to keep the URL databases on the proxy up to date and to have a real-time rating system for new, unclassified websites, so that the outbound request for the second stage is blocked even if the PDF exploit fires on the desktop.
Sophos also offers one other recommendation for helping prevent this type of malware from infecting your systems:
Disabling JavaScript handling in your favourite PDF reader is also an excellent way to avoid this particular malware deployment.
And of course, anti-virus/anti-malware scanning at the proxy and on the desktop doesn't hurt either.
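As a practical check to go with the "disable JavaScript" recommendation, here is an added example that is not code from this post, from Sophos, or from any PDF reader vendor: a small Python scanner that flags PDFs carrying /JavaScript, /JS, /OpenAction, /AA or /Launch entries, the hooks a document needs to run script on open. It resolves the #xx hex escapes that PDF name syntax permits, so a name written as /J#61vaScript is not missed. The two PDF byte strings are constructed for this example and contain no exploit, and the key list is an assumed starting point rather than an exhaustive one. Dictionaries packed into object streams (/ObjStm, PDF 1.5 and later) are compressed and would need inflating before this scan sees them; the example only flags that case for deeper inspection.

```python
import re

# PDF name objects may encode any byte as #xx, so /J#61vaScript is the same
# name as /JavaScript. Malware authors use this to dodge naive string matching.
_NAME_ESCAPE = re.compile(rb'#([0-9A-Fa-f]{2})')

# Keys whose presence means the file can run script or an auto-run action.
# Assumed starting list for this example; extend it for your environment.
SUSPECT_KEYS = (b'/JavaScript', b'/JS', b'/OpenAction', b'/AA', b'/Launch')


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so escaped names match their plain spelling.

    Applied to the whole byte string for simplicity; that is harmless for a
    detection pass but is not a full PDF tokenizer.
    """
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf_bytes(data: bytes) -> dict:
    """Return {key: count} for each suspect key found outside object streams."""
    norm = normalize_names(data)
    hits = {}
    for key in SUSPECT_KEYS:
        # A name token ends at whitespace or a delimiter, so /JS must not
        # match a longer name such as /JSX.
        pattern = re.compile(re.escape(key) + rb'(?![A-Za-z0-9_])')
        count = len(pattern.findall(norm))
        if count:
            hits[key.decode()] = count
    return hits


def has_object_streams(data: bytes) -> bool:
    """Object streams hold compressed dictionaries this scanner cannot read."""
    return b'/ObjStm' in normalize_names(data)


def is_suspicious(data: bytes) -> bool:
    """Verdict: any suspect key present, or content hidden in object streams."""
    return bool(scan_pdf_bytes(data)) or has_object_streams(data)


# Constructed sample: a blank page whose catalog auto-runs a JavaScript
# action on open. The script body is a harmless placeholder, and the
# action subtype uses the #61 escape to spell /JavaScript.
SAMPLE_JS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /Type /Action /S /J#61vaScript /JS (app.alert('placeholder');) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: the same blank page with no actions at all.
SAMPLE_CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    for label, blob in (("js-sample", SAMPLE_JS_PDF), ("clean-sample", SAMPLE_CLEAN_PDF)):
        verdict = "SUSPICIOUS" if is_suspicious(blob) else "ok"
        print(f"{label}: {scan_pdf_bytes(blob)} -> {verdict}")
```

A scanner like this is cheap enough to run on every PDF passing through a proxy or mail gateway, and a hit is a good reason to quarantine or strip the file rather than rely on the desktop reader's settings. Files that report object streams need a real parser that inflates them before the absence of hits means anything.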