Monday, May 24, 2010

“Poisoned PDFs? Here's Your Antidote” plus 2 more

Poisoned PDFs? Here's Your Antidote

Posted: 23 May 2010 06:00 PM PDT

Attacks employing poisoned PDF files have leaped to the top of the threat list, according to statistics from major security companies. Symantec reports that suspicious PDF files skyrocketed in 2009 to represent 49 percent of Web-based attacks that the company detected, up from only 11 percent in 2008. The next-most-common attack, involving a good old Internet Explorer flaw, was far behind at 18 percent.

In a typical scenario, crooks might hijack a legitimate site and insert a PDF file made to exploit flaws in Adobe Reader. They then link to that PDF via social-engineering lures such as spam or comments on a blog or social network. Even astute users who check the link would see a legit domain. Not knowing the site was hacked, they would be more likely to download and open the file.

Now, a new threat allows for launching malware hidden inside a PDF file. In this type of attack, discovered by researcher Didier Stevens, opening the PDF file triggers an attempt to install the malware. The action causes Adobe Reader to produce a confirmation pop-up, which gives you a chance to halt the attack by clicking the 'Do Not Open' button--but Stevens found that attackers could tweak the pop-up's message. His example reads, "To view the encrypted message in this PDF document, select 'Do not show this message again' and click the Open button!" Using such a message, attackers could allay potential victims' suspicion.

Here's the kicker: This embedded-file threat makes creative use of functionality built into the PDF standard. As such, it works not only on Adobe Reader but on other PDF readers, too, even if they're up-to-date. The makers of the Zeus Trojan horse are already using this new technique to spread their evil software.

How to Fight the New Threat

Changing a program setting in the current version of Adobe Reader can help. Head to Preferences, then Trust Manager, and deselect "Allow opening of non-PDF file attachments with external applications." See the Adobe Reader Blog for more details.

The latest 3.3 update for the Foxit PDF reader also has a new Safe Reading setting--enabled by default under a new Trust Manager section in the preferences--that likewise blocks embedded programs from running.

Since traditional PDF exploits almost always hunt for one of the many holes in Adobe Reader, using an alternative PDF program is a good idea. But it's no guarantee of safety. When the embedded-file attack first surfaced, Foxit didn't even display a confirmation pop-up--it simply allowed the attack to proceed. Whichever reader you use, it's vital to keep it up-to-date. Both Adobe and Foxit are working on new security features to further mitigate the embedded-file risk.

Finally, a good antivirus program may stop a malicious PDF before it can launch an attack. And VirusTotal.com is excellent for scanning any downloaded or e-mailed file with a multitude of antivirus engines. Regardless, always back up your defenses with your own good sense.
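The reader settings above stop the launch at the last moment; a complementary defence is to triage a downloaded or e-mailed PDF for the structures this attack depends on before anyone opens it, much as Didier Stevens's own pdfid tool does. The Python script below is an added example written for this page, not code from the article, from Adobe or Foxit, or from Stevens. The three sample PDFs inside it are constructed fixtures (the /F target in the launch action is a placeholder, not a real payload), and the keyword list and verdict rules are the example's own assumptions about what is worth flagging.

```python
import re
from collections import Counter

# PDF structures a crafted document can use to carry and start an embedded payload:
# /EmbeddedFile holds the attachment, /Launch asks the reader to start something,
# /OpenAction fires an action as soon as the file opens, /AA attaches actions to
# page or annotation events, /JS and /JavaScript carry script. Chosen for this example.
SUSPICIOUS_KEYWORDS = (b"/EmbeddedFile", b"/Launch", b"/OpenAction",
                       b"/AA", b"/JS", b"/JavaScript")

# A PDF name object: a slash followed by regular characters or #xx hex escapes.
NAME_TOKEN = re.compile(rb"/(?:[^\s/<>\[\]()%{}]|#[0-9A-Fa-f]{2})+")
# Characters that end a name; used so /JS does not match inside /JSomething.
NAME_END = rb"(?![^\s/<>\[\]()%{}])"


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside name objects (allowed by the PDF spec), so a
    name written as /Laun#63h is counted as /Launch rather than missed."""
    def unescape(match):
        return re.sub(rb"#([0-9A-Fa-f]{2})",
                      lambda h: bytes([int(h.group(1), 16)]), match.group(0))
    return NAME_TOKEN.sub(unescape, data)


def keyword_counts(data: bytes) -> Counter:
    """Count each suspicious name in the raw (uncompressed) bytes of the file."""
    data = normalize_names(data)
    counts = Counter()
    for kw in SUSPICIOUS_KEYWORDS:
        counts[kw.decode()] = len(re.findall(re.escape(kw) + NAME_END, data))
    return counts


def triage(data: bytes) -> dict:
    """Return keyword counts, human-readable findings and a verdict:
    'clean', 'review' (attachment only) or 'suspicious' (launch/script wiring)."""
    counts = keyword_counts(data)
    script = counts["/JS"] + counts["/JavaScript"]
    findings = []
    if counts["/Launch"]:
        findings.append("launch action: the reader may be asked to run an external program")
    if counts["/EmbeddedFile"] and (counts["/Launch"] or script):
        findings.append("embedded file combined with a launch or script action")
    if (counts["/OpenAction"] or counts["/AA"]) and (counts["/Launch"] or script):
        findings.append("action is wired to fire automatically on open or on a page event")
    if findings:
        verdict = "suspicious"
    elif counts["/EmbeddedFile"]:
        findings.append("embedded attachment present; inspect before opening")
        verdict = "review"
    else:
        verdict = "clean"
    return {"counts": dict(counts), "findings": findings, "verdict": verdict}


# Constructed fixtures: a plain one-page document, a document that only carries an
# attachment, and one whose catalog auto-fires a launch action next to an embedded
# file, with the action name hex-escaped. The /F target is a placeholder string.
BENIGN_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
ATTACHMENT_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SUSPICIOUS_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
    b"4 0 obj << /S /Laun#63h /F (PLACEHOLDER_TARGET) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("attachment", ATTACHMENT_PDF),
                          ("suspicious", SUSPICIOUS_PDF)):
        result = triage(sample)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

This is a triage signal, not a parser: names inside compressed object streams are invisible to a raw byte scan, so a zero count is not proof of safety, and an attachment-only "review" result is normal for legitimate documents that ship files. Anything that scores "suspicious" is a candidate for the antivirus and VirusTotal checks described next rather than for opening.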


Facebook malware promises beach babes, delivers virus

Posted: 24 May 2010 02:42 AM PDT

Another attack using rogue Facebook applications hit users' PCs Saturday in a virtual repeat of last weekend's massive assault, security researchers said. Like the earlier attack, today's scam uses a sex-oriented video as bait, said Patrik Runald, an Australian researcher who works for Websense Security.

The scam is spread through Facebook messages touting "Distracting Beach Babes" videos that include a link to the malicious applications, Runald wrote on his company's blog. Users who click on the link are asked to allow the application to access their profiles, send messages to their friends and post on their walls. Once approved, the application instructs users to download an updated version of FLV Player, a popular free Windows media player, to view the video.

This new attack is almost identical to the one that generated several hundred thousand malicious software reports to antivirus vendor AVG Technologies a week ago. On Saturday, Graham Cluley, a senior technology consultant at UK security firm Sophos, put the number of attacked Facebook users in "the thousands."


Neither Runald nor Cluley could confirm the nature of the malware that masquerades as FLV Player, but both suspected that, given the similarity to last week's attack, it was most likely the notorious Hotbar adware, a toolbar that inserts itself into Internet Explorer and displays pop-up ads and links.

"I'm beginning to wonder if the cybercriminals deliberately launch these campaigns on the weekends, imagining that anti-virus researchers and Facebook's own security team might be snoozing," said Cluley on the Sophos blog. Facebook did not reply to a request for comment Saturday, and its security page had no mention of the latest attacks.

According to Runald, Websense has identified at least 100 different malicious applications used in the two weekend attacks.

Facebook users have used the service to warn others of the ongoing attacks. "Hey guys whatever you do DO NOT click on the post that appears on your wall, doing so will result in all of your Facebook friends being sent the virus," one such message said.

Runald and Cluley spelled out in their blog posts how users who installed the rogue Facebook software, but who did not take the final step and fall for the fake FLV Player download, can remove the bogus program from their application settings page.

Searches conducted on Facebook at 4:30 p.m. ET for the malicious application that Runald identified came up empty, implying that Facebook had removed it from the site.
