PDF可夹带后门, 2007 new virus in PDF files






英国一名安全研究员已经发现,利用Adobe PDF文件中的合法功能来打开计算机后门的方法。

    入侵测试专家David Kierznowski已经公布了代码,以证明Adobe阅读器程序可以被用来发起用户毫不察觉的计算机攻击。

    第一个后门存在于Adobe Reader当中,当给PDF文件添加一个恶意链接以后,用户打开这个文件时,浏览器就会自动加载这一链接。Kierznowski说:“从这一点来说,任何恶意代码都能够被这样加载。”

    第二个漏洞出现在Adobe Systems的“Adobe数据库连接”以及Web Services功能支持上。攻击者可以通过网络服务发送信息到数据库当中去。




On Tuesday morning, Network Associates' McAfee antivirus division became aware of the first virus--known as "Peachy"--that uses PDF to spread, said Vincent Gullotto, senior director of McAfee's Avert group.

Fortunately, those who are simply viewing a PDF, or Portable Document Format, file aren't vulnerable. The virus spreads only by way of Adobe's Acrobat software--the program used to create PDF documents--not through Acrobat Reader, the free program that is used to view the files.

"There is no way for this to affect Acrobat Reader," said Adobe's Sarah Rosenbaum, director of Acrobat product management. "The code in Acrobat that recognizes attachments does not exist in Reader."

Peachy exploits an Acrobat feature that allows people to embed other files within a PDF--attachments that can be opened only by people using Acrobat.

"Right now it's considered to be a low risk because we haven't seen it reported to us from a customer," Network Associates' Gullotto said.

But the Peachy virus raises the issue that PDF files--widely used to display documents within Web browsers and e-mail--could become a new channel for spreading viruses.

"What I'm concerned about here is that this could be a new frontier," said Richard Smith, chief technology officer of the Privacy Foundation. "It's considered to be a safe file format." Smith posted news of the virus to the Bugtraq security mailing list Tuesday.

It's clear that if Adobe modified future versions of Reader so that it could read attachments embedded in PDF files, the program could fall victim to Peachy's descendents.

Rosenbaum said that while it's possible Adobe might add attachment-handling capability in future editions of Acrobat Reader, the company has no immediate plans to do so.

Smith said he believes Acrobat Reader software could prove susceptible in any case. Indeed, the Computer Emergency Response Team posted news of a vulnerability in the Windows version of Acrobat in November 2000 that could let an outside attacker gain control over the computer of a person who simply viewed a PDF file. Adobe patched that hole.

Adobe said any popular software becomes a target for security attacks and Acrobat has crossed that threshold.

"I think the attraction...has reached a critical level recently," Rosenbaum said. "It's only been in the last 18 to 24 months that PDF...use has really exploded."

How Peachy works
Acrobat lets people embed different file types within a PDF, including everything from the VBScript programs--used in the LoveLetter virus--to an actual executable program, Gullotto said.

Peachy is named after a small game in a PDF file that involves finding peaches, Gullotto said. According to a person called Zulu, who said he wrote Peachy, showing the solution to the game runs a VBScript file.

The virus then spreads to others using e-mail addresses collected from Microsoft Outlook, Gullotto said. Hiding the VBScript file in a PDF document bypasses the filters in newer versions of Outlook that ordinarily screen out VBScript files.

However, these more recent versions of Outlook, such as Outlook 2002 or those that have been patched with a security update, do take measures that hamper viruses such as Peachy, said David Jaffe, lead product manager for Microsoft Office. Although PDF files--and whatever embedded programs are hidden in them--aren't screened out, Outlook warns the user when a virus or other automated process tries to access Outlook's address book or use the program to send e-mail, Jaffe said.

Through an agreement with Adobe announced in June, McAfee's software can scan PDF files, Gullotto said. However, as with other virus types, the software isn't always able to catch new viruses until its definitions are updated.

Updated virus descriptions released by McAfee next week will be able to detect Peachy, Gullotto said.

But Adobe doesn't currently plan to prevent VBScript or other files from running.

To prevent Peachy from being able to run, "the change we would have to make is not to allow VBScript attachments. That is a problem for a lot of our customers," Rosenbaum said. "If they change their opinion, we will do what they want."

People with the full version of Acrobat will have to exercise caution when opening attachments to PDF files. However, opening attachments isn't automatic: A cautionary dialog box asks if a person wants to proceed.



昵 称:
验证码: *看不清楚?请点击刷新验证码
内 容:
登陆回复 ( 虽然发表评论不用注册,但是为了保护您的发言权和更多功能的编辑器,建议您注册然后登陆回复. 字数限制 1000 字)