Malicious Email Attachments – Protection from Infected PDF files

Infected PDF files continue to plague security personnel responsible for detecting and containing malicious email attachments.


Cybercriminals use many different tactics to breach an organization’s network defenses, and delivering infected PDF files, typically via email, remains a very common and dangerous threat. Unfortunately, Secure Email Gateways (SEGs) are not effective in preventing advanced forms of PDF malware, and organizations need to augment their email security with technologies that specialize in detecting and preventing malicious email attachments.

Why Are PDF Files So Dangerous?

We tend to think of PDF files as documents, but in reality, they are much more than that. The PDF file format is very sophisticated and powerful. In addition to containing text and images and telling a reader how to display them, PDF files can execute code on your device—and that’s where the real danger lies. PDF files support numerous methods for controlling your PC, smart phone, or other device, including:

  • JavaScript: PDFs often contain JavaScript code—the same language used by web pages to control how your browser displays and gathers information. JavaScript can modify the PDF’s contents and manipulate the PDF viewer’s features in unauthorized ways. Infected PDF documents have exploited numerous vulnerabilities within Adobe Reader and other viewers.
  • System Commands: PDF files can execute virtually any system command. Adobe Reader now contains a blacklist that restricts what commands a PDF can launch, but outdated versions of Reader or other PDF viewers don’t prevent malicious files from exploiting this security weakness.
  • Hidden Objects: PDF files can contain other embedded and encrypted PDF files. This enables attackers to hide malicious PDF files inside other PDF files, fooling SEGs and antivirus scanners by preventing them from evaluating the encrypted PDF. When the file is subsequently loaded, it executes the embedded and malicious PDF.
  • Embedded Flash: Malicious PDFs frequently contain Flash content, which can exploit any vulnerabilities in Flash itself, potentially leading to a data breach. Unfortunately, Flash is historically insecure, so it’s a common threat vector. According to DARKReading, Flash vulnerabilities dominated cyberattack exploit kits throughout 2016.
  • Embedded Media Controls: In addition to Flash, PDFs may contain media for QuickTime, RealPlayer, or Windows Media Player. This allows a malicious PDF to exploit vulnerabilities in these multimedia players.
  • Embed Any File: There are many more features in the PDF file format that increase its attack surface, including the ability to embed any file inside a PDF. This potentially enables attackers to launch virtually any application that exists on the victim’s device and exploit any vulnerabilities those applications may have.

With the numerous ways in which cybercriminals can manipulate a PDF file, it’s no wonder that they find new and creative techniques to effectively use them against us.
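As an added defender's example (not code from the original post or from Lastline), here is a small Python triage script that flags the PDF features listed above by their name objects, including the `#xx` hex escaping sometimes used to hide keywords from naive string scanners; the sample PDF bytes are constructed for the demo.

```python
import re

# Risky PDF name objects corresponding to the features listed above. This is
# static triage in the spirit of pdfid, not a PDF parser: it does not see
# inside compressed (/FlateDecode) streams, so a "none" result is not a verdict.
ACTIVE_CONTENT = ["/JavaScript", "/JS", "/Launch", "/EmbeddedFile",
                  "/RichMedia", "/Rendition", "/Movie", "/Sound"]
AUTO_RUN = ["/OpenAction", "/AA"]          # actions that fire without a click
OPAQUE = ["/Encrypt"]                      # content a scanner cannot inspect

def _name_pattern(name):
    """Regex for a PDF name that also matches #xx hex escapes (e.g. /Java#53cript)."""
    parts = []
    for ch in name[1:]:
        parts.append("(?:%s|#%02x|#%02X)" % (re.escape(ch), ord(ch), ord(ch)))
    # A name ends at the next delimiter; reject longer names such as /Launcher.
    return re.compile("/" + "".join(parts) + r"(?![A-Za-z0-9])")

def scan_pdf(data: bytes) -> dict:
    """Return {name: count} for every risky name found in the raw PDF bytes."""
    text = data.decode("latin-1")            # 1:1 byte-to-char, never fails
    hits = {}
    for name in ACTIVE_CONTENT + AUTO_RUN + OPAQUE:
        count = len(_name_pattern(name).findall(text))
        if count:
            hits[name] = count
    return hits

def risk_level(hits: dict) -> str:
    """Rate a scan: active content that runs automatically on open is 'high'."""
    active = any(n in hits for n in ACTIVE_CONTENT)
    auto = any(n in hits for n in AUTO_RUN)
    if active and auto:
        return "high"
    if active:
        return "medium"
    return "low" if hits else "none"

# Constructed sample: a catalog whose /OpenAction runs hex-obfuscated JavaScript.
SAMPLE_PDF = (b"%PDF-1.7\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
              b"3 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj\n"
              b"%%EOF\n")

if __name__ == "__main__":
    found = scan_pdf(SAMPLE_PDF)
    print(found, risk_level(found))  # {'/JavaScript': 1, '/JS': 1, '/OpenAction': 1} high
```

Run it against real attachments at the gateway as a cheap first pass; anything rated "medium" or "high" is a candidate for sandbox detonation rather than delivery.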

SEGs Don’t Detect Modern Malicious Email Attachments

Conventional SEGs address legacy email attachment threats such as known viruses, Trojans, and spam. However, they are unable to detect and stop today’s evasive malware, which is specifically designed to evade SEGs, legacy sandboxes, and other traditional security systems. With a million new variants of malware introduced daily and the use of dynamic domains and URLs, advanced malware easily evades email filters that rely on previously known bad signatures, URLs, and domains.

Adding to the challenge, sophisticated malware can tell when a conventional sandbox is evaluating it. To avoid detection, the malware defers any malicious behavior until it has left the sandbox, so the sandbox categorizes it as non-malicious. See Lastline’s blog “Traditional Security Solutions Can’t Detect Evasive Malware”.

Lastline – Protection from Infected PDF Files

Analyzing your company’s email for the latest and most evasive forms of malware is one of the simplest and most effective ways to increase your overall security posture. But you can’t rely on your secure email gateway to do that on its own.

To combat the numerous email-based assaults that utilize infected PDFs, it’s crucial for companies to augment their SEG with a comprehensive solution that is specifically designed to detect the most advanced and evasive forms of malware. You can deploy Lastline as a complementary layer of defense to enhance your SEG investments and protect your organization from the latest and most sophisticated malware. Lastline works with your existing email system, whether it is in the cloud or on-premises, to protect your organization from the latest and most insidious forms of malware.

Lastline is quick and easy to deploy. It’s already integrated with leading SEG products, and security personnel can enable advanced malware analysis in a matter of minutes. Alternatively, deploying Lastline sensors by means of a network tap enables monitoring of SMTP traffic without requiring any integration with other products. In this scenario, Lastline sensors extract and forward inbound mail and attachments to Lastline’s advanced malware detection engine for comprehensive analysis.

Also see “Protecting Email from Evasive Malware”.

In Summary

The PDF file format is one of the most popular and common document types in existence. Its flexibility, versatility, and power are without a doubt what drive its success. However, these same features also make PDF files dangerous tools in the hands of cybercriminals. Over the years we’ve seen hackers use them in a multitude of ways, and we can expect that to continue.

Fortunately, modern security tools can detect and block malicious email attachments, including infected PDF files.

To learn more, see Lastline Breach Detection Platform.

Brian Laing

For more than 20 years, Brian Laing has shared his strategic business vision and technical leadership with a range of start-ups and established companies in various executive level roles. The author of “APT for Dummies,” he was previously vice president of AhnLab, where he directed the US operations of the internationally known security and software leader. Brian previously founded Hive Media where he served as CEO. He co-founded RedSeal Systems, where he conceived the overall design and features of the product and was granted two patents related to network security. He was also founder and CEO of self-funded Blade Software, who released the industry’s first commercial IPS/FW testing tool.