Malicious Email Attachments – Protection from Infected PDF files
Infected PDF files continue to plague security personnel responsible for detecting and containing malicious email attachments.
Cybercriminals use many different tactics to breach an organization’s network defenses, and delivering infected PDF files, typically via email, remains a very common and dangerous threat. Unfortunately, Secure Email Gateways (SEGs) are not effective in preventing advanced forms of PDF malware, and organizations need to augment their email security with technologies that specialize in detecting and preventing malicious email attachments.
Why Are PDF Files So Dangerous?
We tend to think of PDF files as documents, but in reality, they are much more than that. The PDF file format is very sophisticated and powerful. In addition to containing text and images, and causing a reader to display that content, PDF files include the ability to execute code on your device—and that’s where the real danger lies. PDF files support numerous methods for controlling your PC, smart phone, or other device, including:
- System Commands: PDF files can execute virtually any system command. Adobe Reader now contains a blacklist that restricts what commands a PDF can launch, but outdated versions of Reader or other PDF viewers don’t prevent malicious files from exploiting this security weakness.
- Hidden Objects: PDF files can contain other embedded and encrypted PDF files. This enables attackers to hide malicious PDF files inside other PDF files, fooling SEGs and antivirus scanners by preventing them from evaluating the encrypted PDF. When the file is subsequently loaded, it executes the embedded and malicious PDF.
- Embedded Flash: Malicious PDFs frequently contain Flash content, which can exploit any vulnerabilities in Flash itself, potentially leading to a data breach. Unfortunately, Flash is historically insecure, so it’s a common threat vector. According to DARKReading, Flash vulnerabilities dominated cyberattack exploit kits throughout 2016.
- Embedded Media Controls: In addition to Flash, PDFs may contain media for QuickTime, RealPlayer, or Windows Media Player. This allows a malicious PDF to exploit vulnerabilities in these multimedia players.
- Embed Any File: There are many more features in the PDF file format that increase its attack surface, including the ability to embed any file inside a PDF. This has the potential of enabling attackers to launch virtually any application that exists on the victim’s device, and exploit any vulnerabilities those applications may have.
With the numerous ways in which cybercriminals can manipulate a PDF file, it’s no wonder that they find new and creative techniques to effectively use them against us.
SEGs Don’t Detect Modern Malicious Email Attachments
Conventional SEGs address legacy email attachment threats such as known viruses, Trojans, and spam. However, they are unable to detect and stop today’s evasive malware that is specifically designed to bypass detection from SEGs, legacy sandboxes, and other traditional security systems. With a million new variants of malware introduced daily and the use of dynamic domains and URLs, advanced malware easily evades email filters that rely on previously known bad signatures, URLs, and domains.
Adding to the challenge, sophisticated malware can tell when a conventional sandbox is evaluating it. To avoid detection, the malware will defer executing any malicious behavior and the sandbox will categorize it as non-malicious. See Lastline’s blog “Traditional Security Solutions Can’t Detect Evasive Malware”.
Lastline – Protection from Infected PDF Files
Analyzing your company’s email for the latest and most evasive forms of malware is one of the simplest and most effective ways to increase your overall security posture. But you can’t rely on your secure email gateway to do that on its own.
To combat the numerous email-based assaults that utilize infected PDFs, it’s crucial for companies to augment their SEG with a comprehensive solution that is specifically designed to detect the most advanced and evasive forms of malware. You can deploy Lastline as a complementary layer of defense to enhance your SEG investments and protect your organization from the latest and most sophisticated malware. Lastline works with your existing email system, whether it is in the cloud or on-premise, to protect your organization from the latest and most insidious forms of malware.
Lastline is quick and easy to deploy. It’s already integrated with leading SEG products, and security personnel can enable advanced malware analysis in a matter of minutes. Alternatively, deploying Lastline sensors by means of a network tap enables monitoring of SMTP traffic without requiring any integration with other products. In this scenario, Lastline sensors extract and forward inbound mail and attachments to Lastline’s advanced malware detection engine for comprehensive analysis.
Also see “Protecting Email from Evasive Malware”.
The PDF file format is one of the most popular and common document types in existence. It’s flexibility, versatility, and power is without a doubt what drives its success. However, these features also make PDF files dangerous tools in the hands of cybercriminals. Over the years we’ve seen hackers use them in a multitude of ways, and we can expect that to continue.
Fortunately, modern security tools can detect and block malicious email attachments, including infected PDF files.
To learn more, see Lastline Breach Detection Platform.
Latest posts by Brian Laing (see all)
- Protection from Malicious Links - September 22, 2017
- Drive-By Downloads and How to Prevent Them - September 21, 2017
- Combining Lastline and Carbon Black for End-to-End Malware Analysis - September 14, 2017