Advanced Topic of the Week: Preventing Malicious PDF File Uploads

Many reports have indicated that malicious PDFs that exploit flaws in Adobe's Acrobat Reader are the top client-side attack vectors. As indicated in many news stories and backed up by the WASC WHID real-time reporting, planting of malware on websites is a major problem for web site owners. The last thing that they want to do is to serve malicious code to their clients. There are many different methods for adding malicious code to web applications including:

• Adding JS code to pages through SQL Injection - evidenced by stories such as WHID 2010-178: New Mass Injection Attack Targets ASP Websites.
• Malicious Banner Ads - there have been stories where banner ad feeds were used to attack clients - WHID 2010-171: Hackers Push Malicious Ads onto UK Celebrity Gossip Website

Speaking from first hand knowledge gained from monitoring web-based honeypots, I can attest to the drive-by downloading methodology used in a majority of these attacks. They initially inject some small javascript/iframe snippet of code into the application and then they bounce the web web requests around until finally they send the malicious code.

Initial injection into the index.html page:

document.writeln("");

This takes you to the 84.htm page which checks the browser's User-Agent string and then redirects the user to the appropriate following page: