Resources & Publications

29 September 2014

Invasion of Document Malware

Computer users have had to contend with the threat posed by malware since quite early in the computer age. Infected floppy discs became carriers of viruses and worms. With the advent of the world wide web executable files were transmitted through e-mail and files placed on websites , and thus infiltrated into users’ systems. However these attacks were not very difficult for IT savvy users and computer professionals to avert. Such dangerous types of files could be filtered out from e-mail and network gateways while allowing files considered safe such as Microsoft office documents.

However with new versions of Microsoft office and other documents such as Adobe PDF coming out they were enhanced with features such as macro and scripting capabilities. These features provided enhanced functionalities to users such as collaborative editing of documents and rights management. Such developments made the documents similar to executable programs, running process and installing code snippets on other systems. The new threat emerged with the Melissa virus of 1999, which spread by exploiting the macro capabilities in Microsoft Word. Document based malware is all the more dangerous because users who will be careful about running downloaded programs often are not conscious of the risks that documents may carry. The simplest way in which document based malware spreads is by way of a document attached to a dubious e-mail. This usually takes the form of a spam or phishing e-mail with an attached document claiming to be one the user asked for. Though this ruse is a basic one it is often successful. Documents downloaded from websites or search results that lead directly to a document are other sources of infection. PDF documents are particularly vulnerable to being sources of malware or to being infected. When a malicious PDF is downloaded, a decoy innocuous PDF file is often displayed to hide what has taken place from the user.

Malware hidden in a PDF document can call other malware in the internet which will then be down loaded and installed in the system without the user’s knowledge. Some malware can be used to steal information from your system . Others known, as botnet software, can use computer as a base to mount malware and spam attacks on other computers and networks. Ones such a process starts even legitimate PDF documents on the web can be infected by malware. One sophisticated form of PDF malware used weaknesses in PDF and Adobe Reader to launch dialog boxes. Many unsuspecting users will automatically click ‘OK’ in a dialog box.

What steps can you take to protect yourself from document base malware? There is no way to guarantee complete security. However, the first step is awareness of the risk. Many users fall into the trap because they are simply ignorant of document based malware. Always be cautious when downloading or receiving documents, especially PDF files. It is also essential that you keep all your software up-to-date; operating system, document software, anti-virus and security tools. Vendors, especially Adobe, are constantly trying to patch the security holes in their system though they are finding it difficult to keep up with malware writers. E-mail and gateway platforms can also provide security against attacks.

Another option is to turn off the scripting and macro capabilities in your document programs. While this can be a safeguard to some extent, this may be at the cost of depriving yourself of many useful features. Further, scripting does not always stay turned off when a new version is installed. There are also some types of malware that will still be dangerous even when scripting is turned off. For example the type mentioned earlier which uses direct system calls to launch dialog boxes.

Recent developments may offer better safeguards against document based malware. Adobe is leveraging Microsoft Practical Sandboxing1, which can protect other areas of the operating system from being accessed and infected by any malicious code that may be found in PDFs. While such developments may reduce the risks in the future users should continue to be vigilant about the risks carried by documents they may download or receive.

For more information: