11

There have been questions on safe viewing of malicious PDFs on OS. I would like to know if it's okay to directly open them to view them in a Linux OS because the OS is said to be secure and malware-proof most of the times. I am working on a project to detect malicious PDFs. Should I work only on a VM or not open the file at all but work only on the source code?

BlackSwan
  • 213
  • 2
  • 7
  • While this won't necessarily help with _detection_, you can convert it into a different and simpler, difficult-to-exploit format (such as a series of bitmap or pixmap images). The conversion can be heavily sandboxed, e.g. using mode 1 seccomp. The images could then be viewed un-sandboxed. – forest Feb 03 '18 at 04:37
  • Open with *what*? Adobe Acrobat? Probably not. Vim? Yes. – Martin Schröder Feb 05 '18 at 08:46
  • If you are paranoid, you can download PDFs, convert to PDF using some utility software and open resulting PDF. It's more secure that way. The conversion process should scrap embedded items, if any. – anonymous coward Feb 12 '19 at 15:16

3 Answers3

19

To say Linux is malware-proof most of the times is incorrect, it's just that much malware focuses on other OS'es (but there is nothing preventing an attacker from targeting more than one OS). Avoid opening the PDF on your box unless you are absolutely sure the malware wasn't written for and won't execute in Linux.

If you are trying to perform analysis then use a sandbox, such as Cuckoo. With that said, some malware is sandbox aware and will try to avoid detection/analysis.

user169339
  • 346
  • 2
  • 6
  • 1
    I'm sure there's plenty of malware targeting Linux *servers*, but it tends to be more about remote exploitation than about opening infected files. – user253751 Feb 03 '18 at 02:54
  • Wouldn’t a live CD/DVD be even better than using a VM or sandbox? Particularly sophisticated malware could escape the sandbox with another vulnerability, couldn’t it? – caw Feb 03 '18 at 15:39
  • @immibis Actually, opening infected files is a good way of remote exploitation. Think about libjpeg vulnerabilities and image hosts which resize images … :-). Same could go for things which process PDF files in a non-trivial way. I would not bet on the distinction between server and non-server in any case. – Jonas Schäfer Feb 03 '18 at 17:10
  • @JonasWielicki It can't be easily and reliably automated though. If you want to pwn a server using an infected PDF, you'd want to send it to the server admin, unless they happen to be running a service that transcodes PDFs to images or something. Whereas e.g. remote WordPress exploits work automatically. – user253751 Feb 03 '18 at 23:22
6

Whether or not the PDF is safe to open depends on whether or not your environment (i.e. Linux and your PDF software) is vulnerable to the exploit. Linux is not malware-proof; it just happens that most malware targets Windows.

However, conclusively determining whether or not an unknown, malicious PDF will affect you is difficult.

To do thorough research, you should probably view the PDF in a VM or sandbox, examine the exploit's behavior in a sandbox, and try to read their source code. The more the merrier! I wouldn't open them directly in your real OS; not worth the risk.

bendodge
  • 161
  • 3
1

I would not say it is secure to open simply because it's on Linux. I suggest using a sandbox solution for automated analysis, like Cuckoo Sandbox (https://cuckoosandbox.org/) for example. It sounds that like could be a way forward for you.

Suedish
  • 131
  • 3