2

Consider the following situation:
1. Somehow my boss's system got infected with malware (he visited one of the Java exploit websites).
2. He sends me a PDF document containing the requirements document for a new project coming up (the malware infected this PDF).

My OS and antivirus are all patched, so the PDF will look OK to open, and I will go ahead and open that PDF.

How does one protect against such types of attacks? (AFAIK, Operation Aurora against Google used this very technique.)

And considering that the PDF sent to me is a confidential business document, I cannot even upload it to sites like virustotal.com, so even if it carried a 0-day infection, antivirus companies won't be able to create a signature for it.

Thanks !

Novice User
  • Realistically speaking, if your boss's computer is infected and he's sending you "confidential data", your organization has failed to protect itself and confidential data are no more. Chances are your boss's computer has much more valuable information than your own system; whether your computer gets infected is not really important - sorry! – Deer Hunter Apr 12 '13 at 09:13
  • @DeerHunter: it's not always true that my boss's system will have more confidential data than mine. For instance, I manage the logins to the servers, so I maintain the list in an Excel file containing the server hostnames and passwords, which can be juicy stuff for an attacker. – Novice User Apr 12 '13 at 14:45

2 Answers

5

Interesting question. There's a couple of areas that are possible controls for this.

The obvious first place is patching things like Java. It's commonly overlooked in patching processes, but with the current level of attacks it needs to get patched as soon as possible.

The next one is hardening. Java applet functionality (which is likely what was exploited here) should be disabled for all general browsing. If it's required for line-of-business applications, I'd recommend using a separate browser with it enabled which is only allowed to access those sites.

In terms of detecting the infection in PDFs, that's trickier. As you say, it probably won't flag to signature-based A-V. Potentially some heuristic-style detection programs would catch it (as it does things that a standard PDF won't).

Another possible control is white-list based program execution (e.g. Bit9). If you can get to the point where only trusted programs can run, then it might block malware when it executes (or at least make it much harder for it to do so).

Lastly, detective controls are a good option here. The malware will likely make outbound connections to C&C servers, so it might be possible to detect those connections.

None of these options are 100%, but they are perhaps worth considering.

Rory McCune
3

Some more thoughts, based around your PDF viewer:

  • Ensure your PDF viewer is configured not to execute code.
  • Ensure your PDF viewer is patched and up to date.
  • Use a less popular PDF viewer, since malware writers will tend to target vulnerabilities in the more popular viewers.
  • Use a different OS than your boss, so if the malware has code compiled specifically for his OS it can't run on your machine.
  • Run your PDF viewer with the minimum possible security privileges.
  • Sandbox your PDF viewer (e.g. run it in a disposable virtual machine) so even if it executes code it can't get at anything.
Graham Hill
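As an added example (not code from either answer), here is a small Python triage script for the heuristic idea in Rory's answer and the "viewer must not execute code" point above: it counts the PDF names that denote active or auto-triggered content, after inflating FlateDecode streams and resolving `#xx` name escapes, and never renders or executes anything. The two sample PDFs and all helper names are my own constructions.

```python
import re
import zlib

# PDF name objects that carry active or auto-triggered content.  A plain
# document (text, fonts, images) has no reason to contain any of them.
ACTIVE = (b"/JavaScript", b"/JS", b"/Launch", b"/RichMedia", b"/XFA", b"/EmbeddedFile")
TRIGGER = (b"/OpenAction", b"/AA")  # hooks that fire without a user click

def _inflate_streams(data: bytes) -> bytes:
    """Append the decompressed body of every FlateDecode stream so that names
    hidden inside compressed objects are visible to the scan as well."""
    extra = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:
            # decompressobj tolerates the trailing newline before 'endstream'
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not zlib data (e.g. an image stream); nothing to inflate
    return data + b"\n" + b"\n".join(extra)

def _resolve_name_escapes(data: bytes) -> bytes:
    """Resolve #xx hex escapes in names, e.g. /J#61vaScript -> /JavaScript,
    a common trick for hiding keywords from naive string matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes) -> dict:
    """Heuristic triage of a PDF: count active-content and auto-trigger names
    after inflating streams and resolving escapes.  Nothing is executed."""
    text = _resolve_name_escapes(_inflate_streams(data))
    counts = {}
    for name in ACTIVE + TRIGGER:
        # (?![A-Za-z]) stops /JS from matching the prefix of a longer name
        counts[name.decode()] = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", text))
    return {
        "counts": counts,
        "suspicious": any(counts[n.decode()] for n in ACTIVE),
        "auto_trigger": any(counts[n.decode()] for n in TRIGGER),
    }

# Constructed samples (not real documents): a bare catalog, and one whose
# OpenAction hides an escaped /JavaScript name inside a FlateDecode stream.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n%%EOF\n")
_body = b"<< /Type /Catalog /OpenAction << /S /J#61vaScript /JS (constructed) >> >>"
SUSPECT_PDF = (b"%PDF-1.4\n1 0 obj << /Filter /FlateDecode >>\nstream\n"
               + zlib.compress(_body) + b"\nendstream\nendobj\n%%EOF\n")
```

Run `triage_pdf(open(path, "rb").read())` on a received file; a non-zero ACTIVE count is a reason to open the document only in a sandboxed or disposable viewer, as Graham's answer suggests.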