Feeds

Poison PDF pusher released to public

A quick download, a couple of clicks, a naughty URL and you're in the business of crime

Top 5 reasons to deploy VMware with Tegile

Attacking enterprises just got easier with the development of an idiot-friendly tool that spits out booby-trapped PDFs with a few clicks.

The tool weaves existing exploits into PDFs, allowing attacks against Adobe Reader and Acrobat versions 8.x prior to 8.2.1 and 9.x before 9.3.1.

Users can insert their own URL pointers into the program, which then spits out an exploited PDF. Microsoft's free anti-virus had blocked the attack (CVE-2010-0188) in a test and it was likely other platforms would raise flags too.

Only unpatched users could be effectively targeted, but given the poor state of patching, that provides a pretty big pool of potential victims.

Users could combine the tool with one of many free or paid automated phishing platforms to create the ultimate lazy targeted attack system.

While the black hat uses for the tool were obvious, penetration testers and internal security teams can use it to launch attacks against staff to help improve social engineering awareness and defences.

SecRecon freelance security bod Claes Spett developed the tool while building a private exploit kit to help him pop organisations during penetration tests.

He published the executable to Google Drive, with the usual "at your own risk" caveat, here. El Reg urges users to play responsibly. ®

Remote control for virtualized desktops

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.