Dropbox disabling links to possible PDF malware, reports Cyren

The services that host links to potentially malicious documents are actively disabling those links. But a Dropbox security thread suggests the policy is making customers angry.

Some of the oldest exploits in the history of malware remain potent, according to the latest quarterly malware trend report from security provider Cyren, released Monday. The finding is a clear indication that Adobe's method of updating its Reader app for PDF files is not reaching its intended customers.

Because these exploits remain abundant, services such as Dropbox that serve live links to potentially malicious documents are taking active steps to disable access to those documents.

According to the Cyren report, the payload delivered by the most recent batch of malware is quite sophisticated: the latest round of Zbot, which installs a stealth backdoor on infected systems and receives its commands in the background. But the trigger that brings that payload on board, say Cyren's analysts, is a maliciously scripted PDF file.

The specific vulnerability was formally identified back in February 2010 and affected Reader versions 9.3 and earlier. Operating system distributors such as SUSE and Red Hat scrambled to patch the problem without waiting for Adobe to do so. Adobe eventually released version 9.3.1 as a patch. The current version is 11.0.07, and a lot of water has passed under this bridge in more than four years.

But Cyren's report implies, without directly accusing Adobe, that the malicious script checks the version of the Reader plug-in that is rendering it and targets versions right up through 11.0.01. In other words, the document fingerprints the viewer before deciding whether to fire.

"If successfully exploited, the malicious PDF then executes an embedded shellcode that downloads another malicious executable 'backdoor...' which CYREN detected as W32/Androm.AQ," reports Cyren. "New malware is executed and installed on the user's system, enabling an attacker to take full control of the user's system from any location, at any time, without the user's knowledge."
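A version-gated, scripted PDF of the kind described above is exactly what a first-pass triage check should catch. The following Python scanner is an added example, not Cyren's tooling or anything from the report: it inflates FlateDecode streams so compressed objects are visible, looks for the dictionary keys that give a PDF active behaviour (/JavaScript, /OpenAction and so on), and flags scripts that read app.viewerVersion, the Acrobat JavaScript API property a script would consult to check the viewer version. Both sample PDFs are constructed inline; the scripted one contains only a version gate and no exploit.

```python
"""Heuristic triage for scripted PDFs.  Added example, not Cyren's
tooling; the two sample documents below are constructed inline."""
import re
import zlib

# Dictionary keys that give a PDF active behaviour.  Each is a
# legitimate feature on its own, so a single hit is only a weak signal.
ACTIVE_KEYS = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline JavaScript",
    b"/OpenAction": "runs an action when opened",
    b"/AA": "event-triggered additional actions",
    b"/Launch": "launches an external program",
    b"/EmbeddedFile": "embedded file",
}

# Acrobat JavaScript API properties a script reads to fingerprint the viewer.
VERSION_PROBES = [b"app.viewerVersion", b"app.viewerType", b"app.platform"]


def _inflate_streams(data: bytes) -> bytes:
    """Return the raw document plus every FlateDecode stream decompressed,
    so keywords hidden inside compressed objects are also searchable."""
    parts = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # uncompressed or non-Flate stream; nothing to inflate
    return b"\n".join(parts)


def triage_pdf(data: bytes) -> dict:
    """Return the indicators found and a verdict: 'suspicious' when
    JavaScript is paired with an auto-run action, a Launch action or a
    viewer-version probe; 'review' for any other active key; else 'clean'."""
    text = _inflate_streams(data)
    hits = [desc for key, desc in ACTIVE_KEYS.items()
            if re.search(re.escape(key) + rb"(?![A-Za-z])", text)]
    probes = [p.decode() for p in VERSION_PROBES if p in text]
    has_js = "JavaScript action" in hits or "inline JavaScript" in hits
    auto_run = ("runs an action when opened" in hits
                or "event-triggered additional actions" in hits)
    if has_js and (probes or auto_run or "launches an external program" in hits):
        verdict = "suspicious"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"indicators": hits, "version_probes": probes, "verdict": verdict}


def _build_pdf(objects: list) -> bytes:
    """Assemble numbered objects into a minimal PDF with a correct xref table
    (object 1 is taken as the catalog).  Used only to construct samples."""
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for i, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref))
    return bytes(out)


# Constructed sample 1: catalog auto-runs a Flate-compressed script that
# gates on the viewer version.  The exploit body is deliberately absent.
_JS = b"if (app.viewerVersion <= 11) {\n  // exploit would go here\n}\n"
_JS_STREAM = zlib.compress(_JS)
SCRIPTED_PDF = _build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
    b"<< /Type /Pages /Kids [] /Count 0 >>",
    b"<< /S /JavaScript /JS 4 0 R >>",
    b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(_JS_STREAM)
    + _JS_STREAM + b"\nendstream",
])

# Constructed sample 2: a plain one-page document with an uncompressed
# content stream and no active keys.
_CONTENT = b"BT /F1 12 Tf 72 720 Td (Payroll statement) Tj ET"
BENIGN_PDF = _build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>",
    b"<< /Length %d >>\nstream\n" % len(_CONTENT) + _CONTENT + b"\nendstream",
])

if __name__ == "__main__":
    for name, pdf in (("scripted", SCRIPTED_PDF), ("benign", BENIGN_PDF)):
        print(name, triage_pdf(pdf))
```

This is a keyword heuristic, not a PDF parser: scripts split across string concatenations, passed through eval, or stored under filters other than FlateDecode (ASCIIHex, LZW, object streams) will slip past it, and a handful of legitimate forms use /JS and /AA for field validation. Treat a "suspicious" verdict as a reason to detonate the file in a sandbox, not as a conviction.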

According to a Dropbox security thread begun in May, an unrelated vulnerability first forced Dropbox to begin disabling links. That vulnerability had nothing to do with malware: it concerned the possibility that the referrer of a link could learn the exact filename of a document being shared between users, a privacy leak rather than a malware threat. But it put on the public record that Dropbox would disable potentially threatening links in the interest of its customers.

Several subsequent updates in that thread indicate that enough users complained about the disablement policy that Dropbox began re-enabling links once tests confirmed they posed no privacy risk. The company also gave users the ability to selectively re-enable links themselves. Unfortunately, that may well have produced situations in which links to malicious PDFs disguised as payroll messages were re-enabled by their own recipients.

Cyren explicitly reports that the Dropbox links were disguised as payroll messages, with sender email addresses spoofing Intuit's domain. While Intuit, the maker of QuickBooks, acknowledges a wide variety of fake emails purporting to come from Intuit, it has yet to acknowledge fake Dropbox messages.

Of course, this brings up an interesting question in itself: Why would employees expect to find payroll messages in their personal Dropbox accounts unless their employers are actively using them to deliver company messages in the first place?

For more:
- see the Cyren Q2 2014 malware trend report
- see CVE's 2010 report on the PDF vulnerability
- check out Red Hat's 2010 security warning
- read the Dropbox security report from May 6, 2014
- read Intuit's security report on fake emails

Related Articles:
New Dropbox for Business gets enterprise-friendly features [FierceCIO]
Sophos: Most companies permit Dropbox, few companies like it
Dropbox VP: People's trust comes first, followed by IT security
