Friday, March 05, 2010 10:52 AM cmosby

The Morphing PDF – F-Secure Weblog

Friday, March 5, 2010  
 
The Morphing PDF Posted by Response @ 07:00 GMT | Comments

Just when we thought SEO using Flash was as interesting as SEO poisoning can get, it seems it's getting even sneakier…

Imagine a PDF file posted by someone evil online. Of course, Google being Google, the file is recognized as a PDF.

Joe Corvo

And when we open it, it really is a PDF. No evil codes inside, just a good old vanilla PDF file.

Joe Corvo PDF

Three hours later… Google still says the file is a PDF. Brod (one of our geeky guys here) is attributing this to Google's cache.

Joe Corvo, 3hrs later

But is it really a PDF this time around?

Joe Corvo HTML

It morphed! And it even has different topics this time. Topics which, when you follow them, will lead you to another PDF:

Jay Polhill PDF

At least for a few hours before it becomes…

Jay Polhill HTML

It's a vicious cycle, but a pretty neat trick. Who would suspect a non-malicious PDF file right? At least before it becomes an HTML file. And the end result is a rogue antivirus scam.

Response post by — Christine and Mina

Filed under: , , , ,

Comments

No Comments