Over the last couple of years the focus from cyber criminals on Adobe software has significantly increased. During the first quarter of 2010 Kaspersky Lab found that about 50% of all exploits target Adobe software. Give the popularity of Adobe products, this has a huge impact on the Internet community. About 90% of the exploits attacking Adobe software target Adobe Reader (PDF), while the other 10% target Adobe Flash Player. To compare, fewer than 20% of all found exploits target the next most exploited software - from Microsoft

Why are cyber criminals focusing on Adobe now? I will start by examining the reasons Adobe is the preferred target for exploit writers, as well as the most popular infection vector in targeted attacks. The reasons include the improved security in MS operating systems and applications, the popularity of Adobe software worldwide, some of the technologies Adobe is currently implementing, to name a few. I will also show statistics comparing the popularity of exploits against Adobe software in Asia to the rest of the world.

From there we'll have a look at three of the most popular Adobe software exploits: Exploit.JS.Pdfka.cab, Exploit.JS.Pdfka.byp and Exploit.JS.Pdfka.cvl. After looking at these exploits we'll move on to three of the most popular obfuscation methods that are used in the PDF and SWF format exploits. Demos of how the exploits work and how to analyze them will be shown.

Finally, we will discuss generic detection methods of malicious PDF and SWF files, static and dynamic, as well as a number of suggestions for improvement that Adobe should implement.