Type to search
Analyze a file Free Tools

Ransomware Exploits: Detecting and Exploiting CVE-2008-2992 in Adobe Acrobat Reader

‹ Blog

Ransomware Exploits: Detecting and Exploiting CVE-2008-2992 in Adobe Acrobat Reader

A vulnerability is a security flaw in an application that attackers can exploit. Vulnerabilities leave software and systems open to all sorts of cyber attacks.

Software vendors repair these vulnerabilities in the form of patches or software updates, but if those updates are not installed by the user, the system will remain vulnerable to exploits. For this reason, vulnerabilities are a major security risk for many organizations. IT administrators and security officers need to be able to quickly detect and assess vulnerabilities present on endpoints in a network.

In this blog post, we will demonstrate how outdated software can be exploited in order to install ransomware, and how to prevent this with the OPSWAT Vulnerability Engine.

Exploiting a Vulnerability to Install Ransomware



For comparison, we used two systems: The first ran Windows 7 and had Acrobat Reader 17.9 installed, while the second one had Windows XP and Acrobat Reader 8.1. We created a simulated "malicious" PDF file which would exploit a vulnerability in Acrobat Reader 8.1, and we used the same file to test both systems. Such a file could be delivered to a victim via a phishing attack, or a number of other methods.

Adobe Reader 8, Adobe Reader 17

Click image to expand

Acrobat Reader 17.9 could safely and successfully open the malicious PDF like normal, without any kind of exploit taking place.

Adobe Reader 17 No Vulnerability Exploit 

Click image to expand

However, when we opened this PDF in the second system with Acrobat Reader 8.1...

Opening Malicious PDF

Click image to expand

...Adobe Reader crashed.

Adobe Reader 8 Crash

Click image to expand

Next, the malware automatically created an executable file and the file executed itself, and then...

Executable File

Click image to expand

...within seconds the executable file encrypted all the files in the system.

Ransomware Encrypts All Files

Click image to expand

Finally, the following pop-up appeared:

Ransomware Pop-up Message

Click image to expand

Basically, the malicious PDF exploited CVE-2008-2992 to cause buffer overflow, executed a script to download ransomware from a server, and then ran the ransomware!

Detect Vulnerabilities with the OPSWAT Vulnerability Engine



Let's try using the OESIS Endpoint Assessment Tool, which integrates with the OPSWAT Vulnerability Engine, to scan the two systems described above.

In the first system, the tool detected Adobe Reader 17.9.

OPSWAT Vulnerability Engine

Click image to expand

Taking a look at the details, we can see that no vulnerabilities were found in Acrobat Reader 17.9.

OPSWAT Vulnerability Engine Adobe Reader 17

Click image to expand

In the second system, the Vulnerability Engine detected Acrobat Reader 8.1.

OPSWAT Vulnerability Engine Adobe Reader 8

Click image to expand

It detected a lot of vulnerabilities in Acrobat Reader 8.1 (identified by CVE ID), and one of them is CVE-2008-2992.


Click image to expand

Key Takeaways

If applications are not fully patched and updated, malicious software – in this example, ransomware – can infect a system in the amount of time it takes to open a document.

This is why it is so essential to gain visibility into all vulnerabilities present on a system; typically, because any given system will have a multitude of applications installed, there will be multiple vulnerabilities of varying severity.

The OPSWAT Vulnerability Engine provides a report on the vulnerabilities present on a system or network within just a few moments.

Learn more about the OPSWAT Vulnerability Engine here.

Vinh Lam
Software Architect

Vinh Lam joined OPSWAT in September 2012 as the Vietnam Metadefender (formerly Metascan) Team leader. He quickly took ownership of the engineering aspects of the Metadefender product and has immensely contributed to its success. Vinh has been a leader and a contributor to the Metadefender, Metadefender Cloud, and data sanitization product lines. Before joining OPSWAT, he worked at a startup for five years, where he built a Vietnamese search engine that is used by major companies in Vietnam such as Zing. He graduated from the University of Natural Science in Vietnam.

ransomware Vulnerability Engine CVEs Vulnerabilities

Follow Us

Get our latest research and news in your inbox monthly