PDF attack code complicates security analysis, skirts detection

Robert Westervelt, News Editor

One of the latest PDF attacks is using more sophisticated shellcode, making analysis of malware more difficult for security researchers while slowing antivirus detection. 

The attack, detected over the last few days, looks like a run-of-the-mill malicious PDF file, but its code contains a second layer that never reaches out to the Web to download anything, making antivirus detection more difficult.

In an interview with SearchSecurity.com, Bojan Zdrnja, senior information security consultant at Croatia-based security firm Infigo IS, said the malicious code was not working because it was only 38 bytes long, but a closer look revealed a second layer written by a savvy malware writer.

"Normally, malicious PDFs like this execute shellcode and then download further things off the Web," Zdrnja said. "This one had everything embedded so it was as stealthy as possible; no connections are made to the Web at all." 

Zdrnja said the sophisticated coding is alarming and something that researchers will be tracking in 2010.

"I'm also worried with the fact that the attacker tried to make this as stealthy as possible since the malicious PDF document drops another, benign PDF document so the victim does not become suspicious," he said. "I think that we will almost certainly see more of such sophisticated attacks in 2010."

The malware author used an egg-hunting shellcode, which searches for a block of code already present in the file and executes it, rather than downloading malicious data at the time of a successful attack. The hidden code it looks for is stored in a color object within the PDF document. Egg-hunting shellcode is normally used in exploits where buffer space is limited, Zdrnja said, whereas a PDF document typically gives a malware coder as much space as needed. Zdrnja said the use of the technique shows that the author is working harder to avoid detection and to stifle malware analysis.

Zdrnja wrote extensively about his malicious PDF analysis in a SANS Internet Storm Center diary entry. The malicious PDF file targets a JavaScript zero-day vulnerability in Adobe Acrobat and Reader. Zdrnja said it drops two binaries: a harmless PDF file, designed to open in Adobe Reader and make the user believe the attachment is harmless, and a second file, designed to enable the malware.
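A static triage check in the spirit of this analysis, added here as an example (it is not Zdrnja's tooling and does not reproduce the real sample): it walks the objects of a PDF, flags dictionary keys that trigger script or embedded payloads, and flags any stream containing a doubled 4-byte tag, the marker an egg hunter scans for. The sample document and the tag `T4G!` are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample, NOT the real malicious file: object 1 auto-runs
# object 3 (JavaScript), object 4 is an embedded file, and object 5 is a
# color-space stream holding a doubled 4-byte tag (hypothetical tag b"T4G!").
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 4 >> stream\nMZ..\nendstream endobj\n"
    b"5 0 obj << /ColorSpace /DeviceRGB /Length 12 >> stream\n"
    b"\x90\x90T4G!T4G!\x90\x90\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Dictionary keys that make a document from an untrusted sender worth a look:
# script execution, automatic actions, launching programs, embedded files.
SUSPICIOUS_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                   b"/Launch", b"/EmbeddedFile")
OBJ_RE = re.compile(rb"(\d+) (\d+) obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# An egg hunter looks for a 4-byte tag immediately repeated; match that shape.
EGG_RE = re.compile(rb"(....)\1", re.S)

def find_indicators(pdf: bytes) -> Dict[str, List[str]]:
    """Map each object number to the indicators found in it (unflagged objects omitted)."""
    hits: Dict[str, List[str]] = {}
    for num, _gen, body in OBJ_RE.findall(pdf):
        found = [k.decode() for k in SUSPICIOUS_KEYS if k in body]
        for stream in STREAM_RE.findall(body):
            for m in EGG_RE.finditer(stream):
                if len(set(m.group(1))) > 1:  # skip NOP sleds and padding runs
                    found.append("doubled-tag:" + m.group(1).hex())
                    break
        if found:
            hits[num.decode()] = found
    return hits

def script_with_embedded_payload(pdf: bytes) -> bool:
    """True when the file both runs script and carries its own payload,
    the no-download combination the article describes."""
    flat = [i for v in find_indicators(pdf).values() for i in v]
    runs_script = any(i in ("/JavaScript", "/JS") for i in flat)
    has_payload = any(i == "/EmbeddedFile" or i.startswith("doubled-tag:") for i in flat)
    return runs_script and has_payload

if __name__ == "__main__":
    for obj, inds in find_indicators(SAMPLE_PDF).items():
        print(f"obj {obj}: {', '.join(inds)}")
    print("script + embedded payload:", script_with_embedded_payload(SAMPLE_PDF))
```

Compressed (FlateDecode) streams would need inflating before the tag scan; the heuristic is a triage aid, not a verdict, and benign documents legitimately use several of these keys.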

In an advisory, Adobe Systems Inc. said it would issue a patch for the vulnerability during its regular updates scheduled for Jan. 12. The vulnerability being targeted is contained in Acrobat Reader and Acrobat 9.2. In an advisory issued Dec. 15, Adobe said the remote code execution vulnerability is being actively targeted by attackers in the wild via malicious email PDF attachments.

To mitigate the threat, Adobe users can disable JavaScript until a patch is released and avoid opening PDFs from untrusted sources. Danish vulnerability clearinghouse Secunia has given the vulnerability an extremely critical rating.
