One of the latest PDF attacks is using more sophisticated shellcode, making analysis of malware more difficult for security researchers while slowing antivirus detection.
The attack, detected over the last few days, looks like a run-of-the-mill malicious PDF file, but its coding contains a second layer that doesn't use the Web to download code, making antivirus detection more difficult.
In an interview with SearchSecurity.com, Bojan Zdrnja, senior information security consultant at Croatia-based security firm Infigo IS, said the malicious code was not working because it was only 38-bytes, but a closer look revealed a second layer written by a savvy malware writer.
"Normally, malicious PDFs like this execute shellcode and then download further things off the Web," Zdrnja said. "This one had everything embedded so it was as stealthy as possible; no connections are made to the Web at all."
Adobe Systems updates:
Active PDF attacks target Reader, Acrobat zero-day vulnerability: Malicious PDF files discovered in the wild spread via an email attachment and target a yet-to-be patched hole in Adobe Reader and Acrobat.
Adobe updates Flash Player, fixes seven serious vulnerabilities: Adobe Flash Player 10.0.42.34 repairs memory corruption errors and a data injection vulnerability that could enable an attacker to crash the player and take control of a machine.
Zdrnja said the sophisticated coding is alarming and something that researchers will be tracking in 2010.
"I'm also worried with the fact that the attacker tried to make this as stealthy as possible since the malicious PDF document drops another, benign PDF document so the victim does not become suspicious," he said. "I think that we will almost certainly see more of such sophisticated attacks in 2010."
The malware author used an egg-hunting shellcode, which hunts for a block of code in the file to execute, rather than downloading malicious data at the time of a successful attack. The hidden code it uses is contained in a color object within the PDF document. Egg-hunting shellcode is normally used in exploits when there is limited buffer space, Zdrnja said. PDF documents typically give as much space as a malware coder needs. Zdrnja said the use of the technique shows that the author is working harder to avoid detection and stifle malware analysis.
In an advisory, Adobe Systems Inc. said it would issue a patch for the vulnerability during its regular updates scheduled for Jan. 12. The vulnerability being targeted is contained in Acrobat Reader and Acrobat 9.2. In an advisory issued Dec. 15, Adobe said the remote code execution vulnerability is being actively targeted by attackers in the wild via malicious email PDF attachments.