
PDF attack code complicates security analysis, skirts detection

Only 8 of 40 antivirus vendors can detect the latest PDF attack, which uses sophisticated coding to complicate security analysis and enable the author to push malware updates.

One of the latest PDF attacks is using more sophisticated shellcode, making analysis of malware more difficult for security researchers while slowing antivirus detection.


The attack, detected over the last few days, looks like a run-of-the-mill malicious PDF file, but its coding contains a second layer that doesn't use the Web to download code, making antivirus detection more difficult.

In an interview, Bojan Zdrnja, senior information security consultant at Croatia-based security firm Infigo IS, said the malicious code initially did not appear to work because it was only 38 bytes, but a closer look revealed a second layer written by a savvy malware writer.

"Normally, malicious PDFs like this execute shellcode and then download further things off the Web," Zdrnja said. "This one had everything embedded so it was as stealthy as possible; no connections are made to the Web at all." 


Zdrnja said the sophisticated coding is alarming and something that researchers will be tracking in 2010.

"I'm also worried with the fact that the attacker tried to make this as stealthy as possible since the malicious PDF document drops another, benign PDF document so the victim does not become suspicious," he said. "I think that we will almost certainly see more of such sophisticated attacks in 2010."

The malware author used an egg-hunting shellcode, which hunts for a block of code in the file to execute, rather than downloading malicious data at the time of a successful attack. The hidden code it uses is contained in a color object within the PDF document. Egg-hunting shellcode is normally used in exploits when there is limited buffer space, Zdrnja said. PDF documents typically give as much space as a malware coder needs. Zdrnja said the use of the technique shows that the author is working harder to avoid detection and stifle malware analysis.
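As an added illustration, not taken from Zdrnja's analysis or the ISC diary, the triage script below shows the analyst's side of the technique described above: it scans a constructed PDF-like byte string for a doubled egg tag (the marker an egg hunter searches for), reports which PDF object holds the hidden stage, and flags the document when that marker coexists with embedded JavaScript. The tag value, object layout and dummy payload bytes are assumptions for this example.

```python
import re

# Constructed sample resembling a PDF body: object 1 carries an OpenAction with
# JavaScript, object 2 is a colour-space stream holding a doubled egg tag
# followed by a dummy "second stage". Tag and payload are assumed values.
EGG_TAG = b"w00t"
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n"
    b"2 0 obj\n<< /ColorSpace /DeviceRGB /Length 28 >>\nstream\n"
    + b"\x00" * 8 + EGG_TAG + EGG_TAG + b"DUMMY-STAGE2\n"
    b"endstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"

OBJ_HEADER = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")


def find_eggs(data, tag=EGG_TAG):
    """Locate every doubled egg tag and report the enclosing PDF object."""
    marker = tag + tag          # egg hunters look for the tag repeated twice
    hits = []
    start = 0
    while (idx := data.find(marker, start)) != -1:
        # The enclosing object is the last "N G obj" header before the hit.
        headers = list(OBJ_HEADER.finditer(data, 0, idx))
        obj_num = int(headers[-1].group(1)) if headers else None
        hits.append({"offset": idx, "object": obj_num,
                     "payload_offset": idx + len(marker)})
        start = idx + len(marker)
    return hits


def triage(data):
    """Combine egg-marker hits with a crude JavaScript check into a verdict."""
    eggs = find_eggs(data)
    has_js = b"/JavaScript" in data or b"/JS" in data
    return {"egg_hits": eggs, "has_javascript": has_js,
            "suspicious": bool(eggs) and has_js}


if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```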

Zdrnja wrote extensively about his malicious PDF analysis in a SANS Internet Storm Center diary entry. The specific malicious PDF file attempts to target a JavaScript zero-day vulnerability in Adobe Acrobat and Reader. Zdrnja said it drops two binaries - a harmless PDF file, designed to open in Adobe Reader and make the user believe the attachment is harmless, and a second file, designed to enable the malware.

In an advisory, Adobe Systems Inc. said it would issue a patch for the vulnerability during its regular updates scheduled for Jan. 12. The vulnerability being targeted is contained in Acrobat Reader and Acrobat 9.2. In an advisory issued Dec. 15, Adobe said the remote code execution vulnerability is being actively targeted by attackers in the wild via malicious email PDF attachments.

To mitigate the threat, Adobe users can disable JavaScript until a patch is released and avoid opening PDFs from untrusted sources. Danish vulnerability clearinghouse Secunia has given the vulnerability an extremely critical rating.
