XDP can Avoid AV Detection

Tuesday, June 19, 2012 @ 11:06 AM gHale


Attackers can stave off detection of most common antivirus (AV) software if they encode malicious PDF files in the XDP format.

XDP is an XML-based file format which includes the PDF as a Base64-encoded data stream. Adobe Reader will open XDP files just like a normal PDF and can therefore infect systems in the same way, said security researcher Brandon Dixon.
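The detection gap described above comes down to the scanner never seeing the `%PDF-` bytes: they sit Base64-encoded inside an XML wrapper, so a filter that keys on file extension or magic bytes has nothing to match. The following added example (not code from this article or from Dixon's research) shows the defender's side of that: a small pre-scan step that unwraps the XDP, decodes every data chunk, and reports whether a PDF payload is present so it can be handed to the real antivirus engine. The XDP element layout and both sample documents are constructed for illustration; the wrapper is modelled on Adobe's XDP packaging but is an assumption, not copied from any real file.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

PDF_MAGIC = b"%PDF-"


def extract_chunks(xdp_text):
    """Decode every Base64 <chunk> element in an XDP document.

    Namespace-agnostic on purpose: only the element's local name is compared,
    so default-namespaced and prefixed forms are both picked up. Chunks that
    are not valid Base64 are skipped rather than aborting the whole scan.
    """
    root = ET.fromstring(xdp_text)
    blobs = []
    for elem in root.iter():
        local_name = elem.tag.rsplit("}", 1)[-1]
        if local_name != "chunk" or not elem.text:
            continue
        compact = "".join(elem.text.split())  # Base64 in XDP is line-wrapped
        try:
            blobs.append(base64.b64decode(compact, validate=True))
        except binascii.Error:
            continue
    return blobs


def assess_xdp(xdp_text):
    """Return what a gateway needs to know before handing the file to an AV engine."""
    blobs = extract_chunks(xdp_text)
    pdfs = [b for b in blobs if b.startswith(PDF_MAGIC)]
    return {
        "chunks": len(blobs),
        "pdf_payloads": len(pdfs),
        "scan_required": bool(pdfs),
        "payloads": pdfs,  # decoded bytes to pass on to the scanner
    }


def wrap_b64(data, width=64):
    """Base64-encode and line-wrap the way an XDP writer would."""
    enc = base64.b64encode(data).decode("ascii")
    return "\n".join(enc[i:i + width] for i in range(0, len(enc), width))


# Constructed, benign sample PDF: just enough to carry the %PDF- header.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Constructed XDP wrapper (assumed layout, modelled on Adobe's XDP packaging).
SAMPLE_XDP = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">\n'
    '  <pdf xmlns="http://ns.adobe.com/xdp/pdf/">\n'
    '    <document>\n'
    '      <chunk>\n' + wrap_b64(SAMPLE_PDF) + '\n      </chunk>\n'
    '    </document>\n'
    '  </pdf>\n'
    '</xdp:xdp>\n'
)

# Constructed control case: same wrapper, but the chunk is not a PDF at all.
SAMPLE_XDP_NO_PDF = SAMPLE_XDP.replace(wrap_b64(SAMPLE_PDF), wrap_b64(b"just some text"))


if __name__ == "__main__":
    for name, doc in (("with PDF", SAMPLE_XDP), ("no PDF", SAMPLE_XDP_NO_PDF)):
        result = assess_xdp(doc)
        print(f"{name}: chunks={result['chunks']} "
              f"pdf_payloads={result['pdf_payloads']} "
              f"scan_required={result['scan_required']}")
```

The point of the design is that the decision to scan is made on the decoded bytes, not on the container: a mail or web gateway that runs `assess_xdp` first and feeds each returned payload to its normal PDF scanner closes the gap the article describes, whether or not the AV vendor has added XDP awareness of its own.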

Antivirus software can be relatively easy to fool, but the idea that simple encoding alone can get a known exploit past it is interesting.

In Dixon’s test document, which uses a two-year-old security vulnerability in Adobe Reader, one antivirus package detected the exploit. After experimenting with the XDP format, he was able to create another file that fooled all 42 antivirus engines used on VirusTotal.

Adobe patched the exploit Dixon used quite a while ago.

“The exploit is old,” he said. “The JavaScript is not encoded. This should be fixed.”

To make sure their networks do not suffer an attack, users should avoid XDP files in general until Adobe patches its software or the antivirus companies fix their detection methods. A commenter on Dixon’s blog did say this kind of exploit has been out in the industry since the beginning of last year.
