New PDF Exploit Hides, Then Hits

Tuesday, April 26, 2011 @ 04:04 PM gHale

A new technique used by PDF exploits can evade antivirus detection. This exploit relies on encoding the malicious code as an image object, said researchers at Czech security vendor AVAST.

First encountered a month ago, the technique has since been used in limited but targeted attacks, AVAST officials said.

“This story began when we found a new, previously unseen, PDF file a month ago. It wasn’t detected by us or by any other AV company,” said Jiri Sejtko, a senior antivirus analyst at AVAST.

“Its originating URL address was quite suspicious and soon we confirmed the exploitation and system infection caused by just opening this document. But our parser was unable to get any suitable content that we could define as malicious,” he said.

It turns out there was no JavaScript stream in this file at all, even though PDF exploits normally rely on JavaScript heap spraying.

The researchers decoded and analyzed one of only two objects referenced by an XFA array and ruled it out. The remaining object required two filters to decode: FlateDecode and JBIG2Decode.

FlateDecode is common, but JBIG2Decode normally decodes monochrome image data, and this is where the attackers chose to store the JavaScript code.

As it turns out, JBIG2Decode can be applied to any object stream, not just image data, an unusual behavior that the AVAST developers, and probably those at other vendors as well, did not anticipate when writing their PDF parser.
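A triage heuristic for exactly this trick, added here as an illustration (it is not AVAST's code): flag any stream carrying the JBIG2Decode filter that is not an image XObject, and note when such a stream is referenced from an /XFA array. The PDF fragment is constructed for the demo, and the regexes only cover flat object dictionaries like the ones in it.

```python
import re

# Constructed demo input, not a real malicious sample. Object 5 is referenced from
# the /XFA array and chains FlateDecode + JBIG2Decode without being an image
# XObject; object 6 is an ordinary JBIG2 image and must not be flagged.
SAMPLE_PDF = b"""%PDF-1.7
2 0 obj << /XFA [ (template) 4 0 R (datasets) 5 0 R ] >> endobj
4 0 obj << /Length 5 /Filter /FlateDecode >> stream
xxxxx
endstream endobj
5 0 obj << /Length 5 /Filter [ /FlateDecode /JBIG2Decode ] >> stream
xxxxx
endstream endobj
6 0 obj << /Type /XObject /Subtype /Image /Width 8 /Height 8 /Filter /JBIG2Decode /Length 5 >> stream
xxxxx
endstream endobj
"""

# Heuristic regexes: fine for flat << >> dictionaries, no nested dicts/object streams.
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*<<(.*?)>>", re.S)
XFA_RE = re.compile(rb"/XFA\s*\[(.*?)\]", re.S)
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R")


def object_dicts(pdf):
    """Map object number -> raw dictionary bytes for each top-level object."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}

def xfa_referenced_objects(pdf):
    """Object numbers referenced directly from any /XFA array."""
    refs = set()
    for arr in XFA_RE.finditer(pdf):
        refs.update(int(r.group(1)) for r in REF_RE.finditer(arr.group(1)))
    return refs

def suspicious_jbig2_streams(pdf):
    """Flag JBIG2Decode streams that are not images or are reachable via /XFA."""
    xfa = xfa_referenced_objects(pdf)
    findings = {}
    for num, d in object_dicts(pdf).items():
        if b"/JBIG2Decode" not in d:
            continue
        reasons = []
        if not re.search(rb"/Subtype\s*/Image", d):
            reasons.append("JBIG2Decode filter on a non-image stream")
        if num in xfa:
            reasons.append("stream is referenced from an /XFA array")
        if reasons:
            findings[num] = reasons
    return findings
```

On the sample, only object 5 is reported, with both reasons; a real scanner would additionally inflate the FlateDecode layer and inspect what the JBIG2 decoder would be handed.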

This particular file attempted to exploit an older Adobe Reader vulnerability, CVE-2010-0188, discovered in 2010 and patched in current versions of the program.
