Security researchers have identified a new trick in PDF files sent as email attachments that obfuscates attack code by encoding it inside an image file.
Malicious PDF files are using a new trick to avoid detection by almost all major antivirus scanners on the market, according to security researchers.
Researchers from Avast and Sophos independently noticed PDF files making the rounds in March that weren't being flagged as malicious but had the ability to compromise a machine just by being opened. The originating address was often suspicious, and the attachments accompanied emails purporting to be an order receipt. The attachments themselves often had names containing the supposed order number.
When the attachments were opened under Adobe 8.1.1 or Adobe 9.3, the compromised computer would connect to a remote site and download malware, usually SpyEye, ZBot or FakeAV, Baccas, a senior threat researcher at Sophos Labs, wrote on the company's Naked Security blog on April 15.
"The PDFs did not seem to be using any exploit that I could see and yet they were downloading malware," wrote Baccas.
It turned out these files were using a new trick to re-exploit the CVE-2010-0188 vulnerability, which Adobe had patched over a year ago, on Feb. 16, 2010, according to Baccas.
The exploit is specific to Reader and would not execute in Google Chrome's PDF Plugin, Jiri Sejtko, a senior virus analyst and researcher at Avast Software, wrote on the company blog April 22. While that's a good sign, Chrome generally asks users whether it should open the file in Reader if it can't display the file correctly. In this day and age, many users would likely say yes, making them vulnerable, according to Sejtko.
The PDF specifications allow several filters to be used on raw data, either singly or in conjunction with each other, Sejtko said. Anyone can create valid PDF files where the data uses five different filters, or even multiple layers of the same filter. This allows malware authors to embed malicious code deep inside the filters, out of reach of even the most
"Our parser was unable to get any suitable content that we could define as malicious," Sejtko said.
Files exploiting this vulnerability normally use an XML file that contains the raw data for a TIFF image file containing highly obfuscated code, Baccas said. In this case, the attackers were using parameters to control how the filters operate and crafting the attack code embedded in the raw data to conform to these parameters.
The filter being used to encode the malicious code was also meant to be used only for black-and-white images. The exploit detected by Avast researchers combined two filters, one for text and one for images, to hide the
"Who would have thought that a pure image algorithm might be used as a standard filter on any object stream?" Sejtko said. While the "bad guys" are building a specially crafted TIFF image file in the PDF files, the trick can be used to
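The filter-chaining behaviour Sejtko describes is exactly what a scanner has to reproduce before it can see the payload: walk each stream's /Filter entry in the order listed, apply every decoder, and treat a filter it cannot reverse, or an image-only filter sitting on a non-image object, as a reason to flag the file rather than pass it. The Python below is an added example written for this article, not code from Avast, Sophos or Adobe. The three-object PDF it builds is constructed inline (the JBIG2 and JPEG payloads are placeholder bytes, not real image data), the `analyze_pdf`, `decode_chain` and `build_sample_pdf` names and the flag strings are this example's own, and FlateDecode predictors from /DecodeParms are deliberately not applied.

```python
from __future__ import annotations
import re
import zlib
import base64

# Filters the PDF spec defines for image samples only. They are legitimate on an
# /XObject with /Subtype /Image and suspicious anywhere else (e.g. an object stream).
IMAGE_ONLY = {"JBIG2Decode", "CCITTFaxDecode", "DCTDecode", "JPXDecode"}


def ascii_hex_decode(data: bytes) -> bytes:
    body = re.sub(rb"\s", b"", data.split(b">", 1)[0])
    if len(body) % 2:                      # an odd final digit is read as if followed by 0
        body += b"0"
    return bytes.fromhex(body.decode("ascii"))


def ascii85_decode(data: bytes) -> bytes:
    body = re.sub(rb"\s", b"", data.split(b"~>", 1)[0])
    return base64.a85decode(body[2:] if body.startswith(b"<~") else body)


def run_length_decode(data: bytes) -> bytes:
    out, i = bytearray(), 0
    while i < len(data):
        length = data[i]
        if length == 128:                  # EOD marker
            break
        if length < 128:                   # literal run of length+1 bytes
            out += data[i + 1:i + 2 + length]
            i += 2 + length
        else:                              # next byte repeated 257-length times
            out += data[i + 1:i + 2] * (257 - length)
            i += 2
    return bytes(out)


DECODERS = {
    "ASCIIHexDecode": ascii_hex_decode,
    "ASCII85Decode": ascii85_decode,
    "FlateDecode": zlib.decompress,        # /DecodeParms predictors are not applied here
    "RunLengthDecode": run_length_decode,
}


def decode_chain(raw: bytes, chain: list[str]) -> tuple[bytes, str | None]:
    """Apply filters in /Filter order; stop at the first one this checker cannot reverse."""
    data = raw
    for name in chain:
        decoder = DECODERS.get(name)
        if decoder is None:
            return data, name
        data = decoder(data)
    return data, None


def parse_dict(src: bytes, start: int) -> tuple[bytes, int]:
    """Return the raw '<< ... >>' dictionary at src[start] (nesting-aware) and the offset past it."""
    depth, i = 0, start
    while i < len(src) - 1:
        pair = src[i:i + 2]
        if pair == b"<<":
            depth, i = depth + 1, i + 2
        elif pair == b">>":
            depth, i = depth - 1, i + 2
            if depth == 0:
                return src[start:i], i
        else:
            i += 1
    raise ValueError("unterminated dictionary")


def filter_chain(dictionary: bytes) -> list[str]:
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/[A-Za-z0-9]+)", dictionary)
    return [n.decode() for n in re.findall(rb"/([A-Za-z0-9]+)", m.group(1))] if m else []


def analyze_pdf(pdf: bytes) -> list[dict]:
    """Walk every 'N G obj' that carries a stream and report filter usage that hides content."""
    results = []
    for m in re.finditer(rb"(\d+)\s+(\d+)\s+obj\b", pdf):
        if not re.match(rb"\s*<<", pdf[m.end():]):
            continue
        dictionary, after = parse_dict(pdf, pdf.find(b"<<", m.end()))
        sm = re.match(rb"\s*stream\r?\n", pdf[after:])
        if not sm:
            continue                       # dictionary object without a stream
        start = after + sm.end()
        lm = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", dictionary)   # direct /Length only
        end = start + int(lm.group(1)) if lm else pdf.find(b"endstream", start)
        raw = pdf[start:end] if lm else pdf[start:end].rstrip(b"\r\n")
        chain = filter_chain(dictionary)
        is_image = re.search(rb"/Subtype\s*/Image", dictionary) is not None
        decoded, stopped_at = decode_chain(raw, chain)
        flags = []
        if not is_image and IMAGE_ONLY & set(chain):
            flags.append("image-only filter on non-image stream")
        if len(chain) > 2:
            flags.append("long filter chain")
        if len(chain) != len(set(chain)):
            flags.append("repeated filter")
        if stopped_at and not is_image:
            flags.append(f"content behind {stopped_at} not inspected")
        results.append({"obj": int(m.group(1)), "filters": chain, "is_image": is_image,
                        "decoded": decoded if stopped_at is None else None,
                        "stopped_at": stopped_at, "flags": flags})
    return results


def _stream_obj(num: int, entries: bytes, data: bytes) -> bytes:
    return (b"%d 0 obj\n<< /Length %d %s >>\nstream\n" % (num, len(data), entries)
            + data + b"\nendstream\nendobj\n")


def build_sample_pdf() -> bytes:
    """Constructed sample (not a real file): a normally filtered content stream, a
    JBIG2-wrapped non-image stream, and a legitimate DCT image XObject."""
    content = b"BT /F1 12 Tf (Hello) Tj ET"
    # /Filter lists decode order, so the data was Flate-compressed first, then hex-encoded.
    hex_flate = zlib.compress(content).hex().encode() + b">"
    fake_jbig2 = zlib.compress(b"constructed placeholder, not real JBIG2 data")
    fake_jpeg = b"\xff\xd8 constructed placeholder, not real JPEG data"
    return (b"%PDF-1.4\n"
            + _stream_obj(1, b"/Filter [/ASCIIHexDecode /FlateDecode]", hex_flate)
            + _stream_obj(2, b"/Filter [/FlateDecode /JBIG2Decode] "
                             b"/DecodeParms [null << /JBIG2Globals 4 0 R >>]", fake_jbig2)
            + _stream_obj(3, b"/Type /XObject /Subtype /Image /Width 8 /Height 8 "
                             b"/ColorSpace /DeviceGray /BitsPerComponent 8 /Filter /DCTDecode", fake_jpeg)
            + b"%%EOF\n")


if __name__ == "__main__":
    for r in analyze_pdf(build_sample_pdf()):
        print(r["obj"], r["filters"], r["flags"] or "ok")
```

Object 1 decodes fully and is clean; object 2 is the pattern the article describes, an image-only filter on something that is not declared as an image, and the checker reports both that and the fact that it could not look behind JBIG2Decode; object 3 shows the same filter is unremarkable on a real image XObject. A production scanner would go further (indirect /Length, predictors, a JBIG2 decoder), but the decision of interest is already visible here: a stream whose payload cannot be reached should be treated as uninspected, not as clean.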
Compared to other attacks, this technique is seen in "only a very small number" of attacks, Sejtko said, but it has also been used in targeted attacks. While the CVE-2010-0188 flaw has been closed in current versions of Adobe Reader, users on older and unpatched versions of the software remain vulnerable to these malicious PDF files.
"I'm not happy to see another trick based on a glitch in the PDF specification. What should we expect to happen next?" Sejtko said.
Since Sophos and Avast publicized their findings, other security vendors have stepped up their efforts and updated their malware definitions. Sophos has added the Mal/PDFJS-RE detection to generically catch these types of files, and Avast detects it as JS:Pdfka-gen.