Malware Code Moving to Rich Content

By Matthew Hines  |  Posted 2008-09-24 Print this article Print

As security pundits have been predicting literally since the dawn of the YouTube era, researchers report that they are now finding rapidly increasing levels of malware hidden in rich content formats, including PDF documents and multimedia files.

In a report that traces the advancement of code obfuscation and encryption techniques employed by malware authors over the last several years, experts working in security-filtering specialist Finjan's Malicious Code Research Center (MCRC) conclude that threats targeting ubiquitous technologies used in many rich content platforms, such as JavaScript, are quickly becoming cybercriminals' handiest "tools of the trade."

Adding the ability to carry out JavaScript-based attacks and the like via PDFs, multimedia players and other user-generated content platforms, including advertisements, will only serve to accelerate attackers' abilities to plant "invisible" malware code onto users' machines via drive-by as soon as they visit a site bearing the content, Finjan contends.

"Since JavaScript is the most-used scripting language for communication with Web browsers, third-party applications such as Flash player, PDF readers and other multimedia applications have added support for JavaScript as part of their application," Yuval Ben-Itzhak, CTO of Finjan, said in a report summary. "This offers crimeware authors the opportunity to inject malicious code into rich-content files used by ads and user-generated content on Web 2.0 Web sites."

By employing cutting-edge obfuscation techniques to hide their attacks in PDF files and Flash content, cybercriminals will further stymie efforts to sniff out their work using traditional signature-based anti-virus systems, the report submits. For its part, Finjan preaches the use of more aggressive content monitoring tools, such as its own, to help address the issue.

While malware code obfuscation and the use of rich content platforms to deliver attacks are nothing new in and of themselves, the two trends are feeding off of each other and leading to the creation of more powerful threats that leverage both techniques, the researchers said.

Finjan highlighted the issue in its Malicious Page of the Month report, showing off an example of such a threat it found in the wild during August through which an attacker used a customized obfuscation method to exploit several already published vulnerabilities on a Web page to deliver up a Trojan via drive-by.

Upon submitting the Trojan for scanning on the clearinghouse site, only several engines identified the file as suspicious, yet, after de-obfuscating the code, a common exploit was exposed, the company reported.

"One of the features of a PDF [Portable Document Format] file is the ability to embed JavaScript code to customize and manipulate PDF files. An unwanted side effect of this capability is that it provides a platform for crimeware authors to embed malicious scripts into PDF documents for malicious purposes," the researchers said.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel