Obfuscation Helping PDF Attacks Beat AV

By Matthew Hines  |  Posted 2009-06-02 Print this article Print

The use of obfuscation to make electronic threats harder to fingerprint is nothing revolutionary in the world of malware, but attackers are increasingly using cutting-edge incarnations of the approach to hide their work and circumvent widely used signature-based AV technologies.

As highlighted in a recent blog post by Lumension security expert Paul Henry, despite the longtime use of obfuscation among black hats, attackers are still finding highly effective methods to bury their malware inside files such as PDFs simply by obscuring their code.

The expert cited a recent example of such a PDF attack that he encountered online that, when tested, was only discovered by 8 of the 40 different AV systems aggregated on the Virustotal.com site.

In the involved PDF, Henry said that even the best systems were clearly challenged to decipher the malicious code with the extent to which it was artfully disguised alongside legitimate content.

The attack serves as yet another example that signature-based AV provides far from sufficient protection when solely depended upon for protection, Henry said. Of course, Henry is currently employed by Lumension, which markets a range of security solutions which promise to fill the gaps in such older technologies via the use of techniques including applications whitelisting and predictive filtering.

"The most effective additional layer of defense is to run an application control/whitelisting solution that will prevent any unwanted application from executing on the user's PC, thus preventing malware infestation," Henry submits.

For more traditional methods of defense, the game of cat-and-mouse with attackers has simply become a losing proposition, according to the expert.

"The PDF file highlights the arms race currently being fought by signature based anti-virus vendors and the bad guys," said Henry. "Simply put, by obfuscating the underlying malware, the bad guys can easily slip malicious PDF files through signature-based AV solutions undetected. When an AV vendor creates a signature to match a given version, the bad guys alter the obfuscation method, thus giving them the upper hand."

In a nod to another of Lumension's areas of expertise, Henry said that organizational patching programs must also be improved to help end users address the obfuscation issue directly, as "the key solution here is patching the underlying vulnerability as the best line of defense."

Applications whitelisting is being forwarded by a wide number of vendors these days as a valuable tool in defending against malware, but one does have to wonder to what extent it will make a significant impact in slowing the cybercrime wave before people start figuring out ways to game it just as they game current AV tools.

Patching is always the most obvious answer to this problem, but as we know, patching is often a laborious, time-consuming process, and based on that reality organizations must often pick and choose which patches they decide to apply first, or at all.

And in the case of zero days, the affected vulnerability obviously hasn't even yet been discovered by the good guys, so no patch is going to be available.

Highly skilled obfuscation has long been a cornerstone of some of the most successful attacks that the Web has ever seen, and likely in those campaigns that have never been discovered because they were hidden so well.

For now, don't trust an attachment unless you're 100 percent sure that it's completely legitimate.

Any other advice is just obscuring the reality of the problem.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.

del.icio.us | digg.com

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel