PDF attack code complicates security analysis, skirts detection

Robert Westervelt, News Editor

One of the latest PDF attacks is using more sophisticated shellcode, making analysis of malware more difficult for security researchers while slowing antivirus detection.

The attack, detected over the last few days, looks like a run-of-the-mill malicious PDF file, but its coding contains a second layer that doesn't use the Web to download code, making antivirus detection more difficult.

In an interview with SearchSecurity.com, Bojan Zdrnja, senior information security consultant at Croatia-based security firm Infigo IS, said the first-stage shellcode at first appeared not to work because it was only 38 bytes long, but a closer look revealed a second stage written by a savvy malware author.

"Normally, malicious PDFs like this execute shellcode and then download further things off the Web," Zdrnja said. "This one had everything embedded so it was as stealthy as possible; no connections are made to the Web at all."

Zdrnja said the sophisticated coding is alarming and something that researchers will be tracking in 2010.

"I'm also worried about the fact that the attacker tried to make this as stealthy as possible, since the malicious PDF document drops another, benign PDF document so the victim does not become suspicious," he said. "I think that we will almost certainly see more of such sophisticated attacks in 2010."

The malware author used an egg-hunting shellcode: a small first stage that searches memory for a marked block of code (the "egg") already present in the file and jumps to it, rather than downloading malicious data at the time of a successful attack. The hidden code it uses is contained in a color object within the PDF document. Egg-hunting shellcode is normally used in exploits when there is limited buffer space, Zdrnja said, whereas PDF documents typically give a malware author as much space as needed. Its use here, Zdrnja said, shows that the author is working harder to avoid detection and to hinder malware analysis.
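The following is an added example and is not code from the article or from Zdrnja's analysis. It simulates the egg-hunting stage in C: a real egg hunter is a few dozen bytes of position-independent machine code that walks the process address space looking for a marker and jumps to whatever follows it, which is why the first stage can stay as small as the 38 bytes described above while the real payload sits elsewhere in the document. Here the "address space" is a constructed byte array, the tag value `t00w` is an arbitrary choice, and the doubled-tag convention (the tag written twice so the hunter's own single copy is never mistaken for the egg) is assumed as the common x86 hunter layout rather than taken from the page.

```c
/* Added example: simulated egg hunter (not the malware's actual code).
 * The search is run over a constructed byte array standing in for memory,
 * so the control flow can be traced and tested without running shellcode. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: an 8-byte egg made of a 4-byte tag repeated twice. The tag
 * value is arbitrary; only its doubling matters to the search. */
#define EGG_TAG "t00w"
#define TAG_LEN 4
#define EGG_LEN (2 * TAG_LEN)

/* Scan [mem, mem+len) for the doubled tag and return a pointer to the byte
 * right after it (the start of the second stage), or NULL if no egg exists.
 * A hunter in shellcode would also have to probe each page before reading
 * it, because touching an unmapped page would crash the host process; the
 * simulated region has known bounds, so that check is unnecessary here. */
const uint8_t *egg_hunt(const uint8_t *mem, size_t len)
{
    if (mem == NULL || len < EGG_LEN)
        return NULL;
    for (size_t i = 0; i + EGG_LEN <= len; i++) {
        if (memcmp(mem + i, EGG_TAG, TAG_LEN) == 0 &&
            memcmp(mem + i + TAG_LEN, EGG_TAG, TAG_LEN) == 0)
            return mem + i + EGG_LEN;
    }
    return NULL;
}

/* Build a constructed address space: filler, a decoy single tag that must be
 * skipped, more filler, then the real egg followed by the payload. Returns the
 * offset at which the payload starts so callers can compare with egg_hunt(). */
size_t build_memory(uint8_t *mem, size_t len,
                    const uint8_t *payload, size_t plen)
{
    size_t egg_at = len / 2;
    memset(mem, 0x90, len);                      /* NOP-style filler */
    memcpy(mem + 16, EGG_TAG, TAG_LEN);          /* decoy: tag appears once */
    memcpy(mem + egg_at, EGG_TAG, TAG_LEN);
    memcpy(mem + egg_at + TAG_LEN, EGG_TAG, TAG_LEN);
    memcpy(mem + egg_at + EGG_LEN, payload, plen);
    return egg_at + EGG_LEN;
}

/* Runs the whole scenario on constructed data; returns 1 if the hunter
 * finds exactly the planted payload and rejects regions with no egg. */
int egg_hunt_demo_ok(void)
{
    static uint8_t mem[4096];
    static const uint8_t payload[] = "STAGE2-PAYLOAD";   /* constructed */
    size_t off = build_memory(mem, sizeof mem, payload, sizeof payload);
    const uint8_t *hit = egg_hunt(mem, sizeof mem);

    if (hit != mem + off)
        return 0;
    if (memcmp(hit, payload, sizeof payload) != 0)
        return 0;

    /* Region holding only the single (decoy) tag: must not match. */
    uint8_t decoy_only[64];
    memset(decoy_only, 0x90, sizeof decoy_only);
    memcpy(decoy_only + 8, EGG_TAG, TAG_LEN);
    if (egg_hunt(decoy_only, sizeof decoy_only) != NULL)
        return 0;
    /* Region too short to hold an egg at all. */
    if (egg_hunt(decoy_only, EGG_LEN - 1) != NULL)
        return 0;
    return 1;
}

int main(void)
{
    printf("egg hunter simulation: %s\n",
           egg_hunt_demo_ok() ? "payload located" : "FAILED");
    return egg_hunt_demo_ok() ? 0 : 1;
}
```

The point of the simulation is the division of labour: the stage that has to fit into the vulnerable buffer contains nothing but the search, and the second stage can be placed in any object the reader happens to load into memory, with no network request to trigger a detection.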

Zdrnja wrote extensively about his malicious PDF analysis in a SANS Internet Storm Center diary entry. The specific malicious PDF file targets a JavaScript zero-day vulnerability in Adobe Acrobat and Reader. Zdrnja said it drops two files: a harmless decoy PDF, which opens in Adobe Reader so the victim believes the attachment is legitimate, and a second file that carries the malware itself.

In an advisory issued Dec. 15, Adobe Systems Inc. said the remote code execution vulnerability, which affects Adobe Reader and Acrobat 9.2, is being actively exploited in the wild via malicious PDF email attachments. Adobe said it would issue a patch during its regular quarterly update scheduled for Jan. 12.

To mitigate the threat until a patch is released, Adobe advised users to disable JavaScript in Reader and Acrobat and to avoid opening PDFs from untrusted sources. Danish vulnerability clearinghouse Secunia has rated the vulnerability "extremely critical."