New Malware Tricks Exploit PDF Vulnerability

Malicious PDF files are using a new trick to avoid detection by almost all major antivirus scanners on the market, according to security researchers.

In March, researchers from Avast and Sophos independently noticed PDF files making the rounds that were not being flagged as malicious but had the ability to compromise a machine just by being opened. The originating address was often suspicious and the attachments accompanied emails purporting to be an order receipt. The attachments themselves often had names containing the supposed order number.

Email Attachments Linked To Malware

When the attachments were opened under Adobe 8.1.1 or Adobe 9.3, the compromised computer would connect to a remote site and download malware, usually SpyEye, ZBot  or FakeAV, Paul Baccas, a senior threat researcher at Sophos Labs, wrote on the company’s Naked Security blog on April 15.

“The PDFs did not seem to be using any exploit that I could see and yet they were downloading malware,” wrote Baccas.

It turned out these files were using a new trick to re-exploit the CVE-2010-0188 vulnerability Adobe had patched over a year ago on Feb. 16, 2010, according to Baccas.

The exploit is specific to Reader and would not execute in Google Chrome’s PDF Plugin, Jiri Sejtko, a senior virus analyst and researcher at Avast Software, wrote on the company blog April 22. While that’s a good sign, Chrome generally asks users if it should open the file in Reader if it cannot display the file correctly. In this day and age, many users would likely say yes, making them vulnerable, according to Sejtko.

The PDF specifications allow several filters to be used on raw data, either singly or in conjunction with each other, Sejtko said. Anyone can create valid PDF files where the data uses five different filters, or even multiple layers of the same filter. This allows malware authors to embed malicious code deep inside the filters, out of reach of even the most aggressive scanner.

“Our parser was unable to get any suitable content that we could define as malicious,” Sejtko said.

Files exploiting this vulnerability normally use an XML file that contains the raw data for a TIFF image file containing highly obfuscated code, Baccas said. In this case, the attackers were using parameters to control how the filters operate and crafting the attack code embedded in the raw data to conform to these parameters.

The filter being used to encrypt the malicious code was also meant to be used only for black and white images. The exploit detected by Avast researchers combined two filters, one for text and one for images, to hide the payload.

“Who would have thought that a pure image algorithm might be used as a standard filter on any object stream?” Sejtko said. While the “bad guys” are building a specially crafted TIFF image file in the PDF files, the trick can be used to hide special JavaScript and font files, as well.

Compared to other attacks, this attack is seen in “only a very small number” of attacks, Sejtko said, but has also been used in targeted attacks. While the CVE-2010-0188 flaw has been closed in current versions of Adobe Reader, users on older and unpatched versions of the software remain vulnerable to these malicious PDF files.

“I’m not happy to see another trick based on a glitch in the PDF specification. What should we expect to happen next?” Sejtko said.

Ever since Sophos and Avast publicised their findings, other security vendors have stepped up their efforts and updated their malware definitions. Sophos has added a Mal/PDFJS-RE to generically detect these types of files, and Avast detects it as JS:Pdfka-gen.