PDF Exploit Makes Malware Detection Harder

A new PDF attack, which utilizes more advanced shellcode, is creating problems for security researchers in analyzing malware as the attack slows down antivirus detection.

The researchers state that some aspects of the exploit (or attack) are conventional. However, there're dual shell codes of different nature in it. The first one is implanted inside an obfuscated script, while the other is placed in the form of a color component inside the PDF. This second shellcode doesn't have a proper format; still Acrobat Reader takes it inside its memory for easy and useful execution.

Bojan Zdrnja, Senior Information Security Consultant at Croatia-based Infigo IS, said that usually malicious PDFs mentioned about executed shellcode after which it downloaded more items from the Web. But the latest PDF exploit had all the items implanted therefore it was stealthy to the maximum possible degree. It didn't have to establish any Web-connection, the consultant explained, as reported by SecuritySearch on January 4, 2010.

Zdrnja further said that the malicious PDF was extremely stealthy as it installed another noble PDF document to make the original one appear less suspicious. According to him, such sophisticated assaults were expected further during 2010.

Commenting on the latest PDF assault, security experts at the Internet Storm Center of the SANS Institute, stated that it demonstrated how far malware attackers were prepared to make it difficult for both victims and AV-vendors to detect their malware.

Since a patch for the new exploit isn't ready as yet, security specialists have suggested all users to deactivate JavaScript in their Adobe Reader software. The SANS Institute states that it is receiving an increasing number of reports of the vulnerability's exploitation by PDF documents. According to the Institute, it seems that the documents are being repeatedly customized to make the maximum number of victims possible to open them.

Moreover, end-users are alerted that these malevolent PDF documents when utilized within targeted attacks can dupe a user so that he might think the fake document was just sent inadvertently.

Finally, Secunia, the Danish vulnerability clearinghouse, has rated the security flaw "extremely critical."

Related article: PDF flaw gets fixed with Adobe patch

» SPAMfighter News - 1/14/2010