PDF Exploit Makes Malware Detection Harder
The researchers say that parts of the exploit are conventional, but it carries two shellcodes of different kinds. The first is embedded in an obfuscated script; the second is stored as a colour component inside the PDF. That second shellcode is not well-formed, yet Acrobat Reader still loads it into memory, where the exploit can reach and run it.
Bojan Zdrnja, Senior Information Security Consultant at Croatia-based Infigo IS, said that malicious PDFs usually execute shellcode that then downloads further components from the Web. This exploit, by contrast, carried everything it needed inside the document, which made it as stealthy as possible: it never had to open a network connection, the consultant explained, as reported by SecuritySearch on January 4, 2010.
Zdrnja added that the malicious PDF was stealthy in a second way as well: it dropped a benign decoy PDF so that the original document would look less suspicious. He expected more attacks of this sophistication during 2010.
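One way to look for the traits described above during triage, as an added example that is not the article's or the researchers' code: the Python script below counts the action and embedded-file keys in a PDF (after undoing the #xx name escapes that obfuscated documents use), inflates FlateDecode streams, and flags colour operators whose operands are either too many for any colour space or not numbers at all, which is how a payload stored as a "colour component" would present itself to a lexical scan. The 32-colourant limit comes from the PDF 1.7 DeviceN specification; the scoring weights, the keyword list and the sample PDF are assumptions made for this script. The sample is constructed here and contains no exploit.

```python
"""Static PDF triage for the traits above: an escaped JavaScript action, an
embedded decoy file, and colour operators whose operands look like a payload.
Added example, not the article's or the researchers' code; the sample PDF from
build_sample() is constructed for this script and contains no exploit."""
import re
import zlib

KEYWORDS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
            b"/EmbeddedFile", b"/Launch", b"/RichMedia")
# Operators that set a colour; operands are numbers (scn/SCN may end with a name).
COLOR_OPS = {b"g", b"G", b"rg", b"RG", b"k", b"K", b"sc", b"SC", b"scn", b"SCN"}
MAX_COMPONENTS = 32   # DeviceN colour spaces hold at most 32 colourants (PDF 1.7)
NUMBER = re.compile(rb"^[+-]?(\d+\.?\d*|\.\d+)$")
OPERATOR = re.compile(rb"^([A-Za-z'\"*]{1,3}|d[01])$")   # q, rg, scn, T*, d0 ...
STREAM = re.compile(
    rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)

def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes in names so /Java#53cript is counted as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes.fromhex(m.group(1).decode()), data)

def count_keywords(data: bytes) -> dict:
    """Count each keyword; the lookahead stops /EmbeddedFiles (the name tree)
    from being counted as /EmbeddedFile (the file stream itself)."""
    text = normalize_names(data)
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", text))
            for k in KEYWORDS}

def extract_streams(data: bytes) -> list:
    """Return every stream body, inflated when its dictionary says /FlateDecode;
    a stream that fails to inflate is scanned as raw bytes."""
    out = []
    for dict_part, body in STREAM.findall(data):
        if b"/FlateDecode" in dict_part:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass
        out.append(body)
    return out

def suspicious_color_ops(stream: bytes) -> list:
    """Report colour operators whose operand list is longer than any colour
    space allows or contains tokens that are not numbers."""
    findings, operands = [], []
    for tok in re.split(rb"[\x00\t\n\x0c\r ]+", stream.strip()):
        if not tok:
            continue
        if not OPERATOR.match(tok):
            operands.append(tok)
            continue
        if tok in COLOR_OPS:
            ops = operands
            if tok in (b"scn", b"SCN") and ops and ops[-1].startswith(b"/"):
                ops = ops[:-1]                 # a trailing pattern name is legal
            bad = [o for o in ops if not NUMBER.match(o)]
            if len(ops) > MAX_COMPONENTS or bad:
                findings.append({"op": tok.decode(), "operands": len(operands),
                                 "non_numeric": len(bad)})
        operands = []                          # every operator consumes its operands
    return findings

def triage(data: bytes) -> dict:
    """Combine the indicators into one report; the weights are an assumption."""
    streams = extract_streams(data)
    color = [f for s in streams for f in suspicious_color_ops(s)]
    kw = count_keywords(data)
    score = (sum(1 for k in ("/JavaScript", "/JS", "/OpenAction", "/AA") if kw[k])
             + (2 if color else 0) + (1 if kw["/EmbeddedFile"] else 0))
    return {"keywords": kw, "streams": len(streams),
            "suspicious_color_ops": color, "score": score}

def build_sample() -> bytes:
    """Constructed sample: escaped /JavaScript action run by /OpenAction, an
    embedded decoy, 48 numeric operands (a stand-in, not real shellcode) before
    scn, and four raw bytes before g."""
    payload = b" ".join(b"%d" % ((i * 37 + 11) % 256) for i in range(48))
    content = (b"q 0.2 0.4 0.6 rg 10 10 m 100 100 l S 0 0 0 1 k " + payload
               + b" scn \x90\x90\xeb\x1f 0.5 g Q")
    packed, decoy = zlib.compress(content), b"%PDF-1.4\n% harmless decoy\n"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R "
        b"/Names << /EmbeddedFiles << /Names [(decoy.pdf) 6 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 5 0 R >>",
        b"<< /S /Java#53cript /JS (app.alert\\(1\\);) >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
        b"<< /Type /EmbeddedFile /Length %d >>\nstream\n" % len(decoy)
        + decoy + b"\nendstream",
    ]
    body = b"".join(b"%d 0 obj\n" % (n + 1) + o + b"\nendobj\n"
                    for n, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
```

Run triage(build_sample()) and the sample scores 6: three action keys, the embedded file, and two flagged colour operators (scn with 48 operands, g with a raw-byte operand). This is a lexical heuristic, not a PDF parser: strings and arrays are split on whitespace, object streams and cross-reference streams are not unpacked, and a real document should go through a proper PDF library afterwards. The point it makes is the one the researchers raise: a payload hidden in operands that the reader tolerates but the format does not allow still stands out to a scanner that checks operand shape rather than looking for a download stage.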
Commenting on the latest PDF attack, security experts at the SANS Institute's Internet Storm Center said it showed how far malware authors were prepared to go to make detection difficult for both victims and anti-virus vendors.
End users are also warned that, in targeted attacks, these malicious PDFs can fool the recipient into believing the decoy document was simply sent to them by mistake.
Finally, Secunia, the Danish vulnerability clearinghouse, has rated the security flaw "extremely critical."
Related article: PDF flaw gets fixed with Adobe patch
» SPAMfighter News - 14-01-2010