
Avast uncovers new encrypted PDF attack vector

28 April 2011

The head virus researcher at Avast claims to have discovered a new Adobe PDF attack vector used by hackers. The vector, he reports, centres on the misuse of a filter that is intended only for black and white images to encrypt text data.

According to Jiri Sejtko, the trick allows the creators of malicious PDF files to slide them past almost all AV scanners.

Anyone, he says, can create valid PDF files where the data uses – for example – five different filters or five layers of the same filter.

"All of these features are based on extremely liberal specifications, a fact which allows bad guys to utilise malicious files in a way that does not allow antivirus scanners access to the real payload", he says in his latest security blog.

"The filter used to encrypt text data is meant to be used only for black and white images. And apart from Avast, probably no other AV scanner is currently able to decode the payload because no other AV can detect those PDF files", he adds.

The esoteric attack vector centres on the misuse of the JBIG2 encoding mechanism, which provides for both lossy and lossless compression, and is, Sejtko notes, useful only for monochrome images.

By manipulating the JBIG2 pixels within an image that is itself embedded in a PDF file, hackers appear to have discovered a new method of obfuscating (hiding) malware within the PDF without triggering conventional IT security software.

This means, Infosecurity notes, that a TTF font data set can be hidden under a JBIG2 stream.

The good news, however, is that Sejtko has detailed the attack methodology in his security blog, including the fingerprint code needed to allow most AV software to look for the relevant signatures.
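The detection idea the article describes (a monochrome-image filter such as JBIG2Decode applied to a non-image stream, and unusually deep or repeated filter chains) can be expressed as a simple static triage check over a PDF's stream dictionaries. The script below is an added example, not Avast's fingerprint code or anything from Sejtko's blog. It assumes that uncompressed object syntax is visible in the file, uses a constructed sample PDF embedded inline, and treats the filter-depth threshold and the "image-only filter" list as assumptions of this example rather than published rules.

```python
import re
from dataclasses import dataclass

# Filters whose output is only meaningful as image data. JBIG2 in particular
# is a monochrome-image codec, so seeing it on a font or text stream is odd.
# (Assumed list for this example.)
IMAGE_ONLY_FILTERS = {"JBIG2Decode", "CCITTFaxDecode", "DCTDecode", "JPXDecode"}

# Benign documents rarely stack more than two filters; the article describes
# five layers being used. (Assumed threshold for this example.)
MAX_FILTER_DEPTH = 2

# Match "N G obj << ... >> stream", allowing one level of nested dictionary.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(<<(?:[^<>]|<<[^<>]*>>)*>>)\s*stream")
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/[A-Za-z0-9]+)")
NAME_RE = re.compile(rb"/([A-Za-z0-9]+)")


@dataclass
class Finding:
    obj_num: int
    filters: list
    reasons: list


def parse_filters(stream_dict: bytes) -> list:
    """Return the filter chain of a stream dictionary, in application order.
    /Filter may be a single name or an array of names."""
    m = FILTER_RE.search(stream_dict)
    if not m:
        return []
    return [n.decode() for n in NAME_RE.findall(m.group(1))]


def audit_pdf(data: bytes) -> list:
    """Flag stream objects whose filter usage matches the abuse pattern."""
    findings = []
    for m in OBJ_RE.finditer(data):
        obj_num = int(m.group(1))
        stream_dict = m.group(3)
        filters = parse_filters(stream_dict)
        reasons = []

        is_image = re.search(rb"/Subtype\s*/Image", stream_dict) is not None
        if any(f in IMAGE_ONLY_FILTERS for f in filters) and not is_image:
            reasons.append("image-only filter on a non-image stream")
        if len(filters) > MAX_FILTER_DEPTH:
            reasons.append(f"filter chain depth {len(filters)}")
        if len(set(filters)) < len(filters):
            reasons.append("same filter applied more than once")

        if reasons:
            findings.append(Finding(obj_num, filters, reasons))
    return findings


# Constructed sample: object 4 is a legitimate JBIG2 image, object 6 is a
# FontFile2-style stream (note /Length1) hidden behind a stacked JBIG2 chain,
# object 7 is an ordinary Flate-compressed stream. The stream bodies are dummies.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
4 0 obj
<< /Type /XObject /Subtype /Image /Width 8 /Height 8 /BitsPerComponent 1 /ColorSpace /DeviceGray /Filter /JBIG2Decode /Length 4 >>
stream
\x00\x00\x00\x01
endstream
endobj
5 0 obj
<< /Type /FontDescriptor /FontName /Hidden /FontFile2 6 0 R >>
endobj
6 0 obj
<< /Length 4 /Length1 4 /Filter [/FlateDecode /FlateDecode /JBIG2Decode] >>
stream
\x00\x00\x00\x01
endstream
endobj
7 0 obj
<< /Length 4 /Filter /FlateDecode >>
stream
abcd
endstream
endobj
%%EOF
"""

if __name__ == "__main__":
    for f in audit_pdf(SAMPLE_PDF):
        print(f"obj {f.obj_num}: filters={f.filters}")
        for r in f.reasons:
            print(f"  - {r}")
```

Run against the sample, only object 6 is reported, with all three reasons. The check is deliberately shallow: it does not decode JBIG2, so it cannot say what the hidden payload is, and it will miss objects that live inside compressed object streams or use hex strings in their dictionaries; it is a triage signal to route a file to a full parser, not a verdict.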


Comments

ShawnaMcAlearney says:

06 May 2011
It's a pity so few AV products can detect such a threat. However, "experts" that claim they are protecting users of their products from attacks should really get with the program and stop blaming a file format for their own inadequacies. AV vendors should have anticipated this attack vector quite a while ago. There's an interesting article (http://www.appligent.com/talkingpdf-antivirus-developers-dropped-the-ball-pdf-is-not-a-surprise) on that perspective by a PDF expert.

