Security researchers have identified a new trick in PDF files being sent as email attachments that obfuscate attack code by encoding it inside an image file.
When the attachments were opened under Adobe 8.1.1 or Adobe 9.3, the compromised computer would connect to a remote site and download malware, usually SpyEye, ZBot or FakeAV, Paul Baccas, a senior threat researcher at Sophos Labs, wrote on the company’s Naked Security blog on April 15.
“The PDFs did not seem to be using any exploit that I could see and yet they were downloading malware,” wrote Baccas.
It turned out these files were using a new trick to re-exploit the CVE-2010-0188 vulnerability Adobe had patched over a year ago on Feb. 16, 2010, according to Baccas.
The exploit is specific to Reader and would not execute in Google Chrome’s PDF Plugin, Jiri Sejtko, a senior virus analyst and researcher at Avast Software, wrote on the company blog April 22. While that’s a good sign, Chrome generally asks users if it should open the file in Reader if it can’t display the file correctly. In this day and age, many users would likely say yes, making them vulnerable, according to Sejtko.
The PDF specifications allow several filters to be used on raw data, either singly or in conjunction with each other, Sejtko said. Anyone can create valid PDF files where the data uses five different filters, or even multiple layers of the same filter. This allows malware authors to embed malicious code deep inside the filters, out of reach of even the most aggressive scanner.
“Our parser was unable to get any suitable content that we could define as malicious,” Sejtko said.
Files exploiting this vulnerability normally use an XML file that contains the raw data for a TIFF image file containing highly obfuscated code, Baccas said. In this case, the attackers were using parameters to control how the filters operate and crafting the attack code embedded in the raw data to conform to these parameters.
The filter being used to encrypt the malicious code was also meant to be used only for black and white images. The exploit detected by Avast researchers combined two filters, one for text and one for images, to hide the payload.
Compared to other attacks, this attack is seen in “only a very small number” of attacks, Sejtko said, but has also been used in targeted attacks. While the CVE-2010-0188 flaw has been closed in current versions of Adobe Reader, users on older and unpatched versions of the software remain vulnerable to these malicious PDF files.
LINK TO OUR HOME PAGE :