The Fight Against Malicious PDFs Using the ASCII85Decode Filter

Updated: 23 Jun 2010
Takashi Katsuki

Because PDF-related threats are on the increase in the wild, my colleagues and I have been focusing on the investigation into new ways to stop these threats. The majority of PDF-related exploits can be categorized into two areas.

The first method involves camouflaging the PDF file structure, and the second involves obfuscating the enclosed JavaScript. With the former, filters (such as the ASCIIHexDecode filter) are used to transform the file content so that antivirus engines are confused and signature-based detection is defeated. With the latter, the exploit code injected into the PDF file is encrypted or obfuscated, making it impossible to distinguish from clean JavaScript.

Of these two types of exploit, the vast majority of threats in the wild are of the obfuscated-JavaScript variety. That’s because it is difficult to alter a PDF file while still adhering to the PDF file format, which limits what can be done. By contrast, obfuscating the JavaScript embedded in a PDF is simple, so there is no limit to the ways in which that JavaScript can be encrypted or packed.

One of the recent discoveries in the wild involved the use of the ASCII85Decode filter, a relatively new encoding to see used for this purpose. Like BASE64, the ASCII85 algorithm represents binary data as printable ASCII characters, encoding every four bytes as five characters. The ASCII85Decode filter is defined in the PDF specification and is used in PDFs in the following way:

[Image: the ASCII85Decode filter as it appears in a PDF stream dictionary]

Of course, the ASCII85Decode filter is not a vulnerability in itself, but it can be used to evade detection by antivirus software. This is not the first time a filter has been used to circumvent antivirus detection; we have seen the ASCIIHexDecode filter used in this way in the past. In the following example, the ASCII85Decode filter and the FlateDecode filter are both used. Decoding both filters revealed the following JavaScript embedded in the stream:

[Image: the decoded stream with its embedded JavaScript]
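As an added example (not code from the original post), here is a small Python decoder for the ASCII85Decode filter as the PDF specification defines it, chained with FlateDecode in the order the sample above uses them. The PDF object it processes is constructed here and carries a harmless script; it is not the malicious file discussed in the post, and the regex-based stream extraction assumes a simple single-object layout.

```python
import re
import zlib
import base64

def ascii85_decode(data: bytes) -> bytes:
    """PDF ASCII85Decode: 5 chars in '!'..'u' -> 4 bytes; 'z' -> 4 zero bytes; '~>' ends the data."""
    data = re.sub(rb"\s+", b"", data.split(b"~>", 1)[0].removeprefix(b"<~"))  # drop EOD marker, whitespace
    out, group = bytearray(), []
    for c in data:
        if c == 0x7A and not group:          # 'z' shortcut for 0x00000000 (only legal between groups)
            out += b"\0\0\0\0"
            continue
        if not 0x21 <= c <= 0x75:
            raise ValueError(f"invalid ASCII85 byte {c:#x}")
        group.append(c - 0x21)
        if len(group) == 5:
            out += _group_to_bytes(group, 4)
            group = []
    if group:                                # trailing partial group of 2..4 chars
        if len(group) == 1:
            raise ValueError("single trailing ASCII85 character")
        keep = len(group) - 1
        group += [84] * (5 - len(group))     # pad with 'u', then keep len-1 output bytes
        out += _group_to_bytes(group, keep)
    return bytes(out)

def _group_to_bytes(digits, keep: int) -> bytes:
    value = 0
    for d in digits:
        value = value * 85 + d
    return value.to_bytes(4, "big")[:keep]   # OverflowError if the group exceeds 2**32-1

FILTERS = {b"ASCII85Decode": ascii85_decode, b"FlateDecode": zlib.decompress}

def decode_stream(obj: bytes) -> bytes:
    """Apply a stream object's /Filter chain (single name or array) in the listed order."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/\w+)", obj)
    names = re.findall(rb"/(\w+)", m.group(1)) if m else []
    body = re.search(rb"stream\r?\n(.*?)\r?\nendstream", obj, re.S).group(1)
    for name in names:
        body = FILTERS[name](body)           # KeyError means a filter this example does not handle
    return body

# Constructed sample (not from the post): a harmless script compressed with FlateDecode,
# then ASCII85-encoded, i.e. the two-filter chain the post describes.
SCRIPT = b"app.alert('constructed sample');"
SAMPLE_OBJ = (b"7 0 obj\n<< /Filter [/ASCII85Decode /FlateDecode] >>\nstream\n"
              + base64.a85encode(zlib.compress(SCRIPT), adobe=True, wrapcol=60)
              + b"\nendstream\nendobj")
```

Running `decode_stream(SAMPLE_OBJ)` returns the original script, which is the point at which a scanner or analyst can inspect what the filter chain was hiding.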

If this PDF is opened in Adobe Reader (or inside a Web browser), the above JavaScript executes. However, in this state it is still obfuscated and the malicious code cannot be read. After further analysis of the code, we can see the following JavaScript:

[Image: the de-obfuscated JavaScript]

This JavaScript exploits a combination of the following three vulnerabilities, depending on the version of Adobe Reader:

・util.printf (CVE-2008-2992)
・Collab.collectEmailInfo (CVE-2007-5659)
・Collab.getIcon (CVE-2009-0927)

As a result, Adobe Reader is exploited and the following shellcode is executed. This shellcode downloads a file from a malicious site and executes it:

[Image: the shellcode]

Symantec detects this PDF file as Bloodhound.Exploit.196. To avoid attacks such as these, we recommend that you always use the latest versions of software, such as Adobe Reader and Foxit Reader, to open PDF files. As always, be certain to keep your antivirus software and definitions up to date.