New PDF exploit hiding technique tricks antivirus engines

Researchers from AVAST warn of a new technique used by PDF exploits to evade antivirus detection. It relies on encoding the malicious code as an image object.

AVAST first encountered this technique in a malicious PDF file a month ago and has seen it used in limited, but also targeted, attacks since then. “This story began when we found a new, previously unseen, PDF file a month ago. It wasn’t detected by us or by any other AV company,” a senior antivirus analyst at AVAST wrote on the company’s blog. “[…] Its originating URL address was quite suspicious and soon we confirmed the exploitation and system infection caused by just opening this document. But our parser was unable to get any suitable content that we could define as malicious,” he added. It turned out there was no JavaScript stream in this file.
One of the only two objects referenced by an XFA array was decoded, analyzed, and quickly eliminated. The researchers then observed that the remaining one required two filters, FlateDecode and JBIG2Decode. FlateDecode is common, but JBIG2Decode is normally used to decode monochrome image data, and this is where the attackers chose to store the JavaScript code.

As it turns out, JBIG2Decode can be applied to any object stream, an unusual behavior that the AVAST developers, and probably those at other vendors as well, did not anticipate when writing their PDF parser. This particular file attempted to exploit an older Adobe Reader vulnerability, CVE-2010-0188, discovered in 2010 and patched in current versions of the program.

“Based on the information from the avast! Virus Lab logs, this new trick is currently used in only a very small number of attacks […] and that is probably the reason why no one else is able to detect it,” the analyst wrote. Since the PDF parser was updated to decode JBIG2-encoded objects, the AV vendor has spotted the technique in other PDF files as well. However, because those also contained regular malicious code, they were already detected.
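As an added defender-side illustration (not AVAST's parser or any code from the article), the following simplified scanner flags the pattern described above: a stream whose /Filter chain includes JBIG2Decode although the object is not an image XObject, with a reference from an /XFA array recorded as a second signal. The PDF bytes are constructed placeholders, not a real exploit document.

```python
import re
# Constructed sample, not a real exploit. Object 4 carries an XFA array;
# 5 is an ordinary XFA packet; 6 is the non-image stream chaining
# FlateDecode + JBIG2Decode, as in the article; 7 is a genuine JBIG2 image.
SAMPLE_PDF = b"""%PDF-1.6
4 0 obj
<< /XFA [ (template) 5 0 R (datasets) 6 0 R ] >>
endobj
5 0 obj
<< /Filter /FlateDecode /Length 3 >>
stream
XML
endstream
endobj
6 0 obj
<< /Filter [ /FlateDecode /JBIG2Decode ] /Length 4 >>
stream
DATA
endstream
endobj
7 0 obj
<< /Type /XObject /Subtype /Image /Width 8 /Height 8 /Filter /JBIG2Decode /Length 4 >>
stream
IMG0
endstream
endobj
"""
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)  # one indirect object
DICT_RE = re.compile(rb"<<(.*?)>>\s*stream", re.S)           # dictionary of a stream
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")      # single filter or array
XFA_RE = re.compile(rb"/XFA\s*\[(.*?)\]", re.S)              # XFA array contents
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R")                     # indirect references

def find_suspicious_jbig2_streams(pdf: bytes) -> dict:
    """Object number -> reasons, for streams filtered with JBIG2Decode that are
    not image XObjects. Simplified: no nested dicts or object streams."""
    xfa_refs = {int(n) for arr in XFA_RE.findall(pdf) for n in REF_RE.findall(arr)}
    hits = {}
    for num, body in OBJ_RE.findall(pdf):
        d = DICT_RE.search(body)
        f = FILTER_RE.search(d.group(1)) if d else None
        if not f or b"/JBIG2Decode" not in f.group(1):
            continue                                    # no stream, or no JBIG2 filter
        if re.search(rb"/Subtype\s*/Image", d.group(1)):
            continue                                    # JBIG2 on image data is normal
        reasons = ["JBIG2Decode filter on a non-image stream"]
        if int(num) in xfa_refs:
            reasons.append("referenced from an /XFA array")
        hits[int(num)] = reasons
    return hits
```

A production parser would also need to decode the flagged stream (inflate, then JBIG2) and hand the result to the JavaScript scanner, which is the gap the article says the vendor closed.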
Source: Antivirus-Engines-196659.shtml