
Showing posts from September, 2010

Trick for finding the embedded exe's in PDFs

One of the common traits of a lot of PDF malware is that the embedded executable is put into an object stream and marked with a compression filter such as FlateDecode, but the stream is rarely actually compressed. We now mark objects in the PDF Examiner online tool whose raw stream doesn't correctly inflate in brown, to denote the potential inclusion of an executable attachment. In most cases the "fake" stream contains an XORed exe file, or sometimes additional clean PDFs which are dropped at exploit time.

In the example below, you can see that object 64 contains a stream which was marked as FlateDecode, but it is listed in brown to denote that it did not contain a valid zlib-compressed stream. In the hex view we can see the pattern of a 256 byte XOR key showing through the executable's whitespace (you can then use the XOR key to statically extract the executable for analysis).
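As an added illustration of the two steps above (this is example code written for this page, not code from the original post or from the PDF Examiner tool), the Python below carves the streams out of a small constructed PDF, flags every stream that declares /FlateDecode but does not inflate, reports it as [object number].[generation number] @ file offset, and then recovers the repeating XOR key from the executable's null padding, the "whitespace" the post refers to. The 256-byte key length, the sample PDF and the PE-like payload are all assumptions constructed here.

```python
import re
import zlib
from collections import Counter

# Constructed 256-byte XOR key (assumption: the key repeats every 256 bytes,
# matching the sample described in the post).
KEY = bytes((i * 7 + 3) & 0xFF for i in range(256))


def build_fake_exe() -> bytes:
    """Constructed PE-like plaintext: DOS header, a short text region and a lot of
    zero padding. The padding is the 'whitespace' that leaks the key once XORed."""
    body = bytearray(4096)
    body[0:2] = b"MZ"
    msg = b"This program cannot be run in DOS mode."
    body[0x40:0x40 + len(msg)] = msg
    body[0x80:0x82] = b"PE"
    body[0x400:0x405] = b".text"
    return bytes(body)


def xor_repeat(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_pdf() -> bytes:
    """Constructed PDF fragment: object 5 is genuinely deflated, object 64 claims
    /FlateDecode but really holds the XORed executable."""
    good = zlib.compress(b"BT /F1 12 Tf 72 720 Td (hello) Tj ET")
    fake = xor_repeat(build_fake_exe(), KEY)
    return (
        b"%PDF-1.4\n"
        + b"5 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(good)
        + good + b"\nendstream\nendobj\n"
        + b"64 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(fake)
        + fake + b"\nendstream\nendobj\n"
        + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )


# "N G obj << ... >> stream": the dictionary part is tempered so it cannot run
# past an 'endobj' into the next object when an object has no stream.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.DOTALL)
# Direct /Length only; an indirect "/Length 12 0 R" is deliberately not matched.
LEN_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def looks_deflated(data: bytes) -> bool:
    """Try zlib-wrapped and raw deflate so a header-less stream is not flagged as fake."""
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            zlib.decompress(data, wbits)
            return True
        except zlib.error:
            continue
    return False


def find_fake_flate_streams(pdf: bytes):
    """Return [(objnum, gen, offset, raw_stream)] for streams that declare /FlateDecode
    but do not inflate, i.e. the objects the post paints brown."""
    found = []
    for m in OBJ_RE.finditer(pdf):
        objnum, gen, dictionary = int(m.group(1)), int(m.group(2)), m.group(3)
        if b"/FlateDecode" not in dictionary:
            continue
        start = m.end()
        length = LEN_RE.search(dictionary)
        if length:
            data = pdf[start:start + int(length.group(1))]
        else:  # indirect /Length: fall back to the endstream keyword
            data = pdf[start:pdf.find(b"endstream", start)].rstrip(b"\r\n")
        if not looks_deflated(data):
            found.append((objnum, gen, m.start(), data))
    return found


def recover_xor_key(data: bytes, key_len: int = 256) -> bytes:
    """For each key position, the most frequent ciphertext byte is almost always
    key[i] XOR 0x00, because an executable's padding is dominated by null bytes."""
    return bytes(Counter(data[i::key_len]).most_common(1)[0][0] for i in range(key_len))


def extract_embedded_exe(pdf: bytes):
    """Recover the key for every fake stream and keep those that decrypt to an 'MZ' header."""
    results = []
    for objnum, gen, offset, data in find_fake_flate_streams(pdf):
        key = recover_xor_key(data)
        plain = xor_repeat(data, key)
        if plain.startswith(b"MZ"):
            results.append((f"{objnum}.{gen} @ {offset}", key, plain))
    return results


if __name__ == "__main__":
    for label, key, plain in extract_embedded_exe(build_sample_pdf()):
        print(f"object {label}: recovered {len(key)}-byte key, payload starts {plain[:2]!r}")
```

The key recovery only works when every 256-byte slice of the plaintext is mostly nulls; for a small or densely packed payload, check the decrypted output (the MZ signature, then the PE header) before trusting the key, and try other key lengths if the 256-byte assumption does not hold.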

PDF Malware Threat Overview - list of common vulnerabilities

We've created a new comprehensive Malware Tracker chart for the current state of PDF threats from Adobe Reader / Acrobat and embedded Flash exploits. Check out the chart here. We'll be keeping the page up to date with new threats as they develop and are patched. Links to analysis in our PDF Examiner tool are also included on real live malware samples.


PDF Examiner New Features

Added support for multiple objects of the same ID - objects will now be displayed by [object number].[generation number] @ file location bytes. This should enhance the way PDF files with duplicate objects are viewed. PDF Examiner

PDF Examiner New Features

Added a lot of enhancements for dealing with obfuscated JavaScript, including showing objects which may contain JavaScript but have no detected entities as orange. Check out the PDF Examiner.

Visualizing Embedded Executables Teaser and PDF Updates

Since we generally like to tease about what we're working on next, as we get too excited to wait for the public release, here's something we think is pretty neat. We decided to play around with visualization for some recent cryptanalysis work on some Microsoft Office .doc, PowerPoint and Excel files.

Take a look at the lines in the below chart. The green horizontal line represents a frequency plot of the top character occurrences over a 256-byte spectrum in an Office document which contained a one-byte XOR'ed embedded executable virus. The red line is even more interesting: it represents the same, but where a 256-byte XOR key was used to hide the malware. The blue scatter is the statistical analysis of a clean document with no malware. We thought it was pretty neat that when you visualize your cryptanalysis, the documents with malware came up with straight lines in a lot of cases, and clean documents look almost random. More to come in the form of blazing fast cryptanalysis and…
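To make the chart concrete, here is an added example (written for this page, not the Malware Tracker code behind the chart) that computes the "top character occurrence" at each of the 256 positions and turns the visual impression into a number: the fraction of neighbouring positions that share the same step. A single-byte key gives step 0 everywhere (the horizontal green line), an incrementing 256-byte key gives step 1 everywhere (the sloped red line), and random-looking data scatters (the blue dots). The plaintext, the keys and the 0.9 threshold are constructed assumptions.

```python
import random
from collections import Counter


def build_plaintext(size: int = 65536) -> bytes:
    """Constructed stand-in for an embedded executable: mostly zero padding with
    about 10% scattered non-zero bytes."""
    rng = random.Random(1)
    body = bytearray(size)
    body[0:2] = b"MZ"
    for _ in range(size // 10):
        body[rng.randrange(size)] = rng.randrange(1, 256)
    return bytes(body)


def build_clean(size: int = 65536) -> bytes:
    """Constructed 'clean' document body: pseudo-random bytes, as compressed
    Office content looks to a byte histogram."""
    rng = random.Random(7)
    return bytes(rng.randrange(256) for _ in range(size))


def xor_repeat(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed incrementing 256-byte key, the kind that draws a straight sloped line.
INC_KEY = bytes((0x10 + i) & 0xFF for i in range(256))


def spectrum(data: bytes, width: int = 256):
    """The post's frequency plot: the most frequent byte at each key position 0..width-1."""
    return [Counter(data[i::width]).most_common(1)[0][0] for i in range(width)]


def line_score(spec):
    """(dominant step, fraction of adjacent positions with that step), steps taken mod 256.
    1.0 means the plotted points lie on one straight line."""
    steps = [(b - a) % 256 for a, b in zip(spec, spec[1:])]
    step, count = Counter(steps).most_common(1)[0]
    return step, count / len(steps)


def classify(data: bytes, threshold: float = 0.9) -> str:
    """Triage label from the shape of the spectrum (threshold is an assumption)."""
    step, score = line_score(spectrum(data))
    if score < threshold:
        return "scatter: no repeating-key XOR signal"
    if step == 0:
        return "horizontal line: single-byte XOR candidate"
    return f"sloped line: 256-byte key with constant step {step}"


if __name__ == "__main__":
    plain = build_plaintext()
    for name, sample in (("one-byte XOR", xor_repeat(plain, b"\x5a")),
                         ("256-byte XOR", xor_repeat(plain, INC_KEY)),
                         ("clean", build_clean())):
        print(f"{name:12s} -> {line_score(spectrum(sample))} {classify(sample)}")
```

A document that is itself mostly padding (long runs of 0x00 or spaces in an uncompressed file) also produces a horizontal line, so the spectrum is a triage signal that points at which file and which byte positions to look at, not a verdict; confirm by decoding and checking for a real executable header as in the PDF example above.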

PDF Examiner

Added a few updates to the PDF Examiner: checking object parameters for exploits, such as /Launch etc. Working on more encryption methods; if you have any Revision 1 or 3 samples, send them over to us. Bug fixes: check streams with no encoding methods for known exploits.