Criminals have started using an obscure image filter to make malicious PDF files all but invisible to many antivirus programs, Czech security firm AVAST Software said.
The trick involves hiding a common Adobe Reader exploit inside a PDF (Portable Document Format) file by encoding it with the JBIG2Decode filter, normally used to minimize file sizes when embedding monochrome TIFF (Tagged Image File Format) images inside PDFs .
Because the content appears to antivirus software as a harmless two-dimensional TIFF image, the malicious exploit goes unnoticed.
“Who would have thought that a pure image algorithm might be used as a standard filter on any object stream you want?” said AVAST virus analyst, Jiri Sejtko, in a blog. “And that’s the reason why our scanner wasn’t successful in decoding the original content — we hadn’t expected such behavior.”
Part of the problem was the scope offered by the PDF specification to use filters such as JBIG2Decode in unusual ways, and even to use several of them at once in a layered fashion, he said.
The TIFF vulnerability being targeted is CVE-2010-0188 from February 2010, which affects Adobe Reader 9.3 or earlier versions running on Windows, Mac and Unix. Current versions, Reader X 10.x, are not affected although many users will still be using older versions.
In addition, AVAST researchers believe the same JBIG2Decode filter technique is being used to hide other exploits, including , a TrueType font exploit from September 2010 affecting Reader 9.3.4 running on all platforms.
“We have seen this nasty trick being used in a targeted attack and have seen it used so far in a relatively small number of general attacks. That is probably why no one else is able to detect it,” said Sejtko. Avast had now updated its software to detect the JBIG2Decode attack.
Techniques that mask exploits in this way will remain relatively demanding for antivirus scanners to pick up because they require the ruse to be unpicked using a dedicated algorithm rather than a simple signature.
Sejtko said that AVAST researchers would discuss the use of filters to hide exploits at the forthcoming Caro 2011 Workshop held in Prague on May 5-6. http://www.caro2011.org/
