Avast Software finds PDF exploit

Criminals have started using an obscure image filter to make malicious PDF files all but invisible to many antivirus programs, Czech security firm AVAST Software said.

The trick involves hiding a common Adobe Reader exploit inside a PDF (Portable Document Format) file by encoding it with the JBIG2Decode filter, normally used to minimize file sizes when embedding monochrome TIFF (Tagged Image File Format) images inside PDFs.

Because the content appears to antivirus software as a harmless two-dimensional TIFF image, the malicious exploit goes unnoticed.

“Who would have thought that a pure image algorithm might be used as a standard filter on any object stream you want?” said AVAST virus analyst, Jiri Sejtko, in a blog. “And that’s the reason why our scanner wasn’t successful in decoding the original content — we hadn’t expected such behavior.”

Part of the problem was the scope offered by the PDF specification to use filters such as JBIG2Decode in unusual ways, and even to use several of them at once in a layered fashion, he said.

The TIFF vulnerability being targeted is CVE-2010-0188 from February 2010, which affects Adobe Reader 9.3 or earlier versions running on Windows, Mac and Unix. Current versions, Reader X 10.x, are not affected although many users will still be using older versions.

In addition, AVAST researchers believe the same JBIG2Decode filter technique is being used to hide other exploits, including , a TrueType font exploit from September 2010 affecting Reader 9.3.4 running on all platforms.

“We have seen this nasty trick being used in a targeted attack and have seen it used so far in a relatively small number of general attacks. That is probably why no one else is able to detect it,” said Sejtko. Avast has now updated its software to detect the JBIG2Decode attack.

Techniques that mask exploits in this way will remain relatively demanding for antivirus scanners to pick up because they require the ruse to be unpicked using a dedicated algorithm rather than a simple signature.
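As an added illustration (not AVAST's scanner code), the Python sketch below shows a triage check a defender could run before any decoding: it lists stream objects that name JBIG2Decode in their filter chain without being declared as image XObjects, and reports the full chain so layered filters are visible. The function name, regexes and sample bytes are assumptions constructed for this example, and the check only sees top-level objects, not ones packed inside compressed object streams.

```python
import re

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/[^\s/<>\[\]()]+)")
NAME_RE = re.compile(rb"/([^\s/<>\[\]()]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
IMAGE_RE = re.compile(rb"/Subtype\s*/Image\b")


def suspicious_streams(pdf: bytes):
    """Return (object number, filter chain) for every stream that applies
    JBIG2Decode to something not declared as an image XObject."""
    findings = []
    for m in OBJ_RE.finditer(pdf):
        head, keyword, _ = m.group(2).partition(b"stream")
        if not keyword:
            continue  # object has no stream, nothing to filter
        # PDF names may be written with #xx escapes; normalise before comparing.
        head = HEX_RE.sub(lambda h: bytes([int(h.group(1), 16)]), head)
        fm = FILTER_RE.search(head)
        if not fm:
            continue  # unfiltered stream
        chain = [n.decode("latin-1") for n in NAME_RE.findall(fm.group(1))]
        if "JBIG2Decode" in chain and not IMAGE_RE.search(head):
            findings.append((int(m.group(1)), chain))
    return findings


def _obj(num, dictionary):
    # Constructed sample object; the stream body is a two-byte placeholder.
    return (b"%d 0 obj\n<< %s /Length 2 >>\nstream\nxx\nendstream\nendobj\n"
            % (num, dictionary))


SAMPLE_PDF = b"%PDF-1.4\n" + b"".join([
    _obj(1, b"/Type /XObject /Subtype /Image /Filter /JBIG2Decode"),  # normal use
    _obj(2, b"/Filter [/FlateDecode /JBIG2Decode]"),  # layered, not an image
    _obj(3, b"/Filter /JBIG2#44ecode"),               # escaped name, not an image
    _obj(4, b"/Filter /FlateDecode"),                 # ordinary compressed stream
])

if __name__ == "__main__":
    for num, chain in suspicious_streams(SAMPLE_PDF):
        print(f"object {num}: JBIG2Decode on non-image stream, chain={chain}")
```

A hit is a reason to decode and inspect the stream, not a verdict by itself.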

Sejtko said that AVAST researchers would discuss the use of filters to hide exploits at the forthcoming Caro 2011 Workshop held in Prague on May 5-6. http://www.caro2011.org/
