Sophisticated techniques used to thwart AV detection

Jan 5, 2010 16:02 GMT  ·  By

Security researchers have encountered a malicious PDF exploiting an unfixed vulnerability in Adobe Reader and Acrobat, which makes use of complex techniques in order to avoid detection. The document is believed to be part of a highly targeted attack.

The malicious file has been analyzed by Bojan Zdrnja, a security researcher with the Internet Storm Center, who notes that "Initially I even thought that it does not work, but after studying it a little bit, I found that this particular PDF document has some very interesting, sophisticated characteristics."

In particular, the JavaScript code used to exploit the Doc.media.newPlayer() vulnerability disclosed last month is only 38 bytes long, an unusually small size for such code. Mr. Zdrnja calls it "an egg-hunting shellcode," whose purpose is to evade antivirus detection.

At the time the researcher looked at the file, only six of the 41 antivirus engines on VirusTotal detected it, even though the regular exploit code for this vulnerability had been known for several weeks. Adobe plans to patch this hole next Tuesday during its scheduled security update cycle, but until then users have to rely on temporary mitigations, such as disabling JavaScript entirely, and on the reliability of their antivirus product.
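Because signature-based engines missed this sample, a defender-side triage step that flags the document's structure rather than its payload is worth having. The following Python script is an added illustration, not code from the article or from Zdrnja's analysis: it inflates FlateDecode streams and reports whether a PDF carries a JavaScript action, an automatic trigger, or a reference to media.newPlayer. The PDF bytes, the script body and the indicator names are all constructed here.

```python
import re
import zlib

# Constructed JavaScript body referencing the media.newPlayer API named in the
# article; it is an illustrative string, not the real exploit code.
_SAMPLE_JS = b"var p = media.newPlayer(null); util.printd('sample', new Date());"

def build_sample_pdf():
    """Build a constructed PDF-like byte string: an /OpenAction that runs a
    JavaScript action whose script body sits in a FlateDecode stream."""
    body = zlib.compress(_SAMPLE_JS)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body
            + b"\nendstream endobj\n%%EOF\n")

# Constructed benign control document: no actions, no scripts.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Count 0 >> endobj\n%%EOF\n")

# Indicators the triage step looks for; the names are this example's own.
INDICATORS = {
    "javascript_action": rb"/S\s*/JavaScript|/JS\b|/JavaScript\b",
    "auto_open": rb"/OpenAction|/AA\b",
    "newplayer_call": rb"media\.newPlayer",
}

def _stream_views(data):
    """Yield each stream body raw and, where it inflates, decompressed."""
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        raw = m.group(1)
        yield raw
        try:
            yield zlib.decompressobj().decompress(raw)
        except zlib.error:
            pass  # not FlateDecode or damaged; the raw view is still checked

def scan_pdf(data):
    """Return {indicator: bool} over the raw file plus inflated streams."""
    views = [data] + list(_stream_views(data))
    return {name: any(re.search(pat, v) for v in views)
            for name, pat in INDICATORS.items()}

def should_quarantine(hits):
    """A JavaScript action that fires automatically, or that touches the
    media.newPlayer API, is enough to pull the file aside for analysis."""
    return hits["javascript_action"] and (hits["auto_open"] or hits["newplayer_call"])
```

This only inspects FlateDecode streams and literal strings; scripts hidden behind other filters or assembled at runtime from fragments will not trip the newPlayer indicator, which is why the presence of any JavaScript action is already treated as a reason to look closer.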

The purpose of this attack is to drop and execute two binary files on the system. The first, called SUCHOST.EXE, is a backdoor client that can be used to control the infected computer. The second, temp.exe, does nothing more than drop and open an additional, benign PDF file called baby.pdf. This is meant to distract the user from the Adobe Reader crash caused by the exploit in the original PDF document.

This was most likely devised to attack a single individual or company, and the fact that it was sent around the holidays, when many files make their way into people's email inboxes, made it even less suspicious. "If we are to judge the new year by sophistication the attackers started using, it does not look too good," the SANS researcher concludes.