Apr 22, 2011 16:55 GMT

Researchers from Czech security vendor AVAST warn of a new technique used by PDF exploits to evade antivirus detection. It relies on encoding the malicious code as an image object.

AVAST first encountered this technique in a malicious PDF file a month ago and has seen it used in limited, but also targeted, attacks since then.

"This story began when we found a new, previously unseen, PDF file a month ago. It wasn’t detected by us or by any other AV company," Jiri Sejtko, a senior antivirus analyst at Avast, writes on the company's blog.

"[...] Its originating URL address was quite suspicious and soon we confirmed the exploitation and system infection caused by just opening this document. But our parser was unable to get any suitable content that we could define as malicious," he adds.

It turns out that there was no JavaScript stream in this file at all, even though PDF exploits normally rely on JavaScript heap spraying.

The XFA array referenced only two objects. One of them was decoded, analyzed and quickly ruled out. Researchers then observed that the remaining one required two filters to decode, FlateDecode and JBIG2Decode.

FlateDecode is common, but JBIG2Decode is normally used to decode monochrome image data, and this is where the attackers chose to store the JavaScript code.

As it turns out, JBIG2Decode can be applied to any object stream, not just image data, an unusual behavior that the AVAST developers, and probably those from other vendors as well, did not anticipate when coding their PDF parser.
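A detection check for exactly this parser blind spot, added here as an illustration and not code from AVAST or the article: it walks the stream objects of a PDF, collects each object's filter chain, and flags any stream that uses JBIG2Decode without declaring itself an image, or that is referenced from an /XFA array. The PDF skeleton, object numbers and stream bodies are constructed for the example.

```python
import re

# Constructed sample (no real payload): object 3 is an XFA template stream with
# the FlateDecode + JBIG2Decode chain the article describes; object 5 is a
# legitimate monochrome image that also uses JBIG2Decode and must not be flagged.
SAMPLE_PDF = b"""%PDF-1.6
1 0 obj
<< /Type /Catalog /AcroForm 2 0 R >>
endobj
2 0 obj
<< /XFA [(template) 3 0 R (datasets) 4 0 R] >>
endobj
3 0 obj
<< /Length 5 /Filter [/FlateDecode /JBIG2Decode] >>
stream
xxxxx
endstream
endobj
4 0 obj
<< /Length 3 /Filter /FlateDecode >>
stream
xxx
endstream
endobj
5 0 obj
<< /Type /XObject /Subtype /Image /Width 8 /Height 8 /Length 4 /Filter /JBIG2Decode >>
stream
xxxx
endstream
endobj
"""

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(<<.*?>>)\s*(stream)?", re.S)
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")
NAME_RE = re.compile(rb"/(\w+)")

def stream_filters(pdf):
    """Map object number -> (filter chain, raw dictionary) for stream objects."""
    out = {}
    for m in OBJ_RE.finditer(pdf):
        if not m.group(3):          # dictionary without a stream: skip
            continue
        dic = m.group(2)
        fm = FILTER_RE.search(dic)  # single /Name or [/Name /Name] array
        names = NAME_RE.findall(fm.group(1)) if fm else []
        out[int(m.group(1))] = ([n.decode() for n in names], dic)
    return out

def xfa_refs(pdf):
    """Object numbers referenced from the /XFA array, if the form has one."""
    m = re.search(rb"/XFA\s*\[(.*?)\]", pdf, re.S)
    return {int(n) for n in re.findall(rb"(\d+)\s+\d+\s+R", m.group(1))} if m else set()

def suspicious_jbig2(pdf):
    """JBIG2Decode on a non-image stream, or on anything XFA points at."""
    refs, hits = xfa_refs(pdf), []
    for num, (filters, dic) in stream_filters(pdf).items():
        if "JBIG2Decode" in filters:
            is_image = re.search(rb"/Subtype\s*/Image", dic) is not None
            if not is_image or num in refs:
                hits.append((num, filters))
    return hits
```

Run `suspicious_jbig2(SAMPLE_PDF)` to get `[(3, ['FlateDecode', 'JBIG2Decode'])]`; the image object 5 passes because it is declared as an image and is not an XFA target.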

This particular file attempted to exploit an older Adobe Reader vulnerability, CVE-2010-0188, discovered in 2010 and patched in current versions of the program.

"Based on the information from the avast! Virus Lab logs, this new trick is currently used in only a very small number of attacks [...] and that is probably the reason why no one else is able to detect it," Mr. Sejtko writes.

Since updating its PDF parser to decode JBIG2-encoded objects, the AV vendor has spotted the technique in other PDF files as well. However, because those files also contained conventional malicious code, they were already being detected.