May 27, 2011 14:07 GMT
PDF exploit expert Didier Stevens discusses the PDF malware landscape with Softpedia

One of the primary attractions at the Hack in the Box 2011 Amsterdam security conference last week was Didier Stevens' two-hour lab session on malicious PDF analysis.

The Belgian IT security consultant is seen as one of the industry's top PDF exploit experts and his analysis tools are used by researchers and companies world-wide. We considered that it's important to hear an informed opinion about the current state of PDF malware and fortunately Mr. Stevens agreed to an interview. We hope you'll enjoy reading it.

Softpedia: The number of PDF exploits seen in the wild during the past year seems to have decreased in favor of Java-based ones. Do you think cyber criminals are losing interest in PDF exploits?

Didier Stevens: I believe they do. The new Adobe Reader X makes it much harder to exploit, because when you use it on Windows Vista or Windows 7 it has a sandbox. If the attackers manage to get the exploit running inside the sandbox, they still have to find a way to escape from it before they can infect the machine.

Softpedia: Yes, but not a lot of people have upgraded to Adobe Reader X (10.0) yet.

Didier Stevens: That's true. But it's not only that. For example, Adobe Reader 9 now also supports DEP and ASLR so they also have to bypass those protection mechanisms. Only Adobe Reader 8 remains easy to exploit, and it's disappearing from the market.

Softpedia: As you mentioned, Adobe introduced sandboxing technology in Adobe Reader X and they already claim pretty good adoption numbers. Do you think this will put a definitive dent in the levels of PDF malware?

Didier Stevens: Yes, it will make a difference, because attackers will have to work harder to exploit those machines. Not only will they need an exploit that works inside the sandbox, but they will also need to find a way to escape the sandbox and it costs a lot more to do that.

Malware authors are not really interested in exploiting Adobe Reader itself. They use it to infect your machine. That's their target. Adobe Reader is a vector that used to be easy to exploit, but now that it requires more work and time, attackers will move on to other vulnerable applications.

Softpedia: Since implementing the sandbox, Adobe has begun delaying patches for vulnerabilities in Adobe Reader X on the basis that users are protected from exploits due to the new technology. Some security experts don't agree with this approach because it encourages people, especially system administrators, to delay deploying patches.

What is your opinion about this? Should Adobe release out-of-band patches for Adobe Reader X when there are zero-day attacks, or delay them until the next scheduled update cycle?

Didier Stevens: That is something that I expected from Adobe. I expected they would delay patches on new versions of Adobe Reader 10 for exploits they can mitigate with the sandbox. But I don't think it's a good idea. I think they should be as diligent in releasing new patches as they are for the other versions.

But I knew they were going to do that, because for them there is a cost involved. The more patches you need to deploy, the more testing you have to do, and tests cost money. So, delaying patches for Adobe Reader X is a cost-saving decision.

Softpedia: Don't you think it might be more about pressure from their customers, especially corporate clients that don't want to patch so often, than their own costs?

Didier Stevens: No, I don't think so, because they do not patch as often as Microsoft. Adobe releases patches every four months or when there is a need for out-of-band ones, while Microsoft does every month.

Softpedia: Yes, but out-of-band patches have become the norm at Adobe during the last couple of years and this affects the patch management process of its customers. Meanwhile, Microsoft's patching is uniform and predictable.

Didier Stevens: Yes, but someone from Adobe told me that they need to do more testing for their products than Microsoft, because they support more platforms. For example, I have an Adobe PDF Reader on my cellphone. You could also have it on a tablet PC or iPad; many more platforms than Windows.

Softpedia: At this time, PDF exploits are most commonly used in targeted attacks distributing advanced persistent threats (APTs), malware primarily designed to steal information. This is because attackers know that companies are slow to update.

What do you recommend to people who, for whatever reasons, can't upgrade to a new version? Is disabling JavaScript support in the program enough?

Didier Stevens: If you are talking about targeted attacks against companies, they are very difficult to prevent, because the attackers know the company and know which software and what version it runs.

For example, they could build a workaround if JavaScript is disabled, because it's a targeted attack and they have info about the target. In those cases disabling JavaScript will not help, as the attacker will work with exploits that don't require it. However, these are harder and more costly to make.

Softpedia: Have you seen many such exploits that don't rely on JavaScript?

Didier Stevens: No, because they are only used in targeted attacks. But, I know for example that Immunity [a company developing a commercial penetration testing framework] has a JBIG2Decode exploit that doesn't use JavaScript. In companies like these the coders are much more skilled and they are able to pull it off.

Softpedia: Malware researchers from Avast Software have recently stumbled over a quirk in Adobe's PDF implementation which allows exploit writers to hide the malicious JavaScript code with JBIG2Decode, a filter normally used for monochrome image data.

Their PDF parser did not analyze the JBIG2Decode content because they were not aware that this filter can be used on any object stream. Do you think there are other issues like this hidden in the PDF implementation?

Didier Stevens: Yes. I wrote about this method around two years ago in a blog post where I explained all the compression techniques that can be used. There are several compression algorithms for text and images, and using parameters you can define whether that compression is lossless or lossy.

For images you usually have lossy compression, but you can force it to be lossless. And this is not only possible with JBIG2Decode. There are also other algorithms that support lossless compression and those can be used in exactly the same way.

Softpedia: Do you think that malware writers might have read your research about these obfuscation methods and used them?

Didier Stevens: It is possible, yes. But when I published it I also informed several antivirus vendors. However, at the time, only a few of them had the ability to scan the contents of PDF files.

Softpedia: Obviously there are also other implementations of the PDF specification aside from Adobe's. Do you think that attackers might begin targeting other PDF readers now that Adobe Reader is too difficult to exploit?

Didier Stevens: They already do that. There is also malware for Foxit Reader [the second most popular PDF reader].

Softpedia: Is this malware in the wild or just a proof-of-concept?

Didier Stevens: Yes. It's in the wild.

(interview transcribed from audio)

Softpedia.com was an official media partner at HITBSecConf 2011 Amsterdam.