Monday, May 5, 2008

New techniques to hide PDF malware

A researcher has discovered a set of techniques that allow malware embedded in a PDF file to change its appearance in an almost infinite number of ways.
Coverage of the “Race to Zero” contest has drawn attention, at least briefly, to the very real problem that polymorphism poses for anyone trying to filter out all the different forms of malicious software that can land on a user's system.
In information security, polymorphism describes a sample that can exist in several different forms (usually different executable binaries) while still carrying the same payload.
Polymorphism is not a new concept, and over the years a number of techniques have been introduced to morph software automatically so that it can slip past protective software. Fortunately for those who write detection tools, many of these early attempts left clear signatures in the resulting files, making it simple enough to detect the payload even when a file with that exact byte structure had never been seen before.
Over time the code used to generate these variants has improved, and it has taken more effort on the part of antimalware developers to keep up, with many suggesting that the malware authors are winning.
PDF files have been used in the past as a way of slipping past malware scanners, an approach made easier by the fact that a PDF file is a set of instructions that can tell the PDF interpreter to carry out various actions on its own through simple scripting commands, not just the document formatting most people are familiar with. The general belief is that PDF is a “safe” document format, but more and more research effort is being invested in discovering vulnerabilities in it.
From Stevens' work it appears that PDF interpreters are quite happy to interpret other character encodings (hexadecimal, octal and ANSI are the examples he used) as if they were plain text. This should be fairly simple to check for, but it forces any scanning application to devote more resources to each file it scans. Extending that result is the discovery that unlimited amounts of whitespace can be placed between each character and PDF interpreters will still interpret the content correctly.
Probably the worst combination of the above is that these unlimited encoding options can themselves be hidden by encrypting the malware payload with PDF's built-in encryption.
To counter these problems an antimalware scanner will now need to decrypt all encrypted content that is not password protected, reduce all the alternative representations in a PDF file to a single form (canonicalisation), and then strip all whitespace from the file before scanning for the malware payload. This reverses the effect of the polymorphism, but it imposes a significant increase in the resources needed to scan each PDF file. Stevens was reassuring that there is “nothing alarming” about what he found. What he considers important is that “you have to be careful with PDF documents from an unknown source because you cannot rely entirely on your AV, NIDS or antispam software to block malicious PDF documents.”
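As an added example (not code from the original post or from Stevens' own tools), the canonicalisation step described above for two of the encodings the post names: a small Python routine that expands the #xx hex escapes PDF allows in name objects and the \ddd octal escapes it allows in literal strings, collapses runs of PDF whitespace, and only then matches the indicator names. The PDF fragments and the indicator list are constructed for the demo; the ANSI case and decryption of encrypted content are not covered.

```python
import re

# Constructed fragments of a PDF catalog: the same content written plainly, with
# #xx hex escapes in the names, with \ddd octal escapes in the string, and with
# extra PDF whitespace between tokens. A byte-for-byte signature only hits "plain".
SAMPLES = {
    "plain":   b"<< /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert) >> >>",
    "hexname": b"<< /Type /Catalog /#4Fpen#41ction << /S /Java#53cript /JS (app.alert) >> >>",
    "octal":   b"<< /Type /Catalog /OpenAction << /S /JavaScript /JS (\\141pp.\\141lert) >> >>",
    "spaced":  b"<<\t/Type\r\n/Catalog     /OpenAction\n<<  /S\x00/JavaScript /JS (app.alert) >>   >>",
}

# PDF whitespace characters: NUL, TAB, LF, FF, CR, SPACE
PDF_WS = rb"[\x00\t\n\x0c\r ]"
# A name token: '/' followed by regular characters (no whitespace, no delimiters)
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]*")
# A literal string without nested parentheses (sufficient for the samples above)
STRING_RE = re.compile(rb"\((?:[^()\\]|\\.)*\)")


def decode_name(token: bytes) -> bytes:
    """Expand #xx hex escapes in a name, e.g. /Java#53cript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), token)


def decode_string(token: bytes) -> bytes:
    """Expand \\ddd octal escapes in a literal string, e.g. (\\141pp) -> (app)."""
    return re.sub(rb"\\([0-7]{1,3})", lambda m: bytes([int(m.group(1), 8) & 0xFF]), token)


def canonicalize(data: bytes) -> bytes:
    """Reduce the alternative spellings to one form, then collapse whitespace runs."""
    data = NAME_RE.sub(lambda m: decode_name(m.group(0)), data)
    data = STRING_RE.sub(lambda m: decode_string(m.group(0)), data)
    return re.sub(PDF_WS + rb"+", b" ", data).strip()


# Constructed indicator list: names a scanner would look for after normalisation
INDICATORS = (b"/OpenAction", b"/JavaScript")


def find_indicators(data: bytes) -> set:
    """Return the indicator names present once the fragment has been canonicalised."""
    canon = canonicalize(data)
    return {name for name in INDICATORS if name in canon}


if __name__ == "__main__":
    for label, fragment in SAMPLES.items():
        naive = {n for n in INDICATORS if n in fragment}
        print(f"{label:8s} naive={sorted(naive)} canonical={sorted(find_indicators(fragment))}")
```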
