Thursday, September 9, 2010

Visualizing Embedded Executables Teaser and PDF Updates

Since we generally like to tease about what we're working on next, as we get too excited to wait for the public release, here's something we think is pretty neat. We decided to play around with visualization for some recent cryptanalysis work on Microsoft Office Word (.doc), PowerPoint and Excel files.

Take a look at the lines in the chart below. The green horizontal line is a frequency plot of the top character occurrences over the 256-byte spectrum in an Office document which contained a one-byte XOR'ed embedded executable virus. The red line is even more interesting: it represents the same plot, but for a document where a 256-byte XOR key was used to hide the malware. The blue scatter is the statistical analysis of a clean document with no malware. We thought it was pretty neat that when you visualize your cryptanalysis, the documents with malware came up with straight lines in a lot of cases, while clean documents look almost random. More to come in the form of blazing fast cryptanalysis of Office docs :)
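To make the frequency-plot idea concrete, here is an added example (not code from this post or from the Malware Tracker tools) of the statistic behind the chart. It assumes that an embedded executable is dominated by 0x00 bytes, that a single-byte XOR only permutes byte values (so the sorted frequency profile is unchanged), and that a repeating 256-byte XOR preserves that skew within each key position. The "executable" and "clean document" buffers are constructed stand-ins, and the key-recovery helper is a hypothetical routine built on the same 0x00-dominance assumption.

```python
from collections import Counter
import random

# Constructed stand-in for an embedded executable (not a real binary): an "MZ"
# header, two copies of all 256 byte values, and long 0x00 padding runs. Real
# PE files share the property relied on here: 0x00 is by far the most common byte.
EXECUTABLE = (b"MZ" + bytes(range(256)) * 2 + b"\x00" * 2000
              + b"This program cannot be run in DOS mode." + b"\x00" * 500)

# Constructed stand-in for a clean document body: seeded pseudo-random bytes,
# roughly how compressed or encrypted content looks on a frequency plot.
_rng = random.Random(2010)
CLEAN = bytes(_rng.getrandbits(8) for _ in range(65536))


def xor_encode(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (a 1-byte or a 256-byte key in the post)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def frequency_profile(data: bytes) -> list:
    """Occurrence count of each of the 256 byte values, sorted descending.
    A single-byte XOR only relabels byte values, so this profile is unchanged."""
    counts = Counter(data)
    return sorted((counts.get(v, 0) for v in range(256)), reverse=True)


def skew(data: bytes) -> float:
    """Share of the buffer taken by its most common byte value (1.0 = constant)."""
    return frequency_profile(data)[0] / len(data)


def positional_skew(data: bytes, key_len: int) -> float:
    """Average skew over the key_len columns data[i::key_len]. A repeating-key
    XOR leaves every column as skewed as the plaintext, even though the
    whole-buffer skew is flattened because the zeros map to key_len values."""
    cols = [c for c in (data[i::key_len] for i in range(key_len)) if c]
    return sum(skew(c) for c in cols) / len(cols)


def recover_repeating_key(data: bytes, key_len: int) -> bytes:
    """Hypothetical helper: guess a repeating XOR key assuming 0x00 dominates
    the plaintext at every key position, so the most common ciphertext byte
    in column i is key[i]. Wrong guesses show up as garbage after decoding."""
    return bytes(Counter(data[i::key_len]).most_common(1)[0][0]
                 for i in range(key_len))


def looks_like_xored_executable(data: bytes, key_len: int,
                                threshold: float = 0.5) -> bool:
    """Detection heuristic: a clean body spreads evenly over the spectrum
    (low positional skew); a XOR-hidden executable does not."""
    return positional_skew(data, key_len) >= threshold


if __name__ == "__main__":
    key1 = b"\x41"
    key256 = bytes((i * 37 + 11) % 256 for i in range(256))  # constructed key
    for name, key in (("1-byte key", key1), ("256-byte key", key256)):
        hidden = xor_encode(EXECUTABLE, key)
        print(name, "whole-buffer skew", round(skew(hidden), 3),
              "positional skew", round(positional_skew(hidden, len(key)), 3),
              "key recovered:", recover_repeating_key(hidden, len(key)) == key)
    print("clean positional skew (256 columns)",
          round(positional_skew(CLEAN, 256), 3))
```

Running it shows why the two malware lines in the post look so different from the clean scatter: the single-byte key leaves the whole-buffer profile untouched, the 256-byte key flattens the whole-buffer profile but not the per-position one, and the pseudo-random "clean" body scores low either way. On a real document you would run the column analysis over a sliding window rather than the whole file, since the executable is only one region of it.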

In other updates, we updated the Malware Tracker PDF Examiner to detect the new, still unpatched zero-day exploit for the embedded font file buffer overflow, CVE-2010-2883. PDF Examiner is here. We've already seen a new sample different from the original malware reported (contagiodump blog), and with a new Metasploit module created and no patch yet, this exploit is going to be one of the worst. The exploit does not require JavaScript to crash Acrobat, but it still requires JavaScript to load the shellcode that does the actual damage, so disabling JavaScript in Acrobat is recommended until Adobe releases a patch.
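Because the post's point is that the font-file bug only becomes useful to an attacker when the document also carries JavaScript, a simple triage pass that flags PDFs combining an embedded font file with script hooks is a reasonable first filter. The following is an added example, not PDF Examiner's code or any detection logic from this post; it scans for the standard PDF name tokens (/JavaScript, /JS, /OpenAction, /AA, /FontFile, /FontFile2, /FontFile3), decodes #xx name escapes first, and the sample PDF is a constructed skeleton rather than a malicious file.

```python
import re

# Standard PDF name tokens for script hooks, automatic actions and embedded
# font programs (TrueType fonts live under /FontFile2).
MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
           b"/FontFile", b"/FontFile2", b"/FontFile3")

# Constructed sample, not a real document: a minimal PDF skeleton with an
# embedded TrueType font stream and a document-level JavaScript open action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> >> >> endobj
4 0 obj << /Type /FontDescriptor /FontName /Sample /FontFile2 6 0 R >> endobj
5 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
6 0 obj << /Length 4 >> stream
\x00\x01\x00\x00
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def normalize_names(pdf: bytes) -> bytes:
    """Decode #xx escapes inside PDF names (e.g. /J#61vaScript -> /JavaScript),
    a cheap trick used to dodge naive keyword scans."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), pdf)


def count_markers(pdf: bytes) -> dict:
    """Count each marker as a whole name token, so /FontFile does not also
    match /FontFile2 and /JS does not match /JSomething."""
    data = normalize_names(pdf)
    return {m.decode(): len(re.findall(re.escape(m) + rb"(?![0-9A-Za-z])", data))
            for m in MARKERS}


def triage(pdf: bytes) -> dict:
    """Summarise the findings; 'review' is the combination the post describes:
    an embedded font program together with JavaScript in the same file."""
    counts = count_markers(pdf)
    has_js = counts["/JavaScript"] > 0 or counts["/JS"] > 0
    has_font = any(counts[k] > 0 for k in ("/FontFile", "/FontFile2", "/FontFile3"))
    auto_action = counts["/OpenAction"] > 0 or counts["/AA"] > 0
    return {"counts": counts, "javascript": has_js, "embedded_font": has_font,
            "auto_action": auto_action, "review": has_js and has_font}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

Two caveats a practitioner would want: names inside compressed streams or object streams (/FlateDecode, /ObjStm) are invisible to a raw byte scan and need inflating first, and a legitimate PDF with embedded fonts plus harmless form scripting will also hit the "review" condition. The scan is a queue-builder for deeper inspection, not a verdict.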
