Friday, October 28, 2011

Malware PDF Obfuscation Using PNG Filters and AV #fail

We recently took a look at PDF sample 218a3f6c293d67e5eef2a58742966d56 that our PDFExaminer tool was missing that had a low 4/41 detection rate in Virustotal. Object 20 in this sample had decode parameter with a Predictor 12, BitsPerComponent 8, Colors 1, and Columns 1. Normally this PNG Up filter would only be used on graphics data, however, this particular sample it was used to hide an XFA block with Javascript as well as a CVE-2011-0188 libtiff exploit (vulnerable in Adobe Reader 9.3 and earlier).

Object 20 also didn't code with

The PDF was part of attacks earlier in April, blogged about by Sophos and Symantec

Despite awareness and blogs by a couple of commercial AV providers, this particular obfuscation technique hasn't really got much attention, and continues to get very low detection rates - today it's at 14/ 42 (33.3%)- even missed by Symantec, Trend and McAfee as of publication time.

And the malicious object in PDFExaminer, updated to process the PNG Filters: