Wednesday, September 29, 2010

Trick for finding the embedded exe's in PDFs

One of the common traits of a lot of PDF malware is that the embedded executable is put into an object stream and marked with a compression filter such as FlateDecode, but the stream is rarely actually compressed. The PDF Examiner online tool now marks objects whose raw stream does not correctly inflate in brown, to denote the possible inclusion of an executable attachment. In most cases the "fake" stream contains an XORed exe file, or sometimes additional clean PDFs which are dropped at exploit time.

In the example below, you can see that object 64 contains a stream which was marked as FlateDecode but is listed in brown to denote that it did not contain a valid gzipped stream. In the hexview we can see the pattern of a 256-byte XOR key showing through the executable's whitespace; the XOR key can then be used to statically extract the executable for analysis.

Monday, September 27, 2010

JS Stream Decryption Fix

Fixed a bug in the PDF Examiner with escaped characters in literal streams for Encrypted documents. Encrypted PDFs with JS(...) blocks not in a compressed stream were affected.

Friday, September 24, 2010

PDF Malware Threat Overview - list of common vulnerabilities

We've created a new comprehensive Malware Tracker chart for the current state of PDF threats from Adobe Reader / Acrobat and embedded Flash exploits. Check out the chart here. We'll be keeping the page up to date with new threats as they develop and are patched. Links to analyses of real live malware samples in our PDF Examiner tool are also included.

Sunday, September 19, 2010

New shortcut to the PDF Examiner tool

Now you can submit a PDF for free online analysis and view all the objects at A new domain to use as a shortcut to our very popular online pdf dissector tool.

Sunday, September 12, 2010

PDF Examiner New Features

Added support for multiple objects with the same ID: objects are now displayed as [object number].[generation number] @ file location in bytes. This should improve how PDF files with duplicate objects are viewed. PDF Examiner

Saturday, September 11, 2010

PDF Examiner New Features

Added a lot of enhancements for dealing with obfuscated JavaScript, including showing in orange objects which may contain JavaScript but have no detected entities. Check out the PDF Examiner.

Thursday, September 9, 2010

Visualizing Embedded Executables Teaser and PDF Updates

Since we generally like to tease about what we're working on next as we get too excited to wait for the public release, here's something we think is pretty neat. We decided to play around with visualization for some recent cryptanalysis work on some Microsoft Office .doc, PowerPoint and Excel files.

Take a look at the lines in the chart below. The green horizontal line represents a frequency plot of the top character occurrences over a 256-byte spectrum in an Office document which contained a one-byte XOR'ed embedded executable virus. The red line is even more interesting: it represents the same, but where a 256-byte XOR key was used to hide the malware. The blue scatter is the statistical analysis of a clean document with no malware. We thought it was pretty neat that when you visualize your cryptanalysis, the documents with malware came up with straight lines in a lot of cases, while clean documents look almost random. More to come in the form of blazing fast cryptanalysis and Office docs :)
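The two ideas above, the "brown" streams of the September 29 post (marked /FlateDecode but not inflatable) and the per-position frequency statistic behind this post's chart, worked through as added example code. This is not the PDF Examiner's implementation; the minimal PDF, the fake executable and the 256-byte key are all constructed here, and the stream matcher only handles direct /Length values. The key-recovery step relies on the same property the chart shows: an executable's zero padding dominates every key position, so the most common ciphertext byte in each column is the key byte itself.

```python
"""Flag FlateDecode streams that do not inflate, then recover a repeating
XOR key from such a stream by per-position frequency analysis.
Added example; the sample data below is constructed, not real malware."""
import re
import zlib
from collections import Counter

# "N G obj << dict >> stream\n": a deliberately simple matcher that reads the
# stream length from a direct /Length value (indirect references are skipped).
STREAM_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(<<.*?>>)\s*stream\r?\n", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")


def find_streams(pdf):
    """Yield (object number, generation, dictionary, raw stream bytes)."""
    for m in STREAM_RE.finditer(pdf):
        dictionary = m.group(3)
        length = LENGTH_RE.search(dictionary)
        if length is None:
            continue
        start = m.end()
        yield int(m.group(1)), int(m.group(2)), dictionary, pdf[start:start + int(length.group(1))]


def inflates(raw):
    """True if the bytes really are a zlib (FlateDecode) stream."""
    try:
        zlib.decompress(raw)
        return True
    except zlib.error:
        return False


def suspicious_streams(pdf):
    """Objects marked /FlateDecode whose data does not inflate: candidates
    for an XORed attachment, the objects the post shows in brown."""
    return [(num, gen, len(raw)) for num, gen, d, raw in find_streams(pdf)
            if b"/FlateDecode" in d and not inflates(raw)]


def top_byte_fraction(data, period):
    """For each offset modulo `period`, the share of that column held by its
    most common byte. An XORed executable gives a high, flat line because its
    zero padding maps to one fixed byte per column; random data does not."""
    return [Counter(data[i::period]).most_common(1)[0][1] / len(data[i::period])
            for i in range(period)]


def recover_xor_key(data, key_len):
    """Assume 0x00 is the most common plaintext byte in every column, so the
    most common ciphertext byte in that column is the key byte (0x00 ^ k == k)."""
    return bytes(Counter(data[i::key_len]).most_common(1)[0][0] for i in range(key_len))


def xor_with_key(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_attachment(pdf, key_len=256):
    """Decode the first non-inflating FlateDecode stream with a recovered key."""
    for num, gen, d, raw in find_streams(pdf):
        if b"/FlateDecode" in d and not inflates(raw):
            key = recover_xor_key(raw, key_len)
            return num, key, xor_with_key(raw, key)
    return None


# --- constructed sample data (not real malware) -----------------------------
FAKE_EXE = (b"MZ" + b"\x00" * 62                          # DOS header, mostly zero
            + b"This program cannot be run in DOS mode.\r\n"
            + b"\x00" * 1900                             # padding, as in real PE files
            + b"PE\x00\x00" + b".text\x00\x00\x00"
            + bytes(range(256))                          # one block of varied bytes
            + b"\x00" * 1200)
KEY = bytes((73 * i + 19) & 0xFF for i in range(256))    # arbitrary 256-byte key
ENCODED = xor_with_key(FAKE_EXE, KEY)


def _stream_obj(num, data):
    return (str(num).encode() + b" 0 obj\n<< /Length " + str(len(data)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + data + b"\nendstream\nendobj\n")


# object 5 is genuinely compressed; object 64 only claims to be
SAMPLE_PDF = (b"%PDF-1.4\n" + _stream_obj(5, zlib.compress(b"BT /F1 12 Tf (hi) Tj ET"))
              + _stream_obj(64, ENCODED) + b"%%EOF\n")

if __name__ == "__main__":
    print("suspicious:", suspicious_streams(SAMPLE_PDF))
    num, key, plain = extract_attachment(SAMPLE_PDF)
    print("obj %d starts with %r after XOR" % (num, plain[:2]))
    print("lowest column fraction:", min(top_byte_fraction(ENCODED, 256)))
```

On a real file the same check is worth running against the raw bytes of every stream, not only those claiming /FlateDecode; a recovered key that turns the first two bytes into `MZ` is the quick confirmation that the column statistic pointed at an executable rather than at a padded clean PDF.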

In other updates, we updated the Malware Tracker PDF Examiner to detect the new unpatched zero-day embedded font file buffer overflow exploit CVE-2010-2883. PDF Examiner is here. We've already seen a new sample different from the original malware reported (contagiodump blog), and with the creation of the new Metasploit module and no patch yet, this exploit is going to be one of the worst. The exploit, while not requiring JavaScript to crash Acrobat, does still require JavaScript to load the shellcode that does the bad stuff, so disabling JavaScript in Acrobat is recommended until a patch is released by Adobe.

Wednesday, September 1, 2010

PDF Examiner

Added a few updates to the PDF Examiner: checking object parameters such as /Launch for exploits. Working on more encryption methods; if you have any Revision 1 or 3 samples, send them over to us. Bug fixes: streams with no encoding method are now checked for known exploits.