Thursday, December 15, 2011

PDF Malware bypasses AV with 256bit AES encryption CVE-2011-2462

We've been getting a number of 256bit AES encrypted PDFs containing the U3D zero-day CVE-2011-2462 in the past 5 days. The files are getting very low-to-no AV detection:

256 bit AESV3 used by Adobe is proposed as part of ISO 32000-2 standard and is not included in the current standard ISO 32000-1, Adobe has implemented it for developer purposes in Reader 9.4 and 10.x. As such, it's not widely used and apparently not widely checked by AV or until today, our own PDFExaminer product.

Here's a sampling of some documents submitted to PDFExaminer which weren't privately submitted:

And a samping of our PDFExaminer results:

We've added 256bit AES decryption and analysis to both our web based PDFExaminer (free online and commercial lan version) and standalone command line versions (please update now). The zero-day samples are also available to Malware Intelligence Feed customers through our customer portal.

Thanks to those that pointed out that we were missing 256bit AES.

No comments:

Post a Comment