Malware Exploits Image Encoding in PDF Files

Avast Software, 06 May 2011 (Technical Article)
Avast has discovered a PDF exploit which encodes malware into document files using monochrome image filters
Cybercriminals are misusing a picture filter to encode malware exploits and payloads into Adobe PDF files, reports the avast! Virus Lab.


The trick uses the JBIG2Decode filter, which is designed specifically for encoding monochrome images. Wrapping the content in this filter lets the malicious PDF file slip past most antivirus scanners undetected. The encoded content is the well-known CVE-2010-0188 exploit, a TIFF vulnerability in Adobe Reader.


“The JBIG2 algorithm works here because any data – text or binary – can be declared as a monochrome two-dimensional image,” said Jiri Sejtko, senior virus analyst. “Who would have thought that a pure image algorithm might be used as a standard filter on any object stream? We hadn’t expected such behavior.”


The object stream definition referenced from the XFA array shows that the object is not picture data and is 3125 bytes long. Two filters – FlateDecode and JBIG2Decode – must be used to decode the original data.


“We have seen this nasty trick being used in a targeted attack and have seen it used so far in a relatively small number of general attacks. That is probably why no one else is able to detect it,” he added.


The vulnerability is patched in current versions of Adobe Reader; only older versions of the program are affected. “This is another reason to keep your Adobe updated,” said Mr. Sejtko.


avast! Virus Lab released PDF:ContEx [Susp] detection to the antivirus community immediately after discovering the trick through a posting on VirusTotal. A decoding algorithm was added to the avast! antivirus PDF engine on April 21.
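As an added example (not Avast's code or the page's own), the Python heuristic below captures the detection idea the article describes: it lists each stream object's filter chain, flags JBIG2Decode applied to a stream that is not an image XObject, and reports whether the XFA array references that object. The sample PDF is constructed, its stream bodies are dummy bytes rather than real JBIG2 data, and the regexes assume flat dictionaries.

```python
import re

# Constructed sample (not a real malicious file): object 7 is a non-image stream
# declaring the FlateDecode + JBIG2Decode chain and is referenced from the XFA
# array; object 5 is a legitimate JBIG2 image XObject. Stream bodies are dummies.
SAMPLE_PDF = b"""%PDF-1.6
1 0 obj << /Type /Catalog /AcroForm 2 0 R >> endobj
2 0 obj << /XFA [ (template) 7 0 R ] >> endobj
5 0 obj << /Type /XObject /Subtype /Image /Width 8 /Height 8 /Filter /JBIG2Decode /Length 3 >>
stream
abc
endstream
endobj
7 0 obj << /Filter [ /FlateDecode /JBIG2Decode ] /Length 5 >>
stream
xxxxx
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Flat-dictionary regexes: enough for this heuristic, not a full PDF parser
# (nested dictionaries and object streams would need a real parser).
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*<<(.*?)>>\s*(stream)?", re.S)
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")
XFA_RE = re.compile(rb"/XFA\s*\[([^\]]*)\]", re.S)
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R")

def parse_filters(dict_bytes):
    """Return filter names from '/Filter /Name' or '/Filter [/A /B]' forms."""
    m = FILTER_RE.search(dict_bytes)
    return [n.decode() for n in re.findall(rb"/(\w+)", m.group(1))] if m else []

def scan_pdf(data):
    """Flag JBIG2Decode streams that are not image XObjects; note XFA references."""
    xfa_refs = set()
    for m in XFA_RE.finditer(data):
        xfa_refs.update(int(n) for n in REF_RE.findall(m.group(1)))
    findings = []
    for m in OBJ_RE.finditer(data):
        num, d, is_stream = int(m.group(1)), m.group(2), m.group(3)
        filters = parse_filters(d)
        if not is_stream or "JBIG2Decode" not in filters:
            continue
        # A JBIG2 stream that is not declared as an image is the suspicious case.
        if not re.search(rb"/Subtype\s*/Image", d):
            findings.append({"obj": num, "filters": filters, "xfa": num in xfa_refs})
    return findings
```

Running `scan_pdf(SAMPLE_PDF)` reports only object 7, with its two-filter chain and the XFA reference; the image XObject in object 5 is left alone.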

   © 2012 ProSecurityZone.com