avast! Virus Lab discovers new PDF trick - malware in black and white

PRAGUE, Czech Republic, April 27, 2011 – Cybercriminals are misusing a picture filter to encode malware exploits and payloads into Adobe PDF files, reports the avast! Virus Lab.

The trick uses the JBIG2Decode filter, which is designed specifically for encoding monochrome images. Declaring arbitrary data as JBIG2-encoded image content lets the malicious PDF file slip past most antivirus scanners undetected. The encoded content is the well-known CVE-2010-0188 exploit, a TIFF vulnerability in Adobe Reader.

“The JBIG2 algorithm works here because any data – text or binary – can be declared as a monochrome two-dimensional image,” said Jiri Sejtko, senior virus analyst. “Who would have thought that a pure image algorithm might be used as a standard filter on any object stream? We hadn’t expected such behavior.”

Figure: template object definition

The object stream definition referenced from the XFA array shows that the object is not picture data and is 3125 bytes long. Two filters, FlateDecode and JBIG2Decode, must be applied in sequence to recover the original data.
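The pattern described above (a JBIG2Decode filter on a stream that is not an image XObject, referenced from an AcroForm /XFA array, and stacked behind FlateDecode) is easy to triage with a small heuristic scanner. The following is an added example, not avast code and not the PDF:ContEx detection; it uses regular expressions rather than a full PDF parser (objects inside compressed object streams are not handled) and runs over a constructed, harmless sample whose declared stream length of 3125 bytes mirrors the press release while the stream body is only a stub.

```python
"""Heuristic scanner for abuse of the PDF /JBIG2Decode filter.

Added example (not part of the original press release, not avast code).
Flags streams that declare /JBIG2Decode but are not image XObjects, are
referenced from the AcroForm /XFA array, or chain JBIG2Decode with other
filters. Regex-based: object streams and xref streams are not handled.
"""
import re

# Constructed sample, not a real malicious file. Object 3 is a normal 1-bit
# image; object 4 is a non-image stream referenced from /XFA with the
# FlateDecode + JBIG2Decode chain. The declared /Length 3125 mirrors the
# press release; the body is a stub.
SAMPLE_PDF = b"""%PDF-1.6
1 0 obj
<< /Type /Catalog /Pages 2 0 R
   /AcroForm << /Fields [] /XFA [ (template) 4 0 R ] >> >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Type /XObject /Subtype /Image /Width 8 /Height 8
   /ColorSpace /DeviceGray /BitsPerComponent 1
   /Filter /JBIG2Decode /Length 4 >>
stream
\x00\x00\x00\x00
endstream
endobj
4 0 obj
<< /Filter [ /FlateDecode /JBIG2Decode ] /Length 3125 >>
stream
STUB-STREAM-BODY
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# "N G obj << dict >> stream" within one endobj-delimited chunk; the greedy
# group takes the outermost dictionary even when it nests << >>.
OBJ_WITH_STREAM_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*<<(.*)>>\s*stream", re.DOTALL)
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")   # single name or array
LENGTH_RE = re.compile(rb"/Length\s*(\d+)")
XFA_ARRAY_RE = re.compile(rb"/XFA\s*\[(.*?)\]", re.DOTALL)  # /XFA [ (name) N 0 R ... ]
XFA_SINGLE_RE = re.compile(rb"/XFA\s*(\d+)\s+\d+\s+R")      # /XFA N 0 R
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R")


def xfa_references(pdf: bytes) -> set[int]:
    """Object numbers referenced from any /XFA entry (array or single stream)."""
    refs = set()
    for m in XFA_ARRAY_RE.finditer(pdf):
        refs.update(int(n) for n in REF_RE.findall(m.group(1)))
    for m in XFA_SINGLE_RE.finditer(pdf):
        refs.add(int(m.group(1)))
    return refs


def stream_objects(pdf: bytes):
    """Yield (object number, dictionary bytes) for every object carrying a stream."""
    for chunk in pdf.split(b"endobj"):
        m = OBJ_WITH_STREAM_RE.search(chunk)
        if m:
            yield int(m.group(1)), m.group(3)


def filters_of(dictionary: bytes) -> list[str]:
    """Filter names in application order, e.g. ['FlateDecode', 'JBIG2Decode']."""
    m = FILTER_RE.search(dictionary)
    if not m:
        return []
    return [n.decode() for n in re.findall(rb"/(\w+)", m.group(1))]


def is_image_xobject(dictionary: bytes) -> bool:
    """True only for a dictionary that looks like a real image (/Subtype /Image + dimensions)."""
    return (re.search(rb"/Subtype\s*/Image\b", dictionary) is not None
            and re.search(rb"/Width\s*\d+", dictionary) is not None
            and re.search(rb"/Height\s*\d+", dictionary) is not None)


def scan_jbig2(pdf: bytes) -> list[dict]:
    """Return one finding per JBIG2Decode stream that is used in a non-image way."""
    xfa_refs = xfa_references(pdf)
    findings = []
    for num, d in stream_objects(pdf):
        filters = filters_of(d)
        if "JBIG2Decode" not in filters:
            continue
        reasons = []
        if not is_image_xobject(d):
            reasons.append("JBIG2Decode on a stream that is not an image XObject")
        if num in xfa_refs:
            reasons.append("stream is referenced from the AcroForm /XFA array")
        if len(filters) > 1:
            others = ", ".join(f for f in filters if f != "JBIG2Decode")
            reasons.append("JBIG2Decode stacked with " + others)
        if reasons:
            lm = LENGTH_RE.search(d)
            findings.append({"obj": num, "filters": filters,
                             "declared_length": int(lm.group(1)) if lm else None,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_jbig2(SAMPLE_PDF):
        print(f"obj {f['obj']} filters={f['filters']} length={f['declared_length']}")
        for r in f["reasons"]:
            print("  -", r)
```

Run against the sample, the legitimate image in object 3 is ignored while object 4 is reported with all three reasons. The three checks are deliberately independent so a sample that trips only one of them (for example a JBIG2 stream with no /XFA reference) is still surfaced; a full parser such as the one the engine would need for xref and object streams is outside the scope of this example.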

“We have seen this nasty trick being used in a targeted attack and have seen it used so far in a relatively small number of general attacks. That is probably why no one else is able to detect it,” he added.

The vulnerability is patched in current versions of Adobe Reader; only older versions of the program are affected. “This is another reason to keep your Adobe updated,” said Mr. Sejtko.

avast! Virus Lab released PDF:ContEx [Susp] detection to the antivirus community immediately after discovering the trick through a posting on VirusTotal. A decoding algorithm was added to the avast! antivirus PDF engine on April 21.

For a more complete description of the JBIG2 trick, read Mr. Sejtko’s post on the avast! blog or come to the CARO 2011 Workshop.