PRAGUE, Czech Republic, April 27, 2011 – Cybercriminals are misusing a picture filter to encode malware exploits and payloads into Adobe PDF files, reports the avast! Virus Lab.
The trick uses the JBIG2Decode filter, which is designed specifically for encoding monochrome images. Encoding the payload with this filter lets the malicious PDF file slip past most antivirus scanners undetected. The encoded content is the well-known CVE-2010-0188 exploit, a TIFF vulnerability in Adobe Reader.
“The JBIG2 algorithm works here because any data – text or binary – can be declared as a monochrome two-dimensional image,” said Jiri Sejtko, senior virus analyst. “Who would have thought that a pure image algorithm might be used as a standard filter on any object stream? We hadn’t expected such behavior.”
The definition of the object stream referenced from the XFA array shows that the object is not picture data and is 3125 bytes long. Two filters, FlateDecode and JBIG2Decode, must be applied in turn to recover the original data.
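A defender-side check for the structure described above, added here as an example and not code from avast!: it scans a PDF's objects for streams that apply JBIG2Decode without being declared as an /Image and reports whether they are chained with FlateDecode or referenced from the /XFA entry. The embedded PDF fragment is a constructed, harmless sample whose stream bodies are placeholder bytes.

```python
import re

# Constructed sample (placeholder data, not an exploit): object 3 is a legitimate
# JBIG2 image; object 4 is a non-image stream referenced from /XFA that chains
# FlateDecode and JBIG2Decode, mirroring the layout in the release.
SAMPLE_PDF = b"""%PDF-1.6
1 0 obj << /Type /Catalog /AcroForm 2 0 R >> endobj
2 0 obj << /Fields [] /XFA [(datasets) 4 0 R] >> endobj
3 0 obj << /Type /XObject /Subtype /Image /Width 8 /Height 8 /BitsPerComponent 1
/ColorSpace /DeviceGray /Filter /JBIG2Decode /Length 4 >>
stream
\x00\x00\x00\x00
endstream
endobj
4 0 obj << /Filter [/FlateDecode /JBIG2Decode] /Length 3 >>
stream
...
endstream
endobj
"""

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
# /XFA may be a single stream reference or an array of (name, ref) pairs.
XFA_RE = re.compile(rb"/XFA\s*(\[.*?\]|\d+\s+\d+\s+R)", re.S)
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R")

def xfa_refs(pdf):
    """Object numbers referenced from any /XFA entry in the document."""
    refs = set()
    for m in XFA_RE.finditer(pdf):
        refs.update(int(n) for n in REF_RE.findall(m.group(1)))
    return refs

def suspicious_jbig2_streams(pdf):
    """Return streams that use /JBIG2Decode but are not declared as /Image XObjects."""
    xfa = xfa_refs(pdf)
    hits = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        head = body.split(b"stream", 1)[0]   # dictionary part before the stream keyword
        if head == body or b"/JBIG2Decode" not in head:
            continue                          # no stream, or not JBIG2-encoded
        if re.search(rb"/Subtype\s*/Image", head):
            continue                          # image data is the filter's intended use
        hits.append({"obj": num,
                     "chained_with_flate": b"/FlateDecode" in head,
                     "referenced_from_xfa": num in xfa})
    return hits

if __name__ == "__main__":
    for h in suspicious_jbig2_streams(SAMPLE_PDF):
        print(h)
```

A hit with both flags set matches the pattern the Virus Lab describes and is worth decoding with the full filter chain before deciding the file is clean.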
“We have seen this nasty trick being used in a targeted attack and have seen it used so far in a relatively small number of general attacks. That is probably why no one else is able to detect it,” he added.
The vulnerability is patched in current versions of Adobe Reader; only older versions of the program are affected. “This is another reason to keep your Adobe updated,” said Mr. Sejtko.
avast! Virus Lab released PDF:ContEx [Susp] detection to the antivirus community immediately after discovering the trick through a posting on VirusTotal. A decoding algorithm was added to the avast! antivirus PDF engine on April 21.
For a more complete description of the JBIG2 trick, read Mr. Sejtko’s post on the avast! blog or come to the CARO 2011 Workshop.
Avast (www.avast.com), the global leader in digital security products, protects over 400 million people online. Avast offers products under the Avast and AVG brands that protect people from threats on the internet and the evolving IoT threat landscape. The company’s threat detection network is among the most advanced in the world, using machine learning and artificial intelligence technologies to detect and stop threats in real time. Avast digital security products for Mobile, PC or Mac are top-ranked and certified by VB100, AV-Comparatives, AV-Test, OPSWAT, ICSA Labs, West Coast Labs and others. Avast is backed by leading global private equity firms CVC Capital Partners and Summit Partners.