Antivirus Developers Dropped the Ball: PDF is not a Surprise
by Duff Johnson
Friday, May 6, 2011

AV vendors once again claim to be "surprised" by an attack vector they should have expected.

A new complaint is running rife in the antivirus community, this time about PDF and Adobe Reader, the new frontier for viruses, worms and other cyber creepy-crawlies. Let's unpack a paragraph from the Avast! blog post "Another nasty trick in malicious PDF". Following an innocuous quotation from an out-of-date version of the PDF Reference (more on that below), the author writes:

"That's another surprise from PDF, another surprise from Adobe, of course. Who would have thought that a pure image algorithm might be used as a standard filter on any object stream you want? And that's the reason why our scanner wasn't successful in decoding the original content – we hadn't expected such behavior. To be fair, any data (text or binary) can be declared as a monochrome two-dimensional image – that's the reason why JBIG2 algorithm works here."

I'd like to offer two observations.
After all, it's not as if PDF files are unusual – they're everywhere, and have been for years! Google counts almost 300 million PDF files online, and there are tens of billions more in banks, insurance companies, government agencies, and yes, on your hard drive too. Given the popularity of PDF for well over a decade, there's nothing in the PDF Reference that should come as a "surprise".

Two – I would expect antivirus software developers to consider the possibility that an image filter could be used to encode non-image objects for nefarious purposes. The programmers who write virus detection software need to think like virus writers. The fact that they "didn't expect" this behavior does not mean there is anything wrong with the file format, but rather that the programmers writing virus detection software failed to anticipate this exploit, and thus failed in their chosen responsibility of protecting the public. If they haven't thought of this type of exploit, what else haven't they thought of? The author says as much in the last sentence quoted above.

This is only one recent occurrence of antivirus developers "discovering" something about PDF they should have known all along. The reason is simple: while PDF files are everywhere, meaningful awareness of PDF technology is not common amongst software developers. A PDF file is a free-form database file that can contain any type of data, and there are many perfectly legitimate ways to encode data in PDF.

For a start, it's time the antivirus community bothered to read the most recent version of the PDF Reference. The document quoted in the Avast! blog post is an old Adobe version published in 2006. The current PDF Reference is ISO 32000-1:2008, officially available from the ISO, and also freely from Adobe's website. When it comes to PDF, we need three things from antivirus people:
Antivirus software is a multibillion dollar industry that thrives (in part) on pushing the latest threat. It's true that hackers are increasingly attempting to leverage PDF files with evil intent. I applaud the industry's strenuous efforts to keep us all safe – but that means they need to think a little harder and read a little deeper into PDF.
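The Avast! quote above (an image codec used as the filter on an arbitrary stream) and the two cases raised in the comments below (a script hidden under more than one filter, or under an image filter) come down to the same check a scanner should make before it even tries to decode a stream: read the /Filter chain from the stream dictionary and compare it against what the object claims to be. The following Python is an added example written for this page, not code from Appligent, Avast! or Adobe. It extracts stream dictionaries from a constructed minimal PDF with a regular expression (a production scanner would use a full PDF parser and also resolve indirect references), normalizes filter names, and flags three things: an image-only filter on a stream not declared as /Subtype /Image, a stack of more than one filter, and a filter name ISO 32000-1 section 7.4 does not define. It never decodes the payload; the names of the standard filters and the #xx name-escape rule (section 7.3.5) are taken from ISO 32000-1, everything else (function names, the sample bytes) is assumed.

```python
"""Flag PDF stream objects whose declared /Filter chain is suspicious.

Added example: heuristics only, no stream decoding. Built on ISO 32000-1:
  section 7.4 lists the standard filters; section 7.3.5 allows #xx hex
  escapes inside names, which a scanner must resolve before comparing.
"""
import re
from typing import Dict, List

# Standard filters from ISO 32000-1 Table 6; the first set are image codecs
IMAGE_ONLY_FILTERS = {"DCTDecode", "CCITTFaxDecode", "JBIG2Decode", "JPXDecode"}
GENERAL_FILTERS = {"ASCIIHexDecode", "ASCII85Decode", "LZWDecode",
                   "FlateDecode", "RunLengthDecode", "Crypt"}
KNOWN_FILTERS = IMAGE_ONLY_FILTERS | GENERAL_FILTERS

# "N G obj << ... >> stream": the lazy match expands past nested << >>
# (e.g. /DecodeParms) until a ">>" directly followed by "stream" is found.
STREAM_OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(<<.*?>>)\s*stream\b", re.DOTALL)
# /Filter takes either a single name or an array of names
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/[^\s/\[\]<>()]+)")
NAME_RE = re.compile(rb"/([^\s/\[\]<>()]+)")


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes so /Fl#61teDecode compares equal to /FlateDecode."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def parse_filters(stream_dict: bytes) -> List[str]:
    """Return the ordered filter chain declared in one stream dictionary."""
    m = FILTER_RE.search(stream_dict)
    if not m:
        return []
    return [decode_name(n) for n in NAME_RE.findall(m.group(1))]


def declares_image(stream_dict: bytes) -> bool:
    """True when the object says it is an image XObject."""
    return re.search(rb"/Subtype\s*/Image\b", stream_dict) is not None


def scan_pdf(data: bytes) -> List[Dict]:
    """Walk every stream object and report the ones worth a closer look."""
    findings = []
    for m in STREAM_OBJ_RE.finditer(data):
        obj_num, sdict = int(m.group(1)), m.group(3)
        chain = parse_filters(sdict)
        reasons = []
        if len(chain) > 1:
            reasons.append("multiple filters: " + " -> ".join(chain))
        image_filters = [f for f in chain if f in IMAGE_ONLY_FILTERS]
        if image_filters and not declares_image(sdict):
            reasons.append("image-only filter on non-image stream: "
                           + ", ".join(image_filters))
        unknown = [f for f in chain if f not in KNOWN_FILTERS]
        if unknown:
            reasons.append("filter not in ISO 32000-1: " + ", ".join(unknown))
        if reasons:
            findings.append({"object": obj_num, "filters": chain, "reasons": reasons})
    return findings


# Constructed sample (not a real document): stream bodies are placeholder bytes.
# Object 1 is a legitimate JBIG2 image, 2 a plain Flate stream, 3 a non-image
# stream hiding behind Flate then JBIG2, 4 a Flate stream with an escaped name.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /XObject /Subtype /Image /Width 8 /Height 8 /BitsPerComponent 1 "
    b"/ColorSpace /DeviceGray /Filter /JBIG2Decode /DecodeParms << /JBIG2Globals 5 0 R >> "
    b"/Length 4 >>\nstream\nXXXX\nendstream\nendobj\n"
    b"2 0 obj\n<< /Length 4 /Filter /FlateDecode >>\nstream\nXXXX\nendstream\nendobj\n"
    b"3 0 obj\n<< /Length 4 /Filter [/FlateDecode /JBIG2Decode] >>\nstream\nXXXX\nendstream\nendobj\n"
    b"4 0 obj\n<< /Length 4 /Filter /Fl#61teDecode >>\nstream\nXXXX\nendstream\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for f in scan_pdf(SAMPLE_PDF):
        print(f"object {f['object']}: {'; '.join(f['reasons'])}")
```

Run as a script it reports only object 3, with both reasons; object 1 passes because it really is an image, and object 4 passes because the escaped name normalizes to FlateDecode. A scanner that skipped the normalization step would see object 4 as an unknown filter and, worse, one that applied only the first filter of object 3 would hand the JBIG2-wrapped payload to its signature engine still encoded.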
Comments
Codu:
What version of Adobe Reader are you referencing?
You should report your issue here:
http://www.adobe.com/support/security/alertus.html
Duff.
Just ran into this issue this WE; irony of fate, I saw this article of yours.
Guess who just installed the virus stub process?
The Adobe PDF Reader! Applause ******!
How?
Since version 8, Internet Explorer launches its instances in a highly isolated process (without any doubt, imho, the most intelligent thing they ever did). The Adobe ActiveX for IE activates the Acrobat Reader under the logged user account and tells it to: Load this file!
What is happening is the following:
The Adobe Reader is EXECUTING THE MALICIOUS CODE IN THE PDF DOCUMENT WITH THE CURRENT USER CREDENTIALS ! THE MICROSOFT ISOLATION IS USELESS IN THIS CASE ! THE ANTIVIRUS INDUSTRY CAN NOT PREVENT THIRD PARTY VERY FREQUENT FAILURES IN SOFTWARE ARCHITECTURES, ADOBE INCLUDED.
The first exercise is to mark with white chalk on a blackboard 1000 times: "Any Antiviral Protection can be broken!"
As a second exercise, type "polymorphic code" into a generic search engine and follow the links.
As a third exercise, if the Adobe Security Team wishes to test such an infected PDF document, I have the original that infected my computer this WE: drop a message with the email of your Adobe security support and I'll contact them.
If I open the infected PDF document with Foxit Free PDF Reader it says "This document has problem" and the malicious code is not executed. I expect, at least, the same message from Adobe Reader (as an extension of the ISO 32000-1:2008) !
Jindrich:
I'm not an antivirus developer; it's not my job to find exploits! I simply pointed out that the post on the Avast! blog appeared ill-informed about PDF. You've offered nothing to contradict that view.
Perhaps the reason you haven't seen this exploit before is that virus writers are exploring PDF at about the same speed as antivirus developers. What a shame. My suggestion: read the PDF Reference and get in front of the bad guys instead of following them.
Please provide us with a link to a publicly available PDF (with a creation date older than our blog) which has
a) a script hidden under more than one filter (we don't have any example of this in our cleanset of 60 000)
b) a script hidden under an image filter, or a filter with a TIFF/PNG predictor (we don't have this either)
Without this, all you wrote is just a pointless rant.