    Malicious PDF files are among the most common payloads that exploit kits use to infect users with further malware. Naturally, security vendors invest in detecting these files properly, and their creators invest just as much in evading that detection.

    Using feedback from the Smart Protection Network, we examined several techniques that PDF exploits commonly use today to evade analysis and detection. These techniques are described in this blog post, and what we learned from them is used to improve Trend Micro’s ability to detect these exploits.

    Common JavaScript Evasion Techniques

    Most PDF exploits use some form of embedded JavaScript, so the common JavaScript evasion and obfuscation techniques work here as well: string replacements, try-catch blocks that swallow errors, and String.fromCharCode loops that rebuild the real code at run time all behave the same way inside a PDF file.

    The following code snippet shows some of these techniques in use:


    Figure 1. Common JavaScript evasion/obfuscation techniques in use

    This particular exploit targets CVE-2010-0188.

    Encoded Content And Function Name in INFO Object

    This type of obfuscation stores encoded code in fields of the document’s INFO object (the Title, Subject, Producer and similar metadata fields). A small JavaScript stub then reads those fields back, decodes the malicious code and runs it.

    In this sample, the Title and Creator fields in the INFO object look very strange. The Creator field is a very long alphanumeric string broken up by numerous exclamation points.


    Figure 2. Encoded code in INFO object

    Like the previous exploit, this also targets CVE-2010-0188.

    Targeting the JavaScript Runtime

    This type of evasion is meant to hide from analysis tools. Running JavaScript in PDF files requires a particular runtime library that exposes objects such as app and the document itself. This library is part of Adobe Reader, but most analysis tools do not implement it, or implement only part of it. When the malware finds that an expected function is not defined or behaves incorrectly, the malicious code is never decoded.

    Checks used for this purpose include reading the file size of the document and checking the application’s version.

    In the example below, app.endPriv is checked, and if it is not defined correctly no malicious code ends up running.


    Figure 3. Checking for specific function

    Field Attribute and Scope Functions

    Some malware uses field attributes in XML Forms Architecture (XFA) forms to perform condition checks. As in the previous case, these objects and scope functions are not implemented correctly by analysis tools. If certain objects and functions cannot be found (in this case, the ImageFiled1 object and the ZZA function), the malicious code again will not run.

    In other cases, attributes such as width and height may be used instead.


    Figure 4. Field attribute and scope function

    Namespace Control

    This year we saw a new vulnerability (CVE-2013-2729) paired with new evasion techniques.

    We saw JavaScript code that worked across different namespaces (controlled by the name attribute). Analysis tools sometimes have difficulty with this. In this particular snippet, there are two different objects, util and spray, and the functions and variables are spread across these two namespaces.




    Figures 5-7. Namespaces and variables used

    Variables Scope Changed in eval Function

    This evasion method relies on a specific behavior of the PDF JavaScript engine. Consider the following code snippet:

    (function(){var v="inner"; e=eval; e("alert(v)"); })();

    The above code works as intended in Adobe Reader: the call through the aliased eval still sees the local variable v, and “inner” is displayed. In other JavaScript engines, an aliased (indirect) eval runs in the global scope, where v is not defined, so an error is returned instead. An analysis tool built on such an engine never reaches the malicious code.


    We believe that among these evasion methods, two, checking the JavaScript runtime and changing the scope of variables through eval, will be used more widely in the future. These represent the latest attempts by cybercriminals to evade detection.

    Trend Micro’s existing web reputation service detects and blocks the websites that use these techniques. The specific samples noted above are also detected as: TROJ_PIDIEF.ERP, TROJ_PIDIEF.ERQ, TROJ_PIDIEF.SMAL, and TROJ_PIDIEF.SMAP.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice