Avira warns of polymorphic viruses in PDFs
The virus analysts at Avira are warning of complex exploit kits that carry polymorphic viruses in PDF files. In this way, cybercriminals try to bypass simple detection methods based on checksums or file size.
Tettnang, 5 November 2008 - Avira's security experts have analysed PDF files infected by the recent exploit kit named El-Fiesta and have updated the virus signature file. Avira security solutions detect and block the constantly changing PDF malware.
The malware sneaks onto users' computers via drive-by downloads while they surf the Internet. To do this, the criminals compromise genuine websites and connect them to their exploit kits, such as El-Fiesta. The exploit kit scans the potential victim's computer for software security holes to exploit.
The infected PDF files exploit a well-known security vulnerability in Adobe Reader 8.1.1 and older versions, recorded as CVE-2007-5659 in the Common Vulnerabilities and Exposures database. It concerns buffer overflows while processing very long arguments to JavaScript functions. When JavaScript in a PDF file causes a buffer overflow, external code can be written into memory and then executed on the computer, like a Trojan.
To stay protected, users must keep their operating systems, antivirus software and all installed software up to date. Today, Adobe published the Adobe Reader 8.1.3 update, which fixes the security hole exploited by the PDF malware. Adobe Reader 9 is not vulnerable.
Avira's security experts have analysed the polymorphic PDF virus in order to develop a new detection mechanism.
The infected PDF files created by the exploit kit have a different size and MD5 checksum at every download. The JavaScript is packed and encrypted, and even after unpacking it is obfuscated differently each time.
Notable about these polymorphic PDFs: all files contain the same xref table, so the time and offset entries are identical. Avira's analysts deduced that the attackers created a standard PDF file into which they embed and deliver uniquely obfuscated objects.
This is possible because Adobe Reader repairs defective xref tables by searching the document for object markers and using the data it finds there. Thus the PDF file is displayed and the malicious JavaScript runs.
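As an added illustration of that xref point (example code, not Avira's own tooling), the following Python script builds a constructed sample PDF, then a variant whose objects changed while the template's xref table was kept verbatim, and checks whether every xref entry still points at its object header; it handles only classic xref tables, not PDF 1.5 cross-reference streams, and a mismatch is a triage signal, not proof of malice.

```python
import re

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")

def make_pdf(objs, stale_xref=None):
    """Build a minimal PDF from objects 1..n; stale_xref substitutes the table offsets."""
    out, offsets = b"%PDF-1.4\n", {}
    for i, body in enumerate(objs, 1):
        offsets[i] = len(out)
        out += b"%d 0 obj\n%s\nendobj\n" % (i, body)
    table, xref_pos, size = stale_xref or offsets, len(out), len(objs) + 1
    out += b"xref\n0 %d\n0000000000 65535 f \n" % size
    for i in range(1, size):
        out += b"%010d 00000 n \n" % table[i]
    return out + b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (size, xref_pos), offsets

def object_headers(data):
    """Object number -> offsets of its 'N G obj' headers, found by scanning the file
    the way a repairing reader rebuilds a broken xref table."""
    found = {}
    for m in OBJ_RE.finditer(data):
        found.setdefault(int(m.group(1)), []).append(m.start())
    return found

def xref_offsets(data):
    """Object number -> offset claimed by the classic (non-stream) xref table."""
    start = int(re.search(rb"startxref\s+(\d+)", data).group(1))
    hdr = re.compile(rb"xref\s+(\d+)\s+(\d+)\s+").match(data, start)
    first, count = int(hdr.group(1)), int(hdr.group(2))
    entries = re.compile(rb"(\d{10}) (\d{5}) ([nf])").findall(data, hdr.end())
    return {first + i: int(off) for i, (off, _g, use) in enumerate(entries[:count])
            if use == b"n"}

def xref_mismatches(data):
    """Objects whose xref entry does not point at their header (file relies on repair)."""
    headers = object_headers(data)
    return sorted(n for n, off in xref_offsets(data).items()
                  if off not in headers.get(n, []))

def contains_javascript(data):
    return b"/JavaScript" in data or b"/JS" in data

# Constructed template: catalog, OpenAction JavaScript object, pages tree, page.
TEMPLATE = [b"<< /Type /Catalog /Pages 3 0 R /OpenAction 2 0 R >>",
            b"<< /S /JavaScript /JS (app.alert(1)) >>",
            b"<< /Type /Pages /Kids [4 0 R] /Count 1 >>", b"<< /Type /Page /Parent 3 0 R >>"]
CLEAN, TEMPLATE_OFFSETS = make_pdf(TEMPLATE)
# Constructed variant: object 2 swapped for a longer script, template xref kept (3 and 4 shift).
VARIANT, _ = make_pdf([TEMPLATE[0], b"<< /S /JavaScript /JS (" + b"x" * 40 + b") >>"]
                      + TEMPLATE[2:], stale_xref=TEMPLATE_OFFSETS)
```

Files sharing one xref table across many differing samples, with offsets that no longer resolve, are exactly the pattern Avira describes, so the mismatch list is what a scanner would key on rather than size or checksum.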
This is very easy for the malware authors to implement, and economically efficient as well: great outcome at low expense. Only once many antivirus products detect the infected documents will their effort have to increase.