Adobe recently released versions 8.2 and 9.3 of Acrobat/Reader, patching several critical vulnerabilities including the recent "newPlayer()" 0-day (Lexsi ref. 12676).

As vulnerabilities in the operating system itself become harder to find and exploit, vulnerabilities in third-party applications will increasingly be exploited in both mass and targeted attacks. Among these applications, Adobe Flash Player and Adobe Acrobat/Reader are the most exploited. F-Secure recently reported that Adobe Acrobat/Reader was used in almost 50% of the targeted attacks relying on malicious documents in 2009, almost twice the 2008 figure.

In this context, it is interesting to look at how antivirus products compare when handling this kind of malicious document. Let's take the latest Adobe Acrobat/Reader 0-day mentioned above, for which exploit code has been available in the Metasploit framework since 15 December. According to our tests, the PDF generated by Metasploit is currently detected by 6 of the 19 main AV products:

Now, let's make it a bit more realistic. Using the Origami framework presented at the SSTIC conference (Rennes, France) in 2009, it is easy to inject the exploit code and a payload from Metasploit into any legitimate PDF. There are many ways to have the JavaScript executed automatically; here we chose to add an annotation to a page. The user reads the (apparently) legitimate document until reaching the malicious page, which triggers execution of the payload (this behaviour should make the attack more credible :).

With the same exploit code, it is somewhat surprising to see that only 2 of the 19 AV products now detect the malicious version of this legitimate PDF:

What should we conclude? First, one could argue that it is not the AV's role to detect exploit code, but the malware it drops. Namely, it would not be surprising for an antivirus to stay silent on an exploit that merely executes calc.exe. However, most (if not all) antivirus products do include signatures for PDF exploit code; detecting it in the first case but not in the second can therefore be seen as a weakness in their document-parsing engines.
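As an added illustration (not part of the original post, and not Origami or Metasploit code), here is a small Python scanner that flags the action dictionaries a viewer would execute on its own, including ones hidden inside Flate-compressed object streams. It runs over a constructed two-page PDF whose second page carries a JavaScript annotation of the kind described above; the object layout and the benign `app.alert` payload are assumptions for the sake of the example.

```python
import re
import zlib

# Names that make a viewer run code or open something. An annotation's /A or /AA
# entry points at such an action dictionary, so flagging the action object
# catches the "annotation on a page" trigger described in the post.
TRIGGER_RE = re.compile(rb"/(JS|JavaScript|OpenAction|AA|Launch)\b")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def scan_pdf(data: bytes) -> dict:
    """Map object number -> sorted trigger names found in that object, looking at
    the raw object body and inside any Flate-compressed stream it carries
    (object streams are where a naive keyword scan stops seeing these entries)."""
    findings = {}
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(3)
        views = [body]
        for s in STREAM_RE.finditer(body):
            try:
                views.append(zlib.decompress(s.group(1)))
            except zlib.error:
                pass  # not Flate data (or corrupt): the raw bytes were scanned already
        hits = sorted({t.group(1).decode() for v in views for t in TRIGGER_RE.finditer(v)})
        if hits:
            findings[num] = hits
    return findings

# Constructed sample (not a real malicious file): page 2 carries a /Link annotation
# whose /A action is a benign app.alert, and object 7 hides a second action
# dictionary inside a Flate-compressed object stream.
HIDDEN = zlib.compress(b"8 0 << /S /JavaScript /JS (app.alert('hidden')) >>")
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R 4 0 R] /Count 2 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A 6 0 R >> endobj\n"
    b"6 0 obj << /S /JavaScript /JS (app.alert('visible')) >> endobj\n"
    b"7 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(HIDDEN)).encode() + b" >>\nstream\n" + HIDDEN + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for num, hits in scan_pdf(SAMPLE_PDF).items():
        print(f"object {num}: {', '.join(hits)}")
```

A scanner that skipped the decompression step would report object 6 only, which is the same blind spot the post attributes to the AV parsing engines.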