Jindrich Kubec AVAST Software
Jiri Sejtko AVAST Software
Everyone in the computer security world knows about the dangers that come with the vulnerabilities discovered in the file format that is widely used by the masses - PDF. In the last couple of years, we have seen many security holes found in the PDF format. If we add an extremely liberal parser, a wealth of allowed encodings, and the power of the scripting engine, we get an ideal channel for malware delivery.
Adobe, as the major provider of PDF viewers (about 83% of all users), has introduced Reader X in recent months, and the vendor's update policies for older versions have been improved significantly. However, this is not enough. We have found that about 55% of all users still run a vulnerable version which can easily be targeted by the bad guys. We have to grab the PDF by the tail!
We will not talk about the PDF itself, about its history or about a specific vulnerability - all of which have already been covered by many others. Instead, we will focus on the ways we deal with the detection of evil PDFs. We will describe our heuristic detection approach - classifications based on combining format-specific information with the information gathered from embedded scripts. We will show powerful detections based on script weirdness - where almost everything abnormal might be penalized.
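As an added illustration of the combined format-plus-script heuristic scoring sketched above (example code written for this page, not avast's detection engine), the following Python penalizes format-level indicators in a constructed PDF and then separately penalizes abnormalities inside its stream bodies. The indicator names, penalties and threshold are assumptions chosen for illustration.

```python
import re

# Constructed fixtures, not real-world samples: one PDF whose catalog has an
# OpenAction pointing at an obfuscated script, and one plain PDF skeleton.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS 4 0 R >> endobj
4 0 obj << /Length 60 /Filter [/ASCIIHexDecode /FlateDecode] >>
stream
var s = unescape("%u4141%u4141"); eval(String.fromCharCode(97, 98));
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Format-specific indicators (name, byte regex over the whole file, penalty).
# Penalties are illustrative assumptions, not tuned values.
FORMAT_RULES = [
    ("open_action", rb"/OpenAction\b", 2),        # script runs on open
    ("javascript", rb"/JavaScript\b|/JS\b", 2),    # any JS action present
    ("filter_chain", rb"/Filter\s*\[(?:\s*/\w+){2,}\s*\]", 2),  # stacked filters
]
# Script "weirdness" indicators, applied only to stream bodies.
SCRIPT_RULES = [
    ("unescape", rb"\bunescape\s*\(", 2),
    ("eval", rb"\beval\s*\(", 2),
    ("fromcharcode", rb"String\.fromCharCode", 1),
    ("unicode_escape", rb"%u[0-9a-fA-F]{4}", 2),  # %uXXXX-encoded payload
]

def score_pdf(data):
    """Return (total_score, triggered_indicator_names) for raw PDF bytes."""
    score, hits = 0, []
    for name, pat, penalty in FORMAT_RULES:
        if re.search(pat, data):
            hits.append(name); score += penalty
    # Pull every stream body and run the script rules over it.
    for body in re.findall(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        for name, pat, penalty in SCRIPT_RULES:
            if re.search(pat, body):
                hits.append(name); score += penalty
    return score, hits

def classify(data, threshold=5):
    """Verdict from the summed penalties; threshold is an assumed cut-off."""
    return "suspicious" if score_pdf(data)[0] >= threshold else "clean"
```

Real streams are usually compressed, so a production scorer would decode the declared filter chain before applying the script rules; this example keeps the body in clear text to show the two-layer scoring itself.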
We will also focus on the QA processes that the bad guys use to defeat our detections. Real-life cases will be discussed.