Security News
Avira issues a warning about polymorphous harmful PDFs
Wed, 05 November 2008
The virus analysts at the IT security company Avira warn users against enhanced exploit kits that generate polymorphous harmful PDF files. Cyber criminals are attempting to sidestep simple detection mechanisms based on checksums or file size.
Tettnang, 5 November 2008 – The security experts at Avira have analyzed the infectious PDF files produced by the exploit kit known as El-Fiesta. Avira's security solutions detect and block these continually changing harmful PDFs.
The harmful programs reach the Internet user through drive-by downloads: the criminals compromise legitimate websites and embed a link to their exploit kit, such as El-Fiesta. The exploit kit probes the potential victim's computer for vulnerabilities and then exploits any it finds.
The infectious PDF files exploit a known vulnerability in Adobe Reader 8.1.1 and older, listed in the Common Vulnerabilities and Exposures database as CVE-2007-5659. It is a buffer overflow that occurs when long arguments are passed to JavaScript functions. If JavaScript in a PDF document triggers this buffer overflow, it can write program code to local storage, which the system then executes, for instance a Trojan.
Users should always keep their operating system, anti-virus software and installed programs up to date. Adobe has released an update, Adobe Reader version 8.1.3, which fixes this vulnerability; version 9 of Adobe Reader is not affected.
The security experts at Avira have analyzed the polymorphous PDF threats thoroughly in order to provide protection through new detection mechanisms.
Each PDF produced by the exploit kit has a different download size and a different MD5 checksum. The JavaScript is packed, encrypted and obfuscated in several layers, so it remains camouflaged even after unpacking.
The polymorphous PDFs do, however, have one peculiarity: all files share the same index; the xref table, all timestamps and all offset information are identical. The Avira analysts assume that the cyber-criminals created a standard PDF document and embedded the camouflaged objects into it before distribution. This works because Adobe Reader repairs the defective xref table: the Reader scans the document for the object markers and uses the correct data it finds, so the PDF document is displayed and the malicious JavaScript is executed.
For cyber criminals this is not difficult to implement: little effort for a huge effect. They will have to work harder now that several anti-virus products are able to detect their documents.
About Avira
Avira is a leading worldwide provider of in-house developed protection solutions for professional and private use. The company is one of the pioneers in this sector, with over twenty years of experience.
The protection experts have numerous company locations throughout Germany and cultivate partnerships in Europe, Asia and America. Avira has more than 180 employees at its main office in Tettnang near Lake Constance and is one of the largest employers in the region. Around 250 people are employed worldwide, and their commitment is continually confirmed by awards. A significant contribution to protection is Avira AntiVir Personal, which is in use by private users a million times over.
Well-known listed companies as well as educational organizations and public employers are among the national and international customers. In addition to protecting the virtual environment, Avira contributes to more protection and safety in the real world by supporting the Auerbach Foundation. The Auerbach Foundation, established by the company's founder, promotes charitable and social projects as well as the arts, culture and science.
Company contact:
Avira GmbH
Elisabeth Rothbart
Lochhamer Schlag 5a
D-82166 Gräfelfing/München
Telephone: +49 (0) 89 8583 639 17
Telefax: +49 (0) 89 8583 639 20
Email: