Wednesday, November 5, 2008

Avira issues a warning about polymorphous harmful PDFs

The virus analysts at the IT security company Avira warn users about enhanced exploit kits that generate polymorphous harmful PDF files. Cyber criminals are attempting to sidestep simple detection mechanisms based on checksums or file size.

Tettnang, 5 November 2008 – The security experts at Avira have analyzed infectious PDF files in the exploit kit named El-Fiesta. The Avira security solutions can detect and block these continually changing and harmful PDFs.

The harmful programs are foisted on Internet users through drive-by downloads. The criminals hack harmless websites and embed a link to their exploit kit, such as El-Fiesta. The exploit kit searches for vulnerabilities on the potential victim’s computer in order to exploit them.

The infectious PDF files take advantage of a known vulnerability in Adobe Reader 8.1.1 or older that is listed in the Common Vulnerabilities and Exposures database as CVE-2007-5659. The malware uses buffer overflows that occur when long arguments are processed in JavaScript functions. If JavaScript in a PDF document produces a buffer overflow, it can write program code to the local storage, which is then executed by the system – for instance a Trojan.

Users should always keep their operating system, the anti-virus software and the installed programs up to date. Adobe has provided a new update for Adobe Reader version 8.1.3 which fixes this vulnerability; version 9 of Adobe Reader does not contain this vulnerability.

The security experts at Avira have analyzed the polymorphous PDF threats thoroughly in order to provide protection through new detection mechanisms.


Each time the exploit kit delivers the PDF threat, the file has a different download size and a different MD5 checksum. The JavaScript is packed and encrypted, and is still camouflaged several times over even after unpacking.

There is something peculiar about the polymorphous PDFs: all files have the same index. The xref table, all time specifications and the offset information are identical. The analysts at Avira assume the cyber criminals have created a standard PDF document and embed the camouflaged objects in it before sending it. This is possible because Adobe Reader repairs the defective xref table: the Reader searches the document for the object markers and uses the correct data, so the PDF document is displayed and the malicious JavaScript is executed.
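The mismatch described above can be checked mechanically. The following is an added example, not Avira's detection logic: it compares a classic xref table with the object markers actually present in the file. The function names and both sample documents are constructed for illustration, and it assumes a single uncompressed xref table (no xref streams or incremental updates).

```python
import re

def build_pdf(bodies):
    """Constructed sample: a minimal PDF whose xref table is correct."""
    out, offsets = b"%PDF-1.4\n", []
    for num, body in enumerate(bodies, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos, size = len(out), len(bodies) + 1
    out += b"xref\n0 %d\n0000000000 65535 f \n" % size
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\n" % size
    return out + b"startxref\n%d\n%%%%EOF\n" % xref_pos

def xref_findings(data):
    """List disagreements between the classic xref table and the file body."""
    findings = []
    table_pos = data.rfind(b"xref\n", 0, data.rfind(b"startxref"))
    declared = int(re.search(rb"startxref\s+(\d+)", data).group(1))
    if declared != table_pos:
        findings.append(f"startxref says {declared}, table is at {table_pos}")
    table, num = {}, 0
    for line in data[table_pos:].split(b"\n")[1:]:
        parts = line.split()
        if line.startswith(b"trailer"):
            break
        if len(parts) == 2:            # subsection header: first number, count
            num = int(parts[0])
        elif len(parts) == 3:          # entry: offset, generation, n (in use) / f
            if parts[2] == b"n":
                table[num] = (int(parts[0]), int(parts[1]))
            num += 1
    for num, (off, gen) in sorted(table.items()):
        if not re.match(rb"%d\s+%d\s+obj\b" % (num, gen), data[off:off + 32]):
            findings.append(f"xref offset {off} does not hold object {num}")
    for m in re.finditer(rb"(?m)^(\d+) \d+ obj\b", data[:table_pos]):
        if int(m.group(1)) not in table:
            findings.append(f"object {int(m.group(1))} is missing from xref")
    return findings

CLEAN = build_pdf([b"<< /Type /Catalog /Pages 2 0 R >>",
                   b"<< /Type /Pages /Kids [] /Count 0 >>"])
# Constructed stand-in for an object embedded after the table was written;
# the body is inert placeholder text, and the old xref is left untouched.
EXTRA = b"9 0 obj\n<< /Note (constructed placeholder) >>\nendobj\n"
TAMPERED = CLEAN[:9] + EXTRA + CLEAN[9:]

if __name__ == "__main__":
    for name, pdf in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, xref_findings(pdf))
```

A stale table is not proof of malice, since damaged or badly generated documents show it too, so the result is best used as one signal for triage alongside others.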

This is not difficult to implement for cyber criminals: little effort with a huge effect. They will have to work harder on it as several anti-virus products are now able to detect their documents.
