[CMP N426] Computer Systems Security

Malicious PDF Files Presenter: Ahmed Hesham Abd El-Hameed Kamal Student Code: 1083128 Course: [CMP N426] Computer Systems Security Semester: Spring 2013 Cairo University Faculty of Engineering Credit Hours System

Transcript of [CMP N426] Computer Systems Security

Page 1: [CMP N426] Computer Systems Security

Malicious PDF Files
Presenter: Ahmed Hesham Abd El-Hameed Kamal
Student Code: 1083128
Course: [CMP N426] Computer Systems Security
Semester: Spring 2013

Cairo University
Faculty of Engineering
Credit Hours System

Page 2: [CMP N426] Computer Systems Security

05/02/2023 [CMP N426] Computer Systems Security

Agenda

Introduction
Client-Side Attacks
Malicious Content Files
Detection, Analysis and Cleanup
Recorded Incidents

2 of 18

Page 3: [CMP N426] Computer Systems Security

Introduction

Who has access to the network?
Who has access to the systems?
Who has access to the data?
Who has access to the Internet from inside the network?
Who has access to the assets?
Who has access anytime to all of the above?

Page 4: [CMP N426] Computer Systems Security


Introduction (Cont.)

The User


Page 5: [CMP N426] Computer Systems Security

Client-Side Attacks

“An attack that targets the user’s computer environment.” – Jamie Riden, Honeynet Project.

Very dangerous
High success ratio
Hard to detect
Most common type of attacks found today

Page 6: [CMP N426] Computer Systems Security

Client-Side Attacks (Cont.)

Targeted Attacks (chart)

Adobe Acrobat Reader: 49%
Microsoft Word: 39%
Microsoft Excel: 7%
Microsoft PowerPoint: 5%

Most common file types in a targeted attack (F-Secure, 2009)

Page 7: [CMP N426] Computer Systems Security

Client-Side Attacks (Cont.)

The attacker poses to the user as a service provider (email, website, files, etc.)

The client is tricked or forced to communicate with the malicious service provider

The service provider then exploits a vulnerability in the client’s environment

Social engineering is often used as part of this attack

Page 8: [CMP N426] Computer Systems Security

Malicious Content Files

A piece of malicious code is embedded into the contents of the file

Example: PDF files

Page 9: [CMP N426] Computer Systems Security

Malicious Content Files (Cont.)

The PDF format is based on the PostScript programming language

Industry standard for communicating documents

A typical PDF consists of:
Header
List of objects
Cross-reference table
Trailer

Page 10: [CMP N426] Computer Systems Security


Malicious Content Files (Cont.)

PDF files use a hierarchical structure

Objects in the document are arranged in the form of a tree

Rendering engine traverses the tree of objects


Page 11: [CMP N426] Computer Systems Security

Detection, Analysis and Cleanup

A great set of tools for the detection and analysis of PDF files was created by the security researcher Didier Stevens

Includes:
pdf-parser.py
make-pdf tools: make-pdf-javascript.py, make-pdf-embedded.py
pdfid.py
PDFtemplate.bt

Page 12: [CMP N426] Computer Systems Security

Detection, Analysis and Cleanup (Cont.)

pdfid.py
Searches for certain PDF keywords
Identifies PDF documents that contain JavaScript or executable actions upon open
Can handle name obfuscation
First tool to be used in the analysis of a suspected file

Page 13: [CMP N426] Computer Systems Security


Detection, Analysis and Cleanup (Cont.)


Page 14: [CMP N426] Computer Systems Security

Detection, Analysis and Cleanup (Cont.)

pdf-parser.py
stats: displays statistics of the objects found in the PDF document
search: not case-sensitive, and is susceptible to the obfuscation techniques
filter: applies the filter(s) to the stream
raw: makes pdf-parser output raw data
objects: outputs the data of the indirect object whose ID was specified
reference: allows selection of all objects referencing the specified indirect object
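As an added example (not from the slides and not Didier Stevens' own code), a small Python triage script that does the two jobs the slides describe for pdfid.py and pdf-parser.py: count risky keywords after undoing #xx name obfuscation, and inflate FlateDecode streams so the embedded script can be read. The sample PDF is constructed inline; the parser assumes a direct /Length value and LF line endings.

```python
import re
import zlib

# Constructed sample, not a real malicious file: the catalog's /OpenAction points at a
# JavaScript action whose name is obfuscated as /Java#53cript (#53 is hex for 'S') and
# whose script sits in a FlateDecode stream. /Length is direct and line ends are LF.
JS_SOURCE = b"app.alert('constructed sample');"
_BODY = zlib.compress(JS_SOURCE)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /Java#53cript /JS 4 0 R >> endobj\n"
    b"4 0 obj << /Length " + str(len(_BODY)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _BODY + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Keywords pdfid.py reports; /OpenAction and /AA make an action run without a click.
KEYWORDS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")

def normalize_names(data: bytes) -> bytes:
    """Undo name obfuscation: PDF names may spell any byte as #xx, so the reader
    treats /Java#53cript and /JavaScript as the same name. Do the same before matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def count_keywords(data: bytes) -> dict:
    """pdfid-style counts over normalized bytes; a name ends at a delimiter, so
    /JS is not counted inside a longer name such as /JSName."""
    text = normalize_names(data)
    return {kw: len(re.findall(re.escape(kw.encode()) + rb"(?![A-Za-z0-9])", text))
            for kw in KEYWORDS}

def decode_streams(data: bytes) -> list:
    """pdf-parser --filter style: return each stream body, inflated when its dictionary
    names /FlateDecode, so the analyst sees the script the reader would execute."""
    decoded = []
    for m in re.finditer(rb"<<([^<>]*)>>\s*stream\r?\n", data):
        dictionary = normalize_names(m.group(1))
        length = int(re.search(rb"/Length (\d+)", dictionary).group(1))
        body = data[m.end():m.end() + length]
        decoded.append(zlib.decompress(body) if b"/FlateDecode" in dictionary else body)
    return decoded

def triage(data: bytes) -> dict:
    """First-pass verdict, including whether JavaScript is wired to run on open."""
    counts = count_keywords(data)
    auto_js = counts["/OpenAction"] > 0 and counts["/JavaScript"] + counts["/JS"] > 0
    return {"header_ok": data.startswith(b"%PDF-"), "counts": counts,
            "decoded_streams": decode_streams(data), "auto_js": auto_js}
```

A plain keyword grep over the raw file would report zero /JavaScript hits for this sample; only after name normalization does the auto-run script become visible.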

Page 15: [CMP N426] Computer Systems Security


Detection, Analysis and Cleanup (Cont.)


Page 16: [CMP N426] Computer Systems Security

Detection, Analysis and Cleanup (Cont.)

Attackers are not stupid (most of them are, but you get the point)

Obfuscation
Hexadecimal
Octal
String Splitting
White Spaces
String Randomization

Encoding
Base64, FlateDecode, ASCIIHexDecode, Unescape, etc.

Encryption

Page 17: [CMP N426] Computer Systems Security

Detection, Analysis and Cleanup (Cont.)

Remove the file extension of the malicious file, so the code cannot be executed by, say, a thumbnail viewer.

Disable Adobe iFilter, which is used for meta-data indexing (search):

Regsvr32 /v AcroRdIf.dll

OR have a nice day using a Linux system to analyze Windows-infected content…

Page 18: [CMP N426] Computer Systems Security

Recorded Incidents

2012: United States Department of Defense

A PDF named "Agenda_Web_(8-24-12).pdf" was found to contain an embedded malicious executable with encrypted reverse shell functionality. When executed, a connection on port 443 is attempted to an external location. If the connection is successfully established, the malware negotiates an SSL session with the remote host and a reverse shell is established. The latest virus definition update from various Anti-Virus vendors detects the malicious executable as a generic Trojan horse program.

2010: SpiderLabs Incident Readiness Service - Incident Response

The PDF file analyzed was found to contain an embedded packed (NsPack) malicious executable. In order to thwart analysis upon execution, the malicious executable runs a series of checks to ensure it is not running within a typical malware analysis environment. Once these checks are completed, an instance of Internet Explorer is launched. Internet Explorer is then utilized to establish a connection via HTTP to two distinct external locations. If a connection is established to either location, information regarding the local system is sent. The malware contains functionality for downloading and executing additional malicious programs chosen by the attacker.