Obfuscated script code in malicious PDF files
June 30th, 2008
One of the features of the Portable Document Format (PDF) is the ability to embed JavaScript code within the document. With this powerful scripting language at hand, the multimedia possibilities of PDF documents can be enhanced by adding some interactive magic to them. Of course, it didn't take long for malware authors to abuse this interface for their evil deeds, and they began to include malicious scripts in PDF documents. To avoid detection, they already use strong obfuscation techniques, and manually decoding and analyzing these scripts becomes even harder when the origin of the document is unknown. The reason is that the key for the decryption algorithm has been moved outside the document: it is no longer included with the script.

That nasty, unreadable script code displayed in the screenshot above is taken from a malicious PDF document. To get at it, the script first has to be extracted from the compressed PDF stream in which it is stored. A subsequent closer look reveals that the decoder uses the 'location.href' property, which returns the current document's location (URL). Without the correct URL, any attempt to decode the script fails and yields only rubbish, because the document's location is the key that was used to encrypt the script.

But once the correct URL is supplied as the script's key, it can easily be decoded, revealing another piece of obfuscated JavaScript code. After that layer has been decoded as well, the original plain script code becomes visible, unravelling exploit code that attempts to install further malware.
PDF documents with strongly obfuscated script code like this are blocked proactively by Secure Computing's Anti-Malware engine as 'Exploit.PDF.RecurseDecrypt.gen'. Any document carrying suspicious-looking code of this kind is blocked at the gateway regardless of the exploit code it uses. Script code that relies on heavy obfuscation methods like this is a typical sign of malware and should never be used within legitimate documents.
Author: Anti-Malware Team