I came across yet another copy of a malicious PDF file being hosted on the Internet. The file highlights the arms race currently being fought between signature-based anti-virus vendors and the bad guys. Simply put, by obfuscating the malicious code embedded in the document (here, the JavaScript the PDF carries), the bad guys can slip malicious PDF files past signature-based AV solutions undetected. When an AV vendor writes a signature to match a given variant, the bad guys change the obfuscation method, and the cycle starts over with them holding the upper hand.
I submitted this PDF file to www.virustotal.com and was not surprised to find that only 8 out of 40 AV products detected the file as malicious (full results below).
To get a sense of what AV vendors are up against, below is the obfuscated code from this particular PDF file – can you spot any malware?

Here is the same code with the obfuscation removed, as decoded by wepawet.com.

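The gap between the raw file and the decoded script is easy to show on a small sample. The Python below is an added example, not code from this post or from wepawet.com or VirusTotal: it builds a constructed PDF (no real exploit; a harmless app.alert stands in for the payload) whose JavaScript is FlateDecode-compressed, hidden behind eval(unescape(...)) and referenced through hex-escaped PDF names, then shows that a byte signature over the raw file misses it while a scanner that normalises names, inflates the streams and resolves the unescape literal finds it and recovers the hidden script. The function names, indicator patterns and thresholds are my own choices, not anyone's published signatures.

```python
import re
import zlib

# ---------------------------------------------------------------------------
# Constructed sample (not the file from the post). A minimal PDF whose
# /OpenAction runs a FlateDecode-compressed JavaScript stream. The script is
# obfuscated the way the post describes: the real code is percent-encoded and
# handed to eval(unescape(...)). The "real code" here is a harmless alert that
# stands in for exploit code; no exploit is included. The name keys are also
# written with PDF #xx hex escapes (/J#53 for /JS), which readers accept.
# ---------------------------------------------------------------------------
HIDDEN_SCRIPT = "app.alert('payload ran');"
_ESCAPED = "".join("%%%02X" % b for b in HIDDEN_SCRIPT.encode("ascii"))
OBFUSCATED_JS = "eval(unescape('" + _ESCAPED + "'));"
_STREAM = zlib.compress(OBFUSCATED_JS.encode("ascii"))

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    + b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    + b"3 0 obj << /S /Java#53cript /J#53 4 0 R >> endobj\n"
    + b"4 0 obj << /Length " + str(len(_STREAM)).encode("ascii")
    + b" /Filter /FlateDecode >>\nstream\n" + _STREAM + b"\nendstream\nendobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Innermost PDF dictionary (no nested << inside), optionally followed by a stream.
_DICT_RE = re.compile(rb"<<((?:(?!<<).)*?)>>", re.S)
_STREAM_RE = re.compile(rb"<<((?:(?!<<).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)

# Idioms that are rare in legitimate document JavaScript but common in
# obfuscated exploit loaders. Each regex is applied to the *decoded* stream.
SUSPICIOUS = {
    "eval": rb"\beval\s*\(",
    "unescape": rb"\bunescape\s*\(",
    "fromCharCode": rb"String\.fromCharCode",
    "percent-encoded blob": rb"(?:%[0-9a-fA-F]{2}){16,}|(?:%u[0-9a-fA-F]{4}){8,}",
}


def raw_signature_hits(pdf_bytes, signature):
    """A naive byte signature over the file as stored on disk. This is what an
    obfuscated sample defeats: the interesting strings are compressed or encoded."""
    return signature in pdf_bytes


def normalise_names(data):
    """PDF names may spell any byte as #xx, so /JS can be written /J#53. Undo that.
    Only apply this to dictionaries, never to raw stream data."""
    return re.sub(rb"#([0-9a-fA-F]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def extract_streams(pdf_bytes):
    """Yield (normalised dictionary, decoded data) for every stream object.
    The stream is delimited by the endstream keyword rather than /Length,
    because malicious files routinely lie about /Length."""
    for m in _STREAM_RE.finditer(pdf_bytes):
        dictionary = normalise_names(m.group(1))
        data = m.group(2)
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass  # truncated or deliberately damaged: scan the raw bytes instead
        yield dictionary, data


def decode_unescape_literals(js_bytes):
    """Statically resolve unescape('...') string literals so the hidden script can
    be read without executing it (what a sandbox such as wepawet automates)."""
    text = js_bytes.decode("latin-1")

    def resolve(m):
        s = m.group(1)
        s = re.sub(r"%u([0-9a-fA-F]{4})", lambda u: chr(int(u.group(1), 16)), s)
        s = re.sub(r"%([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), s)
        return repr(s)

    return re.sub(r"unescape\(\s*'([^']*)'\s*\)", resolve, text)


def scan_pdf(pdf_bytes):
    """Triage a PDF the way a sandbox does: normalise names, inflate streams,
    then look for JavaScript and for obfuscation idioms inside it."""
    dicts = [normalise_names(d) for d in _DICT_RE.findall(pdf_bytes)]
    report = {
        "javascript_present": any(re.search(rb"/JS\b|/JavaScript\b", d) for d in dicts),
        "runs_on_open": any(b"/OpenAction" in d for d in dicts),
        "indicators": [],
        "decoded_scripts": [],
    }
    for _dictionary, data in extract_streams(pdf_bytes):
        hits = [name for name, pat in SUSPICIOUS.items() if re.search(pat, data)]
        if hits:
            report["indicators"].extend(h for h in hits if h not in report["indicators"])
            report["decoded_scripts"].append(decode_unescape_literals(data))
    return report


if __name__ == "__main__":
    print("raw 'eval(unescape(' hit:", raw_signature_hits(SAMPLE_PDF, b"eval(unescape("))
    print("raw '/JS' hit:", raw_signature_hits(SAMPLE_PDF, b"/JS"))
    print(scan_pdf(SAMPLE_PDF))
```

Run as a script, both raw signature checks come back False while scan_pdf reports JavaScript that runs on open, flags eval, unescape and a percent-encoded blob, and prints the alert call that was hidden inside the unescape literal. The indicators are heuristics, not proof: forms-heavy PDFs use JavaScript legitimately, and real samples stack more layers (split strings, custom decoders, string replacement) on top of this one, which is exactly why a signature written against one encoding stops matching the next.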
Test results on the PDF file from www.VirusTotal.com (8 of 40 engines flagged it; "-" means no detection).
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| a-squared | 4.0.0.101 | 2009.05.26 | - |
| AhnLab-V3 | 5.0.0.2 | 2009.05.26 | - |
| AntiVir | 7.9.0.168 | 2009.05.26 | - |
| Antiy-AVL | 2.0.3.1 | 2009.05.26 | - |
| Authentium | 5.1.2.4 | 2009.05.26 | PDF/Obfusc.D!Camelot |
| Avast | 4.8.1335.0 | 2009.05.26 | JS:Pdfka-HY |
| AVG | 8.5.0.339 | 2009.05.26 | - |
| BitDefender | 7.2 | 2009.05.26 | - |
| CAT-QuickHeal | 10 | 2009.05.26 | - |
| ClamAV | 0.94.1 | 2009.05.26 | - |
| Comodo | 1203 | 2009.05.26 | - |
| DrWeb | 5.0.0.12182 | 2009.05.26 | - |
| eSafe | 7.0.17.0 | 2009.05.26 | - |
| eTrust-Vet | 31.6.6522 | 2009.05.26 | - |
| F-Prot | 4.4.4.56 | 2009.05.26 | - |
| F-Secure | 8.0.14470.0 | 2009.05.26 | - |
| Fortinet | 3.117.0.0 | 2009.05.26 | - |
| GData | 19 | 2009.05.26 | JS:Pdfka-HY |
| Ikarus | T3.1.1.57.0 | 2009.05.26 | - |
| K7AntiVirus | 7.10.745 | 2009.05.26 | - |
| Kaspersky | 7.0.0.125 | 2009.05.26 | - |
| McAfee | 5627 | 2009.05.26 | - |
| McAfee+Artemis | 5627 | 2009.05.26 | - |
| McAfee-GW-Edition | 6.7.6 | 2009.05.26 | - |
| Microsoft | 1.4701 | 2009.05.26 | Exploit:Win32/Pdfjsc |
| NOD32 | 4106 | 2009.05.26 | - |
| Norman | 6.01.05 | 2009.05.26 | - |
| nProtect | 2009.1.8.0 | 2009.05.26 | - |
| Panda | 10.0.0.14 | 2009.05.26 | - |
| PCTools | 4.4.2.0 | 2009.05.21 | - |
| Prevx | 3 | 2009.05.26 | - |
| Rising | 21.31.14.00 | 2009.05.26 | - |
| Sophos | 4.42.0 | 2009.05.26 | Mal/PdfEx-C |
| Sunbelt | 3.2.1858.2 | 2009.05.25 | Exploit.PDF-JS.Gen (v) |
| Symantec | 1.4.4.12 | 2009.05.26 | Bloodhound.Exploit.196 |
| TheHacker | 6.3.4.3.332 | 2009.05.26 | - |
| TrendMicro | 8.950.0.1092 | 2009.05.26 | - |
| VBA32 | 3.12.10.6 | 2009.05.26 | - |
| ViRobot | 2009.5.26.1753 | 2009.05.26 | - |
| VirusBuster | 4.6.5.0 | 2009.05.26 | JS.Crypt.BSP |
The malicious PDF files currently being hosted across the Internet are a not-so-subtle reminder that signature-based AV solutions are simply obsolete against this class of threat. The increased use of obfuscation by the bad guys drives home the point that we cannot win the obfuscation arms race: every new signature is answered with a new encoding. The key defense is patching the underlying vulnerability in the PDF reader, since an exploit for a patched bug has nothing to hit no matter how it is obfuscated. The most effective additional layer is an application control/whitelisting solution that prevents any unapproved executable from running on the user's PC, so that even a successful exploit cannot drop and run its payload.