"X is not enough! Grab the PDF by the tail!", presented at Virus Bulletin 2011

by Jindrich Kubec (Avast Software)

URL: http://www.virusbtn.com/conference/vb2011/abstracts/KubecSejtko.xml

Summary: "Everyone in the computer security world knows about the dangers that come with the vulnerabilities discovered in the file format that is widely used by the masses - PDF. In the last couple of years, we have seen many security holes found in the PDF format. And if we add an extremely liberal parser, a wealth of allowed encodings, and the power of the scripting engine, we get an ideal channel for malware delivery.

Adobe, as a major provider of PDF viewers (about 83% of all users), has introduced Reader X in recent months. Also, the vendor's update policies for older versions have been improved significantly. However, this is not enough. We have found that about 55% of all users still run the vulnerable version, which can easily be targeted by the bad guys. We have to grab the PDF by the tail!

We will not talk about the PDF itself, about its history or about a specific vulnerability - all of which has already been covered by many others. Instead, we will focus on the ways we deal with the detection of evil PDFs. We will describe our heuristic detection approach - classifications based on combining format-specific information with the information gathered from scripts. We will show powerful detections based on script weirdness - where almost everything abnormal might be penalized.

We will also focus on the QA processes that the bad guys use to defeat our detections. Real-life cases will be discussed."
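As an added illustration (not code from the talk or from Avast), the sketch below scores a PDF the way the abstract describes: format-specific indicators (active-content names, resolving the #xx name escapes a liberal parser accepts) are combined with "weirdness" indicators found in decoded script streams, and a verdict is only strong when both sides contribute. The sample PDF bytes, the indicator lists and the weights are constructed for this example.

```python
import re
import zlib

# Constructed sample (not a real-world file): a catalog whose /OpenAction runs a
# script held in a Flate-compressed stream. The /JS key is written as /#4A#53,
# which a liberal PDF parser accepts but a naive keyword grep misses.
_JS = b"var s=unescape('%u9090%u9090%u9090%u9090');eval(String.fromCharCode(97,108,101,114,116));"
_BODY = zlib.compress(_JS)
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /#4A#53 3 0 R >> endobj\n"
    b"3 0 obj << /Length " + str(len(_BODY)).encode() + b" /Filter /FlateDecode >> stream\n"
    + _BODY + b"\nendstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)

FORMAT_WEIGHTS = {b"/JavaScript": 3, b"/JS": 3, b"/OpenAction": 2, b"/AA": 2,
                  b"/Launch": 4, b"/EmbeddedFile": 1}          # constructed weights
SCRIPT_PATTERNS = {  # script "weirdness" indicators, each with a penalty weight
    "eval": (rb"\beval\s*\(", 2), "unescape": (rb"\bunescape\s*\(", 2),
    "fromCharCode": (rb"String\.fromCharCode", 1),
    "escape_run": (rb"(?:%u[0-9A-Fa-f]{4}){4,}", 5),   # long runs of %uXXXX escapes
    "long_hex": (rb"[0-9A-Fa-f]{64,}", 3),
}
STREAM_RE = re.compile(rb"<<((?:(?!<<).)*?)>>\s*stream\r?\n(.*?)\nendstream", re.S)

def normalise_names(data: bytes) -> bytes:
    """Resolve #xx escapes in names so /#4A#53 is counted as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def format_features(data: bytes) -> dict:
    data = normalise_names(data)
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", data)) for k in FORMAT_WEIGHTS}

def extract_scripts(data: bytes) -> list:
    """Decoded stream bodies; only the dictionary is name-normalised, never the binary body."""
    out = []
    for d, body in STREAM_RE.findall(data):
        if b"/FlateDecode" in normalise_names(d):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue
        out.append(body)
    return out

def score_pdf(data: bytes) -> dict:
    fmt = format_features(data)
    fmt_score = sum(FORMAT_WEIGHTS[k.encode()] * n for k, n in fmt.items())
    weird = {name: 0 for name in SCRIPT_PATTERNS}
    for s in extract_scripts(data):
        for name, (pat, _) in SCRIPT_PATTERNS.items():
            weird[name] += len(re.findall(pat, s))
    script_score = sum(SCRIPT_PATTERNS[k][1] * n for k, n in weird.items())
    total = fmt_score + script_score
    # Combine the two views: active content plus a weird script is the strong signal;
    # either side alone only counts when it is extreme (benign forms often carry /JS).
    verdict = "malicious" if (fmt_score >= 3 and script_score >= 3) or total >= 12 else "clean"
    return {"format": fmt, "script": weird, "score": total, "verdict": verdict}
```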