Many of you are all too aware of the number of patches repairing flaws in Adobe's Reader and Acrobat software in the last couple of years. Their PDF reader is deployed on nearly all computers, which is too juicy of a target to ignore by criminals wanting new methods of infecting businesses and consumers alike.
As the quantity of malicious samples increase, it is clear that heuristic detection techniques need to be researched in order to provide better protection against this popular attack vector.
Paul Baccas from SophosLabs UK presented his paper "Finding Rules for Heuristic Detection of Malicious PDFs: With Analysis of Embedded Exploit Code" Wednesday at the 2010 Virus Bulletin conference in Vancouver, Canada.
Paul shared his analysis of clean and malicious PDF samples and showed the characteristics of PDFs that indicate how dangerous a given sample may be.
PDF is an open standard, and as a result many applications can create and render them. One disadvantage this presents is that readers must be far more forgiving then they really ought to be. They ignore syntax errors, correct broken tags and many other issues which can be used to the advantage of the people exploiting the format.
The PDF format is badly in need of an overhaul. Adobe has announced they will be adding a sandbox capability to Adobe Reader to help address the security concerns administrators have with their application. Based upon Paul's research sandboxing will not go far enough to secure Reader.