A lesson in heuristic PDF detection

Many of you are all too aware of the number of patches repairing flaws in Adobe’s Reader and Acrobat software in the last couple of years. Their PDF reader is deployed on nearly all computers, which is too juicy of a target to ignore by criminals wanting new methods of infecting businesses and consumers alike.

As the quantity of malicious samples increase, it is clear that heuristic detection techniques need to be researched in order to provide better protection against this popular attack vector.

Paul Baccas from SophosLabs UK presented his paper “Finding Rules for Heuristic Detection of Malicious PDFs: With Analysis of Embedded Exploit Code” Wednesday at the 2010 Virus Bulletin conference in Vancouver, Canada.

Sophos PDF Detection chart

Paul shared his analysis of clean and malicious PDF samples and showed the characteristics of PDFs that indicate how dangerous a given sample may be.

PDF is an open standard, and as a result many applications can create and render them. One disadvantage this presents is that readers must be far more forgiving then they really ought to be. They ignore syntax errors, correct broken tags and many other issues which can be used to the advantage of the people exploiting the format.

Near the end of his session Paul asked the audience whether it was time to put PDF to bed and replace it with a SDF or Secure Document Format. 75% of the audience agreed it was time to start over, whereas 3% thought things were just fine. Adobe, is it time to introduce PDF 2.0? Paul also asked Adobe to remove JavaScript support from the PDF format based on the result of his research.

The PDF format is badly in need of an overhaul. Adobe has announced they will be adding a sandbox capability to Adobe Reader to help address the security concerns administrators have with their application. Based upon Paul’s research sandboxing will not go far enough to secure Reader.

PDFs do wonders for productivity and consistency, but it is time to implement the lessons we have learned. /JavaScript, /OpenAction, and /Launch all need to be retired if we truly want SDFs to be a reality. With the market share Adobe enjoys it would be a welcome site to see them lead the way for others to make computing on the internet a safer place.

Paul’s paper is now available, as well as his presentation. Both papers are in PDF/A format for your convenience.