Obfuscation and (non-)detection of malicious PDF files. Jose Miguel Esparza

Similar documents
Digital Forensics Lecture 02B Analyzing PDFs. Akbar S. Namin Texas Tech University Spring 2017

Lab 1: UPX Program Packer. From what we see here Netcat s MD5 is (AB41B1E2DB77CEBD9E EE3915D)

Digital Forensics Lecture 02 PDF Structure

Malicious Document Analysis Beginners Guide.

PDF. Applying File Structure Inspection to Detecting Malicious PDF Files. Received: November 18, 2013, Accepted: July 11, 2014

Language English. Server load. Suspicious file(s) to scan:

Detection of Suspicious PDF Document- Embedded Code

BULK ANALYSIS OF MALICIOUS PDF DOCUMENTS. by Shauna M. Policicchio B.S., Saint Vincent College, 2013

AhnLab-V AntiVir Antiy-AVL Avast

Portable Document Format (PDF): Security Analysis and Malware Threats

Threat Modelling Adobe PDF

A Short Introduction to PDF

APatternRecognitionSystem for Malicious PDF Files Detection

Analysis # Sample: Important_WellsFargo_Doc.exe (70e604777a66980bcc751dcb00eafee5) Analysis # /10/ :12 pm

Portable Document Malware, the Office, and You

Antivirus. Sandbox evasion. 1

Getting Owned By Malicious PDF - Analysis

Analysis # Sample: Scan_ _29911.exe (8fcba93b00dba3d182b1228b529d3c9e) Analysis # /12/ :41 pm

Analysis # Sample: ss32.exe ( a6e6d b453e73d) Analysis # /08/ :33 pm

Anti-Virus Comparative No.1

Anti-Virus Comparative No.7

Vulnerability Report

Analysis # Sample: google_born_help.exe (584fe856bb348e0089f7b59ec31881a5) Analysis # /05/ :34 pm

DETECTING PDF JAVASCRIPT MALWARE USING CLONE DETECTION

PDF in Smalltalk. Chris1an Haider

Honeypots observations and their usefulness

Anti-Virus Testing and AMTSO

k-depth Mimicry Attack to Secretly Embed Shellcode into PDF Files

ID: Sample Name: A Lire..pdf Cookbook: defaultwindowspdfcookbook.jbs Time: 16:55:31 Date: 07/03/2018 Version:

A glance into the Eye Pyramid

QPDF Manual. For QPDF Version 7.1.0, January 14, Jay Berkenbilt

Abusing File Processing in Malware Detectors for Fun and Profit

Static Detection of Malicious JavaScript-Bearing PDF Documents

ESAP Release Notes

ESAP. Release Notes Build. Oct Published. Document Version

Jsunpack-n: Network Edition. Blake Hartstein Rapid Response Engineer VeriSign idefense

Vulnerability Landscape

ExeFilter. An open-source framework for active content filtering. CanSecWest /03/2008

INCIDENT RESPONSE. Antiviral shortcomings with respect to real malware. Malware Detection. Gary Golomb

Anti-Virus Comparative Summary Report 2008

RTTL Certification Test - March Language: English. March Last Revision: 8 th April

Anti-Virus Comparative

ESAP. Release Notes. Release, Build Published Document Version February

City, University of London Institutional Repository

Anti-Virus Comparative No.8

Browser Exploits? Grab em by the Collar! Presented By: Debasish Mandal

Insecurity in Security Software

Anti-Virus Comparative No.4

Accessing your Check Point VPN

TERM OF REFERENCE PROVISION FOR DEVELOPMENT OF MyEMAS SYSTEM, CYBERSECURITY MALAYSIA

Anti-Virus Comparative. Factsheet Business Test (August-September 2018) Last revision: 11 th October

UC Davis UC Davis Previously Published Works

PassMark S O F T W A R E

A Study of the Relationship Between Antivirus Regressions and Label Changes

WebShell AV signature bypass and identification C99 Webshell case study. Gil Cohen, CTO

QPDF Manual. For QPDF Version 2.2.0, August 14, Jay Berkenbilt

How to use a computer safely Tips and Tricks. Dr. Pierre Darmon

Malware Initial Findings Report (MIFR)

The Ultimate Windows 10 Hardening Guide: What to Do to Make Hackers Pick Someone Else

Presentation by Brett Meyer

THE WOMBAT API handling incidents by querying a world-wide network of advanced honeypots

1. I am a Computer Forensics Researcher with Kyrus Technology. I make this

Anti-Virus Comparative

AXIGEN Features and Supported Platforms

Malicious origami in PDF

The ABC of PDF with itext

CONSUMER AV / EPP COMPARATIVE ANALYSIS

SSQA Seminar Series. Server Side Testing Frameworks. Sachin Bansal Sr. Quality Engineering Manager Adobe Systems Inc. February 13 th, 2007

PDF PDF PDF PDF PDF internals PDF PDF

SECURE2013 ANDROTOTAL A SCALABLE FRAMEWORK FOR ANDROID ANTIMALWARE TESTING

Free antivirus software download

ESAP Release Notes

SQL Parsers with Message Analyzer. Eric Bortei-Doku

Symantec Endpoint Protection 12

ELIMINATING ZERO-DAY MALWARE ATTACKS IN DOCUMENTS DO NOT ASSUME OPENING A NORMAL BUSINESS DOCUMENT IS RISK FREE

ESAP. Release Notes. Release, Build Published Document Version December

CSCD 303 Essential Computer Security Fall 2018

PDF Essentials. The Structure of PDF Documents

McAfee Web Gateway

Network Performance Test. Business Security Software. Language: English August Last Revision: 11 th October

Management Tools. Management Tools. About the Management GUI. About the CLI. This chapter contains the following sections:

Jsunpack: An Automatic JavaScript Unpacker

Cisco Advanced Malware Protection (AMP) for Endpoints

ESAP Release Notes. ESAP and Junos Pulse Secure Access/Access Control Service Compatibility Chart:

ID: Sample Name: IF-BOQ for Grupo Salinas Demo Test_#Uff ) ( )quotation.pdf Cookbook: defaultwindowspdfcookbook.


ESAP. Release Notes. Release, Build Published Document Version November

ESAP Release Notes. ESAP and Junos Pulse Secure Access/Access Control Service Compatibility Chart:

CSCD 303 Essential Computer Security Fall 2017

Destructive Malware 12 February 2015

Abusing JSONP with. Michele - CVE , CVE Pwnie Awards 2014 Nominated

Self-Learning Systems for Network Intrusion Detection

The Future of PDF/A and Validation

How To Remove Xp Internet Security 2011 Virus Manually

How To Manually Uninstall Symantec Antivirus Corporate Edition 10.x Client

ID: Sample Name: Curriculum Empresarial.pdf Cookbook: defaultwindowspdfcookbook.jbs Time: 17:52:22 Date: 09/11/2017 Version: 20.0.

How To Remove Internet Security Pro Virus. Manually >>>CLICK HERE<<<

Test Strategies & Common Mistakes International Antivirus Testing Workshop 2007

TH IRD EDITION. Python Cookbook. David Beazley and Brian K. Jones. O'REILLY. Beijing Cambridge Farnham Köln Sebastopol Tokyo

Obfuscating Transformations. What is Obfuscator? Obfuscation Library. Obfuscation vs. Deobfuscation. Summary

Transcription:

Obfuscation and (non-)detection of malicious PDF files Jose Miguel Esparza

Agenda Introduction to the PDF format Obfuscation and evasion techniques Obfuscation vs. Antivirus Obfuscation vs. Analysis tools peepdf Conclusions

Header Body Cross reference table Trailer

Introduction to the PDF format Sequence of objects Object types Boolean: true false Numbers: 123-98 4. -.002 123.6 Strings: (hola) <686f6c61> Names: /Type /Filters Dictionaries: <</Type /Catalog /Root 1 0 R>> Arrays: [1.0 (test) <</Length 273>>] Streams

Introduction to the PDF format

Introduction to the PDF format Object types Indirect objects Reference: object_id generation_number R

Introduction to the PDF format Object types Indirect objects Reference: object_id generation_number R

Introduction to the PDF format Updatable documents Older versions stay in the document Header Body Cross reference table Original Trailer Body Cross reference table Update Trailer

Introduction to the PDF format Logical structure Tree structure Root node: /Catalog If an element isn t in the downward path from the /Catalog DOES NOT EXIST

Introduction to the PDF format

Introduction to the PDF format Actions /Launch /Javascript /GoToE (go to embedded) /URI /SubmitForm Triggers /OpenAction: global /AA: pages, annotations

Introduction to the PDF format

Introduction to the PDF format Actions /Launch /Javascript /GoToE (go to embedded) /URI /SubmitForm Triggers /OpenAction: global /AA: pages, annotations

Introduction to the PDF format

Introduction to the PDF format

Introduction to the PDF format

Practical example pdf.pdf (2009)

Automatic execution Avoid /OpenAction Use of /Catalog elements /Names /AcroForm /AA: applied to pages, annotations

Strings to avoid/hide /JavaScript /JS More than two unescape in Javascript code Characteristic metadata /pdftk_pagenum

Strings to avoid/hide /JavaScript /JS More than two unescape in Javascript code Characteristic metadata /pdftk_pagenum

Suspicious objects? Strings (21/43) vs. Streams (27/43) Filters Avoid known filters: /FlateDecode /ASCIIHexDecode Parameters (included default ones) Multiple filters [ /FlateDecode /LZWDecode /RunLengthDecode ]

Suspicious objects? Strings (21/43) vs. Streams (27/43) Filters Avoid known filters: /FlateDecode /ASCIIHexDecode Parameters (included default ones) Multiple filters [ /FlateDecode /LZWDecode /RunLengthDecode ]

Strings/names encoding Names Hexadecimal codification Strings /Fl#61#74#65De#63#6f#64e (/FlateDecode) Hexadecimal <7368656c6c636f6465> Octal values \163\150\145\154\154

Strings/names encoding Names Hexadecimal codification Strings /Fl#61#74#65De#63#6f#64e (/FlateDecode) Hexadecimal <7368656c6c636f6465> Octal values NO! \163\150\145\154\154

Splitting up Javascript code Several objects in /Names /Names [(part1) 3 0 R (part2) 7 0 R (part3) 10 0 R] Functions to obtain parts of the document getannots() getpagenumwords()/getpagenthword() this.info.*

Duplicated objects Updated objects Malformed documents Garbage bytes in the header Bad version number (%PDF-1.\0) No xref table No ending tags: endobj or endstream

Duplicated objects Updated objects Malformed documents Garbage bytes in the header Bad version number (%PDF-1.\0) No xref table No ending tags: endobj or endstream

Duplicated objects Updated objects Malformed documents Garbage bytes in the header Bad version number (%PDF-1.\0) No xref table No ending tags: endobj or endstream

Compressed objects (object streams) Incompatible with malformed documents Encryption /Encrypt (streams and strings) RC4 o AES (40-128bits) Default password padding = \x28\xbf\x4e\x5e\x4e\x75\x8a\x41\x64\x00\x4e\x56\xff\xfa +\ \x01\x08\x2e\x2e\x00\xb6\xd0\x68\x3e\x80\x2f\x0c\xa9\xfe\x64\x53\x69\x7a password = password + padding[:32-(len(password))] password = password = padding Nested PDFs /EmbeddedFiles

Compressed objects (object streams) Incompatible with malformed documents Encryption /Encrypt (streams and strings) RC4 o AES (40-128bits) Default password padding = \x28\xbf\x4e\x5e\x4e\x75\x8a\x41\x64\x00\x4e\x56\xff\xfa +\ \x01\x08\x2e\x2e\x00\xb6\xd0\x68\x3e\x80\x2f\x0c\xa9\xfe\x64\x53\x69\x7a password = password + padding[:32-(len(password))] password = password = padding Nested PDFs /EmbeddedFiles

Compressed objects (object streams) Incompatible with malformed documents Encryption /Encrypt (streams and strings) RC4 o AES (40-128bits) Default password padding = \x28\xbf\x4e\x5e\x4e\x75\x8a\x41\x64\x00\x4e\x56\xff\xfa +\ \x01\x08\x2e\x2e\x00\xb6\xd0\x68\x3e\x80\x2f\x0c\xa9\xfe\x64\x53\x69\x7a password = password + padding[:32-(len(password))] password = password = padding Nested PDFs /EmbeddedFiles

Mixing techniques Summary: Remove characteristic strings Split up Javascript code (/Names) If the code is in: String octal encoding (\143\172) Stream filters (not usuals, parameters) Compress (object streams) Encrypt (default password) Malform (endobj, header) Nest PDFs

Obfuscation vs. Antivirus Better results JS in string + octal + no characteristic strings object stream malformed + nested + filters with parameters (0/43) http://www.virustotal.com/file-scan/report.html?id=fbfd6df6a14f3cab3742d84af2b7d3d881ad11ef7d1344ba166092c890f47f77-1298457739 filters with parameters + malformed (0/43) http://www.virustotal.com/file-scan/report.html?id=5a963ca0d20e12851fae7b98bc0e9bcf28cc0e43a12ef33450cf3877b170fa67-1298154940 malformed: endobj, bad header (2/43) http://www.virustotal.com/file-scan/report.html?id=9759c500df94e2ccc243f00479967ddb77484203403b79e1523ea1148077b565-1298157405 encrypted (5/43) http://www.virustotal.com/file-scan/report.html?id=9e2195450ee4f2c15f27b3730fb09bf004cc4bd6ef848f039291d9eea0f6b69d-1298054113 Exploit working

Obfuscation vs. Antivirus Updates JS in string + octal + no characteristic strings object stream malformed + nested + filters with parameters (1/43) http://www.virustotal.com/file-scan/report.html?id=fbfd6df6a14f3cab3742d84af2b7d3d881ad11ef7d1344ba166092c890f47f77-1303817670 filters with parameters + malformed (3/43) http://www.virustotal.com/file-scan/report.html?id=5a963ca0d20e12851fae7b98bc0e9bcf28cc0e43a12ef33450cf3877b170fa67-1298154940 malformed: endobj, bad header (6/43) http://www.virustotal.com/file-scan/report.html?id=c3c50596b8deccb128f943d050a16b7652db54fe476e68db7b8c01b02ab77176-1303829263 encrypted + nested + malformed (1/43) http://www.virustotal.com/file-scan/report.html?id=95c60679269acb4c7d7bcd3a8f0b88b1bb4fdab402a16b779a8f0d3867be7fd4-1303833454 Exploit working

Obfuscation vs. Antivirus Antivirus AntiVir Avast AVG BitDefender ClamAV Commtouch DrWeb F-Secure Fortinet GData Kaspersky McAfee Weak points JS in string, without JS strings Embedded, no endobj, Flate params Embedded, Flate params, characteristic strings, without JS strings Characteristic strings, octal strings Flate params, octal strings, bytes header Flate params, octal strings, encrypted Characteristic strings, octal strings Splitted up JS code, octal strings, bytes header, object streams Flate params, splitted up JS code, bytes header, metadata No endobj, Flate params Flate params, characteristic strings, splitted up JS code, object streams Execution with /Names, embedded, characteristic strings, hexadecimal names, octal strings, without JS strings

Obfuscation vs. Antivirus Antivirus McAfee-GW Microsoft NOD32 Panda Prevx Sophos Symantec TrendMicro VBA32 VirusBuster Weak points Flate params, characteristic strings, octal strings Splitted up JS code, octal strings, bytes header, object streams Embedded, characteristic strings, bad header (%PDF-1.\0) JS in string, without JS strings No detection Without JS strings, object stream + malformed endobj, encrypted Original detection as Downloader, JS in string, without JS strings No detection Characteristic strings No detection

Obfuscation vs. Analysis tools Tools Wepawet PDFDissector PDFStreamDumper pdf-parser (Didier) OPAF Origami PDFExaminer malpdfobj Comments No encryption support, identifies exploits in embeded PDF files Comercial, not tested Tools to help shellcode/js analysis, errors with encryption, does not analyse object streams Search in streams not supported, 3 filters, object streams and encryption not supported Parsing framework, XML output, encryption not supported Good framework (filters, object streams, encryption), it s necessary to code your own tool (Ruby) Encryption and embeded PDF files support, does not support malformed objects, octal decoding Based on PDFTools (Didier Stevens)

Obfuscation vs. Analysis tools

Obfuscation vs. Analysis tools Tools Wepawet PDFDissector PDFStreamDumper pdf-parser (Didier) OPAF Origami PDFExaminer malpdfobj Comments No encryption support, identifies exploits in embeded PDF files Comercial, not tested Tools to help shellcode/js analysis, errors with encryption, does not analyse object streams Search in streams not supported, 3 filters, object streams and encryption not supported Parsing framework, XML output, encryption not supported Good framework (filters, object streams, encryption), it s necessary to code your own tool (Ruby) Encryption and embeded PDF files support, does not support malformed objects, octal decoding Based on PDFTools (Didier Stevens)

peepdf Characteristics Python Command line Interactive console Command file option http://peepdf.eternal-todo.com

peepdf http://peepdf.eternal-todo.com

peepdf Analysis Encrypted files Compressed objects Malformed documents support Decoding: hexadecimal, octal, names Most used filters (5) References in objects and to objects Strings search (including streams)

peepdf Analysis Physical structure (offsets) Tree structure (logical) Metadata Changes between versions (changelog) Extraction of different versions Javascript analysis and modification (Spidermonkey) unescape, replace, join Shellcode analysis (sctest, Libemu) Variables to improve analysis (set command)

peepdf Creation/Modification Basic PDF creation Creation of PDF with Javascript execution Object compression (object streams) Encrypted files Nested PDFs creation Malformed PDFs Strings and names codification Filters modification Object modification

Demo time!

peepdf TODO Automatic analysis of embedded PDFs Missing filters Improve automatic Javascript analysis Add support for PDF JS functions (getannots ) GUI ActionScript?

Conclusions Very low detection when: Nested PDFs Compressed objects New filters or filters with parameters Encryption Avoid detection by strings Improve parsers

Thanks People working with PDF stuff: Julia Wolf Didier Stevens Felipe Manzano (feliam) Origami team Brandon Dixon AV companies

???

Thanks!! Jose Miguel Esparza jesparza eternal-todo.com jesparza s21sec.com http://eternal-todo.com @eternaltodo

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback