03/18/2010

PDF is becoming a malware standard in itself

If you neglect security and think only about functionality, you end up as a malware vehicle with plenty of functionality but no security, and you lose all the trust you have built your business on. Until recently PDF was the main standard in business and government, and everything would use PDF (from online forms to archiving to digital signing). It would all become PDF for Microsoft haters. Everything except Microsoft, and as OpenOffice is still struggling to become something that works well enough and is interoperable enough, PDF would become the leader of the 'everything but Microsoft' solutions.

In the beginning it was also normal to choose PDF because, unlike Office documents, you couldn't add scripts and instructions to those documents. They were just dumb documents that you used to print and that you were sure could be read by anyone, everywhere.

But on the road to total stardom Adobe has forgotten that as you add functionality you should also raise the security level if you don't want to sink away in viruses, attacks and worms. Worse, most of the code became open source or public, and so the malware coders (who are not always stupid, and sometimes have very intelligent people working for or with them) had access to everything they needed to know to make their malware so hard to find that there is no protection left.

First, they moved the insertion of their malware code from external JavaScript, which you could block, to internal Adobe PDF instructions that are hidden and difficult to detect without too many false positives.

Now they have gone a step further and encrypted that code, so that even if it is detected it can't be analysed by an antivirus tool.

"Senior threat response engineer Vincent Cabuag adds that this relatively new encryption technique renders standard analysis tools useless in detecting the malicious script inside the .PDF file. The malicious script is obfuscated in a way that it requires the usage of certain APIs to be decrypted. Thus, it would require manual analysis to be able to emulate the embedded script."


It is strange that, some years ago, Microsoft was under so much pressure from its clients and investors that it had to work harder on Vista and on security in general, investing millions in a more secure development process and much more in awareness and response, while nobody is calling PDF to order.

There is one solution for Adobe, though. Give us a dumb reader with no other functionality than reading, searching and printing a PDF document. All the rest is not that important. Meanwhile you can work on re-securing and closing down your standard, if you find it important to still have a business in a few years.

Should you block PDF? No, this is impossible. But you will have to look at sandbox technologies or functionality. It is important that antivirus products include such a technology.

Sandbox functionality means that everything you download, or that gets downloaded, from the internet goes into one closed folder. Nothing can leave the folder until you 'release' it by hand, and even then the antivirus can re-analyse it, because it is sometimes simpler and better to analyse a downloaded file than a file that is still downloading. You would be astonished by the stuff that arrives on your machine while downloading or surfing the internet. You should even be able to protect the folder with a password, so that even if you are not the account owner, the surfer (your kids) can only install things on the machine or go through their downloaded stuff if they know the password.
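As an added illustration (not code from the original post or from any antivirus product), the quarantine release step described above, combined with the detection problem raised earlier: a fresh scan of the held file looks for the PDF dictionary keys that carry active content (JavaScript, auto-run actions, program launches), decodes the #xx hex escapes that PDF allows in names so that a disguised key such as /Java#53cript is still caught, and treats an encrypted file as unreleasable because its contents cannot be inspected. The passphrase check, the sample documents and all function names are constructed for this example.

```python
import hashlib
import hmac
import re

# Real PDF dictionary keys that mark active content: script objects,
# actions that run on open or on events, and launching external programs.
RISKY_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch"}

def decode_pdf_names(data: bytes) -> list:
    """Return every name object in the file with #xx hex escapes decoded,
    so a name written as /Java#53cript is compared as /JavaScript."""
    names = []
    for match in re.finditer(rb"/([A-Za-z0-9#_.\-]+)", data):
        decoded = re.sub(rb"#([0-9A-Fa-f]{2})",
                         lambda h: bytes([int(h.group(1), 16)]), match.group(1))
        names.append("/" + decoded.decode("latin-1"))
    return names

def triage_pdf(data: bytes) -> dict:
    """Flag active content and encryption; either one blocks release."""
    names = set(decode_pdf_names(data))
    active = sorted(names & RISKY_NAMES)
    encrypted = "/Encrypt" in names
    return {"active_content": active, "encrypted": encrypted,
            "release_ok": not active and not encrypted}

def passphrase_digest(passphrase: str) -> str:
    """Store only a digest of the release passphrase, never the passphrase itself."""
    return hashlib.sha256(passphrase.encode()).hexdigest()

def release_from_quarantine(data: bytes, passphrase: str, stored_digest: str) -> bool:
    """Release a held download only if the passphrase matches (constant-time
    compare) and a fresh scan of the complete file finds nothing risky."""
    if not hmac.compare_digest(passphrase_digest(passphrase), stored_digest):
        return False
    return triage_pdf(data)["release_ok"]

# Constructed sample files (not real malware): a plain document, one with an
# auto-run action whose script name is hex-escaped, and one that is encrypted.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"
SUSPECT_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
               b"3 0 obj << /S /Java#53cript /JS 4 0 R >> endobj\n%%EOF")
ENCRYPTED_PDF = b"%PDF-1.4\ntrailer << /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF"

if __name__ == "__main__":
    for label, pdf in [("clean", CLEAN_PDF), ("suspect", SUSPECT_PDF), ("encrypted", ENCRYPTED_PDF)]:
        print(label, triage_pdf(pdf))
```

A byte scan like this only finds keys written in the clear; objects hidden inside compressed or encrypted streams need a real PDF parser, which is exactly the gap the quoted engineer describes.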
