Malicious PDF Files
Presenter: Ahmed Hesham Abd El-Hameed Kamal
Student Code: 1083128
Course: [CMP N426] Computer Systems Security
Semester: Spring 2013
Cairo University, Faculty of Engineering, Credit Hours System
05/02/2023 [CMP N426] Computer Systems Security
Agenda
- Introduction
- Client-Side Attacks
- Malicious Content Files
- Detection, Analysis and Cleanup
- Recorded Incidents
Introduction
- Who has access to the network?
- Who has access to the systems?
- Who has access to the data?
- Who has access to the Internet from inside the network?
- Who has access to the assets?
- Who has access, at any time, to all of the above?
Introduction (Cont.)
The user: the one answer to every question above.
Client-Side Attacks
“An attack that targets the user’s computer environment.” – Jamie Riden, Honeynet Project.
- Very dangerous
- High success ratio
- Hard to detect
- The most common type of attack found today
Client-Side Attacks (Cont.)
Most common file types in a targeted attack (F-Secure, 2009):
- Adobe Acrobat Reader: 49%
- Microsoft Word: 39%
- Microsoft Excel: 7%
- Microsoft PowerPoint: 5%
Client-Side Attacks (Cont.)
- The attacker poses to the user as a service provider (email, website, files, etc.)
- The client is tricked or forced into communicating with the malicious service provider
- The service provider then exploits a vulnerability in the client’s environment
- Social engineering is often used as part of this attack
Malicious Content Files
- A piece of malicious code is embedded into the contents of the file
- Example: PDF files
Malicious Content Files (Cont.)
- The PDF format is based on the PostScript programming language
- Industry standard for exchanging documents
- A typical PDF consists of:
  - Header
  - List of objects
  - Cross-reference table
  - Trailer
Malicious Content Files (Cont.)
- PDF files use a hierarchical structure
- Objects in the document are arranged in the form of a tree
- The rendering engine traverses the tree of objects
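The file layout described on these two slides, worked through as an added Python example that is not part of the original deck: build_pdf writes the header, the objects, a cross-reference table holding each object's byte offset, and the trailer; read_xref then walks back from startxref to the table the way a viewer does, and offsets_consistent checks that the table and the objects agree. The object bodies are constructed sample data and the function names are assumptions.

```python
import re

def build_pdf(objects):
    """Serialise header, objects, xref table (one byte offset per object) and
    trailer. objects[i] is the body of object i+1; object 1 is the catalog."""
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n" % (len(objects) + 1)
    out += b"0000000000 65535 f \n"          # entry 0: head of the free list
    for off in offsets:
        out += b"%010d 00000 n \n" % off     # every entry is exactly 20 bytes
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\n" % (len(objects) + 1)
    out += b"startxref\n%d\n%%%%EOF\n" % xref_pos
    return bytes(out)

def read_xref(pdf):
    """Follow the trailer's startxref to the table and return
    {object number: byte offset} for the in-use ('n') entries."""
    m = re.search(rb"startxref\s+(\d+)", pdf[pdf.rfind(b"startxref"):])
    if not m:
        raise ValueError("no startxref in trailer")
    pos = int(m.group(1))
    hdr = re.match(rb"xref\s+(\d+)\s+(\d+)\s", pdf[pos:])
    if not hdr:
        raise ValueError("startxref does not point at an xref table")
    first, count = int(hdr.group(1)), int(hdr.group(2))
    entries = pdf[pos + hdr.end():]
    table = {}
    for i in range(count):
        entry = entries[i * 20:(i + 1) * 20]
        if entry[17:18] == b"n":
            table[first + i] = int(entry[:10])
    return table

def offsets_consistent(pdf):
    """True when every xref entry really points at 'N 0 obj'. A mismatch means
    the table is damaged or has been tampered with to mislead tools."""
    return all(pdf[off:].startswith(b"%d 0 obj" % num)
               for num, off in read_xref(pdf).items())

# Constructed sample: a one-page document with no content stream.
SAMPLE_OBJECTS = [b"<< /Type /Catalog /Pages 2 0 R >>",
                  b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
                  b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>"]
SAMPLE_PDF = build_pdf(SAMPLE_OBJECTS)
```

A table whose offsets do not line up with the objects is a useful first warning sign during analysis, since the viewer and the analysis tool may then disagree about which object is which.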
Detection, Analysis and Cleanup
A great set of tools for the detection and analysis of PDF files was created by the security researcher Didier Stevens. It includes:
- pdfid.py
- pdf-parser.py
- make-pdf tools: make-pdf-javascript.py, make-pdf-embedded.py
- PDFtemplate.bt
Detection, Analysis and Cleanup (Cont.)
pdfid.py
- Searches for certain PDF keywords
- Identifies PDF documents that contain JavaScript or execute actions when opened
- Can handle name obfuscation
- The first tool to use in the analysis of a suspected file
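An added Python example, not pdfid.py itself and not code from the slides, that reproduces the behaviour this slide describes: it undoes '#xx' name obfuscation before counting a subset of the keywords pdfid.py reports, and returns a triage verdict. The keyword list, the function names and the sample documents are assumptions and constructed data.

```python
import re
from collections import Counter

# A subset of the keywords pdfid.py reports. The first five mark content that
# runs or acts when the document is opened, which is why they drive triage.
KEYWORDS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
            b"/EmbeddedFile", b"/RichMedia", b"/ObjStm")

def normalize_names(data):
    """Undo name obfuscation: inside a PDF name, '#xx' is a hex escape, so the
    reader treats '/J#61vaScript' and '/JavaScript' as the same name."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def count_keywords(data):
    """Count each keyword over the whole file, obfuscated spellings included.
    A match must end at a non-name character so /JS is not found in /JScript."""
    flat = normalize_names(data)
    return Counter({kw: len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9_])", flat))
                    for kw in KEYWORDS})

def triage(data):
    """pdfid-style verdict. Keywords inside compressed streams are invisible
    here, so object streams without visible actions stay inconclusive."""
    c = count_keywords(data)
    active = [kw.decode() for kw in KEYWORDS[:5] if c[kw]]
    if active:
        return "suspicious: " + ", ".join(active)
    if c[b"/ObjStm"]:
        return "inconclusive: object streams present, inspect with pdf-parser.py"
    return "no active content keywords"

# Constructed sample: an /OpenAction pointing at a JavaScript action whose
# /S name is hex-escaped, so a literal search for /JavaScript would miss it.
SAMPLE = (b"%PDF-1.4\n"
          b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
          b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
          b"3 0 obj\n<< /Type /Action /S /J#61vaScript /JS (sample text) >>\nendobj\n")
CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
```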
Detection, Analysis and Cleanup (Cont.)
pdf-parser.py
- stats: displays statistics of the objects found in the PDF document
- search: not case-sensitive, and susceptible to the obfuscation techniques
- filter: applies the filter(s) to the stream
- raw: makes pdf-parser output raw data
- objects: outputs the data of the indirect object whose ID was specified
- reference: selects all objects referencing the specified indirect object
Detection, Analysis and Cleanup (Cont.)
Attackers are not stupid (most of them are, but you get the point).
Obfuscation:
- Hexadecimal
- Octal
- String splitting
- White space
- String randomization
Encoding: Base64, FlateDecode, ASCIIHexDecode, unescape, etc.
Encryption
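An added Python example, not code from the slides or from Didier Stevens' tools, that reproduces the pdf-parser.py features listed two slides up (object listing, objects, filter, reference) on a document whose script text is hidden behind the ASCIIHexDecode and FlateDecode encodings named on this slide; the object layout, the decoded text and the function names are constructed data and assumptions.

```python
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)

def objects(pdf):
    """Yield (object number, body) for every indirect object, as pdf-parser lists them."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), m.group(3)

def get_object(pdf, num):
    """Body of the indirect object with the given ID (pdf-parser --object)."""
    return next((body for n, body in objects(pdf) if n == num), None)

def decode_stream(body):
    """Apply the /Filter chain in order (pdf-parser --filter). Only the two
    filters named on the slide are handled; an unknown one raises."""
    m = re.search(rb"stream\r?\n(.*?)\r?\nendstream", body, re.S)
    if not m:
        return None
    data = m.group(1)
    filt = re.search(rb"/Filter\s*(\[[^\]]*\]|/\w+)", body)
    for name in (re.findall(rb"/(\w+)", filt.group(1)) if filt else []):
        if name == b"ASCIIHexDecode":            # '>' marks end of data
            digits = re.sub(rb"[^0-9A-Fa-f]", b"", data.split(b">")[0])
            data = bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode())
        elif name == b"FlateDecode":
            data = zlib.decompress(data)
        else:
            raise ValueError("unsupported filter %r" % name)
    return data

def referencing(pdf, target):
    """Numbers of the objects whose body contains 'target 0 R' (pdf-parser --reference)."""
    ref = re.compile(rb"\b%d\s+0\s+R\b" % target)
    return sorted(n for n, body in objects(pdf) if ref.search(body))

# Constructed sample: object 5 holds script text hidden behind two chained
# filters, so neither grep nor pdfid.py can see its contents.
INNER = b"// constructed sample: decoded script text"
ENCODED = zlib.compress(INNER).hex().encode() + b">"
SAMPLE = (b"%PDF-1.4\n"
          b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
          b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
          b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
          b"4 0 obj\n<< /S /JavaScript /JS 5 0 R >>\nendobj\n"
          b"5 0 obj\n<< /Length " + str(len(ENCODED)).encode()
          + b" /Filter [/ASCIIHexDecode /FlateDecode] >>\nstream\n"
          + ENCODED + b"\nendstream\nendobj\n")
```

Following the references from the catalog's /OpenAction down to the decoded stream is the same walk an analyst does with pdf-parser.py once pdfid.py has flagged the file.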
Detection, Analysis and Cleanup (Cont.)
- Remove the file extension of the malicious file, so that its code is not executed by, say, a thumbnail viewer or similar.
- Disable the Adobe iFilter, which is used for metadata indexing (search), by unregistering it:
  regsvr32 /u AcroRdIf.dll
OR have a nice day using:
A Linux system to analyze Windows infected content…
Recorded Incidents
2012: United States Department of Defense
A PDF named "Agenda_Web_(8-24-12).pdf" was found to contain an embedded malicious executable with encrypted reverse shell functionality. When executed, a connection on port 443 is attempted to an external location. If the connection is successfully established, the malware negotiates an SSL session with the remote host and a reverse shell is established. The latest virus definition updates from various anti-virus vendors detect the malicious executable as a generic Trojan horse program.

2010: SpiderLabs Incident Readiness Service - Incident Response
The PDF file analyzed was found to contain an embedded packed (NsPack) malicious executable. In order to thwart analysis, upon execution the malicious executable runs a series of checks to ensure it is not running within a typical malware analysis environment. Once these checks are completed, an instance of Internet Explorer is launched. Internet Explorer is then used to establish a connection via HTTP to two distinct external locations. If a connection is established to either location, information about the local system is sent. The malware contains functionality for downloading and executing additional malicious programs chosen by the attacker.