Finding rules for heuristic detection of malicious PDFs: With analysis of embedded exploit code
The use of PDFs as a vector for the installation of malicious content has been on the rise over the last few years. There are numerous reasons for this, among them the ubiquity of the file format (it is neither browser nor platform dependent), the update mechanisms of Adobe's readers, and the many and various exploit kits that now carry PDF exploits.
Methods for the detection and classification of malware have focused on EXE, MS Office and HTML analysis, and the comparative lack of research into PDF is telling. In this paper we show some tips and tricks to help with the classification and detection of malicious PDFs. This is achieved by both static and dynamic analysis of malicious files and of Internet-derived corpora of potentially clean files.
As well as communicating these results, the presentation will augment them with analysis of current threats and case studies of whole attacks.
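The abstract does not spell out the heuristics themselves. As an added illustration of the static side of that work (this is editor-written example code, not code or rules from the Sophos paper), the script below triages a PDF from its raw bytes: it counts the name objects that usually carry active content, normalises the `#xx` hex escapes that PDF allows inside names (so `/J#61vaScript` is counted as `/JavaScript`), inflates FlateDecode'd streams so an object stream cannot hide those names, checks that `obj`/`endobj` and `stream`/`endstream` balance, and turns the indicators into a score. The keyword list, weights, threshold and the two embedded sample files are all assumptions made for the example; the samples are constructed here and are not real malware.

```python
"""Static heuristic triage of a PDF from raw bytes.

Added illustration (not from the Sophos paper): keyword list, weights,
threshold and sample files are this example's own assumptions.
"""
import re
import zlib
from collections import Counter

# Weighted name keywords that commonly carry active content.  Assumption:
# weights are illustrative and have not been tuned on any corpus.
WEIGHTS = {
    "/JavaScript": 3, "/JS": 3, "/Launch": 4, "/OpenAction": 2, "/AA": 2,
    "/EmbeddedFile": 2, "/RichMedia": 2, "/ObjStm": 1, "/AcroForm": 1,
    "/XFA": 1, "/URI": 1,
}
ESCAPE_WEIGHT = 3      # any #xx-escaped name is itself a signal (e.g. /J#61vaScript)
STRUCTURE_WEIGHT = 2   # unbalanced obj/endobj or stream/endstream, or missing header
SUSPICIOUS_AT = 5      # assumed threshold for the verdict

_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")          # a PDF name token
_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")              # #xx escape inside a name
_STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\nendstream", re.DOTALL)


def normalize_name(raw: bytes) -> str:
    """Decode name escapes so /J#61vaScript compares equal to /JavaScript."""
    return _HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def inflate_streams(data: bytes) -> bytes:
    """Best-effort zlib inflation of every stream body; non-zlib bodies are skipped."""
    out = []
    for m in _STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(out)


def scan_pdf(data: bytes) -> dict:
    """Return the raw indicators a rule engine would score."""
    # Drop binary stream bodies from the text scan, then append their inflated
    # content so names hidden in FlateDecode'd object streams are still seen.
    body = _STREAM_RE.sub(b"stream\nendstream", data)
    names, escaped = Counter(), 0
    for m in _NAME_RE.finditer(body + b"\n" + inflate_streams(data)):
        raw = m.group(0)
        if b"#" in raw:
            escaped += 1
        names[normalize_name(raw)] += 1

    def count(keyword: bytes) -> int:
        return len(re.findall(rb"\b" + keyword + rb"\b", body))

    return {
        "header_ok": b"%PDF-" in data[:1024],   # readers accept a header within 1024 bytes
        "obj": count(b"obj"), "endobj": count(b"endobj"),
        "stream": count(b"stream"), "endstream": count(b"endstream"),
        "escaped_names": escaped,
        "risky": {n: names[n] for n in WEIGHTS if names[n]},
    }


def heuristic_score(report: dict) -> int:
    score = sum(WEIGHTS[n] * c for n, c in report["risky"].items())
    score += ESCAPE_WEIGHT * report["escaped_names"]
    if report["obj"] != report["endobj"] or report["stream"] != report["endstream"]:
        score += STRUCTURE_WEIGHT
    if not report["header_ok"]:
        score += STRUCTURE_WEIGHT
    return score


def verdict(data: bytes) -> str:
    return "suspicious" if heuristic_score(scan_pdf(data)) >= SUSPICIOUS_AT else "clean"


# Constructed samples (not real files): the second hides a JavaScript action
# inside a compressed object stream and hex-escapes the /JavaScript name.
CLEAN_SAMPLE = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])
_HIDDEN = zlib.compress(b"3 0 << /S /J#61vaScript /JS (app.alert(1)) >>")
MALICIOUS_SAMPLE = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
    b"4 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length ",
    str(len(_HIDDEN)).encode(), b" >>\nstream\n", _HIDDEN, b"\nendstream\nendobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("malicious", MALICIOUS_SAMPLE)):
        report = scan_pdf(sample)
        print(label, verdict(sample), heuristic_score(report), report["risky"])
```

Two caveats a practitioner should keep in mind: name counting on raw bytes says nothing about whether an object is actually reachable from the catalog (an orphaned `/JavaScript` object scores the same as a live one), and the inflation step only handles plain zlib bodies, so ASCIIHex, ASCII85 or LZW-encoded streams, and streams whose dictionaries lie about their filters, still hide their contents from this scan. Scoring thresholds of this kind also need to be measured against a clean corpus, as the abstract describes, before they are trusted in detection.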
This paper was presented at the Virus Bulletin conference in Vancouver, 2010.
Author
Paul Baccas
Paul O Baccas joined Sophos in 1997 after studying Engineering Science at Oxford University. Currently, he is employed as a virus and spam researcher for SophosLabs. Paul has published several papers, and was a technical editor for the "AVIEN Malware Defense Guide." He has written articles for security industry journal Virus Bulletin and is a frequent contributor to the SophosLabs blog under his nom-de-plume "Pob."
Sunday, 6 February 2011
via sophos.com