Cybercriminals Exploit PDF Picture Filter to Embed Malware

Avast! Virus Lab has discovered a dirty trick that cybercriminals are using to encode malware exploits and payloads into PDF files. Avast! says that the this trick has been used in a relatively small number of attacks, as well as one targetted attack.

The vulnerability was found in the JBIG2Decode filter, a feature specifically intended for compressing monochrome images, and allowed attackers to use the JBIG2Decode specifications hide their encoded malicious paylod in order to get past antivirus scanners without being detected. The dangerous encoded content is targets a flaw identified as CVE-2010-0188, which allowed attackers to cause Adobe Reader and Acrobat to crash–and possibly gain complete control of your system.

According to Jiri Sejtko, Avast’s senior virus analyst, “the JBIG2 algorithm works here because any data–text or binary–can be declared as a monochrome two-dimensional image.” Sejtko also says that they hadn’t expected anyone would use a pure image algorithm for something that’s not an image.

Adobe patched the vulnerability in current versions of Adobe Reader, however, older versions of the program are still affected. As always, you should keep Adobe up to date and on automatic update if possible. For more information on this vulnerability visit the Avast! Blog.

[Avast]