PDF file obfuscation


Portable Document Format (PDF) has become one of the most widely used file formats for exchanging documents in businesses and institutions all over the world. Developed by Adobe, the file format has become one of the most common tools for targeted attack by hackers and can be extremely dangerous to use.
Adobe wanted to develop a product that could process any files a business could possibly need and came up with Adobe Acrobat. Adobe Acrobat was mostly written in the 1990s with almost 15 million lines of code. For perspective, most operating systems at the time had less than 12 million lines of code and sophisticated internet browsers ran on less than 3 million at the time. The PDF file format was released in 1993 by Adobe as a solution for dealing with Postscript, the previous popular document viewer.
One of the major issues in dealing with Postscript was its approach to displaying graphics. If a file was opened on page 250 in a given document, Postcript would generate the preceding 249 pages for the computer to deal with. Adobe developed a solution by turning the text and visuals in the document into objects. By doing so huge files could be opened to any page at relatively the same rate as other documents, and so PDF was quickly accepted as the de facto standard for exchanging static information. Because of its widespread use and versatile capabilities, Adobe wanted to continue developing the file type by incorporating exotic features such as 3D graphics in 2004 and later integrating Flash player in 2008.
Security researchers like Dider Stevens and Julia Wolf played with PDF files and found that Adobe Acrobat assumes that an opened PDF file is properly formatted and structured. However, Adobe does not specify ways to generate these programs or to validate the integrity of the files themselves. Malicious code using languages like JavaScript can be inserted to corrupt the files and cause the PDF to behave much differently than originally intended. With the addition of Flashbridging, permissions to webcam and audio access could also potentially be accessed.

Researchers from the Sysadmin Audit Network Security institute, a company specializing in information and cyber security, showed that attackers exploiting PDF documents can not only access administrative permissions in a victims computer but also automate the process using publicly available penetration testing software. Anti-virus software is mindful about how long it takes to scan a file and return it to the user so it doesn’t have time to execute every line of code. Even if the software did scan every line, the scan could come up with false negatives. By splitting malicious code into chunks unintelligible to the anti-virus scanner, the code can be obfuscated and then reassembled when the user opens the file.

Adobe needs to reassess how it reads PDF files in Adobe Acrobat. Malformed documents are a real threat to businesses and users dealing with sensitive information. Be careful when opening up strange PDF document files from emails, because sometimes the spam folder is not enough.