Malicious PDF files

In this video, security researcher and expert on malicious PDF files Didier Stevens discusses how these files work and offers protection tips.

For more security-related material visit Help Net Security: http://www.net-security.org

---

Closed Caption:

cool the pool
the bold
I'm I'm did you Stevens I am la guerra
I'm with the pool I research that I want
to publish
it's a local closed lower don't did you
see this
don't go and the my main interests
all application security BDS
also hardware Aki RFID lot of
them still and %uh know you're on weak
dollar pizza
both PDF and not the PDF language
in itself because I don't know old the
it you know it happens to me that people
ask me
for example eiffel result align
PDF document and the I wanted and Anglo
45 degrees to the asked me not to do
that and I don't know
because I'm I'm not be a specialist a
I became a and a specialist in analyzing
malicious
be used so I know lot about malicious
peers
the the nineteen years that's not like a
fifty
so PDS Moses BDS
in itself PDF language and
the latest readers for PDF documents
a well-designed 04 the security
you have a javascript that can be
executed inside PDF document
but the JavaScript yes actually
no rights it is in a sandbox insight
that PDF real and cannot affect your
computer for example he has no rights
whatsoever
to reads alright one of your files
on the only thing for example which
finds it can do
if you can bet file in a
be a fun so dignified
and that it on-site to be a fun then I
can try to JavaScript
that will right that file in one of your
temporary folders that the only place
when I can with that file that's his
site
a than 20-fold there is also a
restriction but
I profiles any executable files not only
X's boundaries would also love script
times like the
let's see PBS those types I can never
exports a 12 with them insights be a
document you can never
get them out key and
on extra the security measure by the
the just-released when I do that all
duration:
inside my javascript did you read it
will receive a book
to tell you that to be.
documents trying to write fun to deploy
a full
and asking you if you want it or not so
seats in a sandbox it s a no
real I'll but the
issues going phone books inside of
JavaScript
into and also in the sup sorry
in the PDF language itself and
exploiting those books
renders PDF documents malicious
so say fun talking both malicious PDF
its PDF mostly with it
JavaScript that exploits the
like you the been thin the
there was a control weather but think
about six or seven
months ago they will see the so you have
a that JavaScript that exploits
that the hong in the meantime also
there's a huge tree
so that when the activates
there is a chance that control processor
is lost to something
so many memories wave phone that heaps p
and that he switches always the same its
Chilkoot
and when that's no good executes it will
and I'm no I'm talking about a.m.
malicious PDF
you find in the wild note
proof-of-concept
PDF on school targeted PDF files the
just the
gonna malicious PDF us you can find in
the wild
on do those they will always do the
following: team
the Chilkoot always the same one
its starts executing it
dominoes the file from the internet and
execute from the internet
it saves that's fine in the system32
directly of your operating system and
treatment execute its fine
thats between convinced that that
malicious PDF documents to
and then of course if you all
local mean Daniel machines don't use
goes to find the download file we'll in
itself then
downloads toward for example or
other software to make your machine part
of a botnet
and that can date over your complete
computer not to protect yourself
against the such attacks US
the usual protection mechanisms like
your anti-virus
the application the finals and
stuff like that but the
mean protection in fact photos
malicious PDF files in the world he just
not to run it
this local me because if you remember
I told you all the so-called rights
system 32
if you are looking at me you can't write
in system32
and to show who it is really small so
good because they have to
be able to feed heaps great
if that up call to see if
the fun into the system 32 don't be too
feels
shell good adjustables and you PDF
reader I will just crash
%uh what's a bit more %uh in sieges in
Nha
in PDF a explodes this when
you exploit those im the EDS language
itself like it was a
DG G two BQ too big to the goat
other and strictly speaking it's not
the bf language itself it's part of an
each including standard that this part
of the PDF language
there was a book in several books
insight
that surrendering engine and you can't
read that book
we does needing on Shabbat because the
book is not
JavaScript but the of course the
squeaked key so exploit riders
Willis kill they will always use
JavaScript because they have standard
that he'd taken
com weekend the could be based
and that is to a before heaps three with
the shellcode
that will execute the cause but
if you're clever in the
building expose you could find a way to
exploits that GB to gold we don't even
actually
a needing JavaScript and that's a whole
other level
of PDF exploit on you are not
anymore relying on PBS so if the user as
the zeal
PDF it will still but review and the
thing is also with
if you will the dealing with such kind
of exploits
is that home Windows machines with the
Acrobat Reader installed you on not only
'em have to be aware of
use actions can also in some special
circumstances
triggered automatically so we don't user
interaction for example
a due to the Windows indexing service
if you uninstall a copout on a Windows
machine
was on Windows XP machine that this
Windows indexing
services it will also install and I feel
that and I filter
is a the deal special he's of
program that we'll provides
the windows indexing service with the
capabilities
to read inside PDF file and those index
that PDF file with more meaningful text
because it knows
was insight to the media for document
okay so once that file is stored on the
hard disk
it will be indexed by indexing service
and the exploit will create and execute
and a the beach problem is the two
windows indexing services running on the
system account
so even if it is to the user would
restricted
rights that the was that PDF document
in his local love these documents then
it will be indexed by
service that has local system writes and
then
that PDF document can take over complete
machine
by downloading our the appropriate role
petroleum