Tuesday, October 12, 2010

Sophos articles on malicious code

A couple of PDFs on malicious code.

1. Want my autograph? The use and abuse of digital signatures by malware

http://www.sophos.com/security/technical-papers/digital_signature_abuse.pdf

Interesting article on the use of stolen certificates in modern malware.

2. Finding Rules for Heuristic Detection of Malicious PDFs: With Analysis of Embedded Exploit Code

http://www.sophos.com/security/technical-papers/malicious_pdfs.pdf

What to look for in malicious PDFs.

Highlights of that one:

Heuristic 1: If the PDF contains JavaScript, look more closely.

Heuristic 2: If the objects or streams are mismatched, look more closely.

Heuristic 3: If the cross-reference (XRef) table is invalid, look more closely.

Heuristic 4: The presence of the LZWDecode, ASCII85Decode, DCTDecode and Encrypt filters is indicative of clean files.

Heuristic 5: Hash (#) encoded tags are indicative of malicious files.

These comments appear to be based on the use of Adobe Acrobat Reader as the infection vector. Sumatra PDF reader, which doesn't support Flash or JavaScript, might be an interesting alternative to get away from a lot of these problems.
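To show how the five heuristics combine in practice, here is an added triage script (my own example, not code from the Sophos paper or this blog). It runs the checks over two constructed byte strings built by a hypothetical `build_pdf` helper; note that hash-encoded names have to be decoded before the JavaScript check, otherwise heuristic 5's obfuscation defeats heuristic 1.

```python
import re

# Constructed samples (not from the Sophos paper) built by a hypothetical helper:
# one clean file, and one hiding /JavaScript and /JS behind hash-encoded names,
# missing endobj/endstream, with a startxref that points nowhere.
def build_pdf(objects: bytes, good_xref: bool) -> bytes:
    body = b"%PDF-1.4\n" + objects
    xref_pos = len(body) if good_xref else 999999  # bad offset -> heuristic 3
    xref = b"xref\n0 1\n0000000000 65535 f \ntrailer << /Size 1 /Root 1 0 R >>\n"
    return body + xref + b"startxref\n" + str(xref_pos).encode() + b"\n%%EOF\n"

CLEAN_PDF = build_pdf(
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 3 /Filter /DCTDecode >> stream\nabc\nendstream endobj\n", True)
SUSPECT_PDF = build_pdf(
    b"1 0 obj << /Type /Catalog /OpenAction 5 0 R >> endobj\n"
    b"5 0 obj << /#53 /J#61vaScript /J#53 6 0 R >> endobj\n"
    b"6 0 obj << /Length 4 >> stream\napp;\n", False)  # no endstream, no endobj

BENIGN_FILTERS = (b"/LZWDecode", b"/ASCII85Decode", b"/DCTDecode", b"/Encrypt")
HASH_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_names(data: bytes) -> bytes:
    """Undo name escapes (/J#61vaScript -> /JavaScript) so H1 sees through what H5 flags."""
    return HASH_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def xref_valid(data: bytes) -> bool:
    """startxref must point at an 'xref' keyword (classic tables; xref streams not handled)."""
    m = re.search(rb"startxref\s+(\d+)", data)
    return bool(m) and data[int(m.group(1)):][:4] == b"xref"

def score_pdf(data: bytes) -> dict:
    """Apply the five heuristics; JavaScript weighs double, benign filters subtract."""
    d = decode_names(data)
    objs = len(re.findall(rb"\b\d+\s+\d+\s+obj\b", d))
    streams = len(re.findall(rb"(?<!end)\bstream\b", d))
    findings = {
        "javascript": re.search(rb"/(JavaScript|JS)\b", d) is not None,            # H1
        "mismatched": objs != d.count(b"endobj") or streams != d.count(b"endstream"),  # H2
        "xref_valid": xref_valid(data),                                             # H3
        "benign_filters": any(f in d for f in BENIGN_FILTERS),                      # H4
        "hash_names": re.search(rb"/\w*#[0-9A-Fa-f]{2}", data) is not None,         # H5
    }
    score = (2 * findings["javascript"] + findings["mismatched"]
             + (not findings["xref_valid"]) + findings["hash_names"] - findings["benign_filters"])
    return {"score": max(0, score), "findings": findings}
```

The weights are arbitrary; on real samples the benign-filter rule is only a weak negative signal, since nothing stops a malicious file from including a DCTDecode image.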
