Last Friday I was at ReCon in Montreal to give a talk about obfuscated PDF malware. I got the idea for the talk during my work on PDF Dissector, where I saw a lot of obfuscated PDF malware. The obfuscation I saw in the wild was mostly very limited, and the malware authors did not seem to think things through to the very end. I took the opportunity to think a bit further about the whole topic of PDF malware obfuscation, and a few of the results of these thoughts can be seen in the slides below. If you do not have Flash enabled, click here to download the slides.
Very interesting.
I can’t decide if the ‘Adobe JS’ trick is funny or sad, though.
[…] Sebastian Porst: "How to really obfuscate your PDF malware" […]
[…] A Time Killer (getPageNthWord,CVE-2008-2992,CVE-2007-5659,CVE-2009-0927,CVE-2009-4324) 2010-07-13: ReCon slides – How to really obfuscate your PDF malware 2010-07-20: PDF time bomb (CVE-2008-2992,CVE-2007-5659,CVE-2009-0927) 2010-08-04: PDF Exploit: […]