Commentary

When PDFs And Flash Files Attack

It's getting harder to protect our users from threats coming at them from seemingly trusted places. The Websites they've been using for years are suddenly the source of attacks through malicious advertisements being pushed to the "trusted" site by a third-party advertising service. File format attacks against Adobe's Flash and Acrobat are becoming the exploit du jour for attackers.
The most recent attacks against Adobe Acrobat could be just the tip of the iceberg, according to a recent report. Analyzing these attacks is not always an easy task. One of the first steps is often to submit a suspicious Adobe Acrobat, Microsoft Word, or similar document to VirusTotal for analysis; however, the sensitivity of the environment may not allow files to be sent outside for analysis.

If you're in that situation, or are the type who just likes to get your hands dirty, then I've got some tools and resources to help you jump right into file analysis of Adobe Flash and Acrobat files. For Flash files, I typically use SWFTools to pull out strings that might indicate malicious intent and to extract embedded files and scripts. There is also Flare, and Sothink SWF Decompiler, a tool I just saw mentioned on Paul Melson's blog, looks promising.
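The header check and string pull that SWFTools does for you are simple enough to see in a few lines. The following Python is an added example written for this column, not code from SWFTools or from the original post: it parses the 8-byte SWF header, inflates a zlib-compressed (CWS) body, checks the declared length against what was actually inflated, and lists printable strings, flagging the ones on a small indicator list. The indicator list and the sample file are constructed for the demonstration; the sample is a blob with strings in it wrapped in a valid header, not a playable movie.

```python
import re
import struct
import zlib

# Strings worth a second look in a Flash movie. This list is an assumption
# for the example, not something SWFTools ships; tune it to what you see.
SUSPICIOUS_STRINGS = (
    b"getURL", b"navigateToURL", b"loadMovie", b"ExternalInterface",
    b"LoadVars", b"unescape", b"eval", b"http://", b"https://",
)

def parse_swf_header(data):
    """Return (signature, version, declared_length) from the 8-byte header.

    The SWF header is: 3-byte signature (FWS = plain, CWS = zlib, ZWS = LZMA),
    1-byte version, and a little-endian uint32 giving the *uncompressed*
    length of the whole file including this header.
    """
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig = data[:3]
    if sig not in (b"FWS", b"CWS", b"ZWS"):
        raise ValueError("not a SWF signature: %r" % sig)
    return sig, data[3], struct.unpack("<I", data[4:8])[0]

def swf_body(data):
    """Return the decompressed body that follows the header."""
    sig, _version, _length = parse_swf_header(data)
    if sig == b"CWS":
        return zlib.decompress(data[8:])
    if sig == b"ZWS":
        # LZMA-compressed SWF (Flash 13+) carries an extra length field and
        # LZMA properties that this example does not cover.
        raise NotImplementedError("ZWS (LZMA) SWF not handled here")
    return data[8:]

def extract_strings(body, min_len=4):
    """Pull runs of printable ASCII, like the Unix strings(1) tool does."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, body)

def triage_swf(data):
    """Header sanity, length check and indicator strings for one SWF."""
    sig, version, declared = parse_swf_header(data)
    body = swf_body(data)
    strings = [s.decode("ascii") for s in extract_strings(body)]
    hits = sorted({s for s in strings
                   if any(ind.decode("ascii") in s for ind in SUSPICIOUS_STRINGS)})
    return {
        "compressed": sig == b"CWS",
        "version": version,
        "declared_length": declared,
        "actual_length": 8 + len(body),
        # A header that lies about the length is a malformed file: not proof
        # of anything, but a reason to keep looking.
        "length_mismatch": declared != 8 + len(body),
        "strings": strings,
        "suspicious": hits,
    }

def build_sample_swf(compressed=True, declared_length=None):
    """Constructed sample for the demo: a blob of bytes with a few strings in
    it wrapped in a valid SWF header. It is not a playable Flash movie."""
    body = (b"\x00" * 16 + b"navigateToURL\x00"
            + b"http://example.invalid/drop.exe\x00"
            + b"\x00" * 8 + b"hello\x00")
    if declared_length is None:
        declared_length = 8 + len(body)
    if compressed:
        return b"CWS" + bytes([10]) + struct.pack("<I", declared_length) + zlib.compress(body)
    return b"FWS" + bytes([8]) + struct.pack("<I", declared_length) + body

if __name__ == "__main__":
    report = triage_swf(build_sample_swf())
    for key, value in report.items():
        print("%-16s %s" % (key, value))
```

Nothing here says the file is malicious; a URL and a call to navigateToURL are normal in plenty of legitimate banner ads. What the output gives you is a reason to decompile the ActionScript and look at what that URL is used for, and a malformed length field tells you the file was not produced by a normal authoring tool.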

Didier Stevens' PDF Tools are excellent for dealing with PDFs that you suspect are malicious. It's important to point out that these tools don't tell you whether the file contains something malicious. They are analysis tools to help you make that determination. To help you better understand what they can do for you, take a look at two recent analysis write-ups at the Internet Storm Center.
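To make the "analysis, not verdict" point concrete, here is the kind of first pass a pdfid-style tool takes. This Python is an added example for this column, not Didier Stevens' code or anything from the original post: it counts PDF names that matter to an analyst (/JavaScript, /OpenAction, /Launch and so on), resolves the #xx hex escapes attackers use to hide those names, and compares obj/endobj and stream/endstream counts to spot a malformed file. The watch list and the sample PDF are constructed for the example.

```python
import re
from collections import Counter

# Names that pdfid-style triage counts. The list is an assumption for this
# example, not Didier Stevens' list; extend it for your environment.
WATCH_NAMES = ("JavaScript", "JS", "OpenAction", "AA", "Launch",
               "EmbeddedFile", "RichMedia", "URI", "AcroForm", "XFA", "ObjStm")

STRUCTURE_KEYWORDS = ("obj", "endobj", "stream", "endstream",
                      "xref", "trailer", "startxref")

# A PDF name starts with '/' and runs until whitespace or a delimiter.
# '#' is kept so that hex-escaped names (/J#61vaScript) are seen whole.
NAME_RE = re.compile(rb"/([^\s/<>\[\]()%{}]+)")

def unescape_name(raw):
    """Resolve #xx hex escapes: b'J#61vaScript' -> b'JavaScript'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)

def triage_pdf(data):
    """Count risky names and structural keywords in a PDF byte string."""
    names = Counter()
    obfuscated = 0
    for raw in NAME_RE.findall(data):
        if b"#" in raw:
            obfuscated += 1
        name = unescape_name(raw).decode("latin-1")
        if name in WATCH_NAMES:
            names[name] += 1
    # \b keeps 'obj' from matching inside 'endobj' and 'xref' inside 'startxref'.
    structure = {kw: len(re.findall(rb"\b" + kw.encode() + rb"\b", data))
                 for kw in STRUCTURE_KEYWORDS}
    notes = []
    if not data.startswith(b"%PDF"):
        notes.append("no %PDF header at offset 0")
    if structure["obj"] != structure["endobj"]:
        notes.append("obj/endobj counts differ: malformed or truncated file")
    if structure["stream"] != structure["endstream"]:
        notes.append("stream/endstream counts differ: malformed or truncated file")
    if obfuscated:
        notes.append("%d hex-escaped name(s): legal PDF, but a common way to hide /JavaScript"
                     % obfuscated)
    if (names["JavaScript"] or names["JS"]) and (names["OpenAction"] or names["AA"]):
        notes.append("script plus an automatic action: it will run when the document opens")
    if names["ObjStm"]:
        # Names inside object streams are compressed; a zero count here
        # does not mean they are absent.
        notes.append("object streams present: names inside them are compressed and not counted here")
    return {"names": dict(names), "obfuscated_names": obfuscated,
            "structure": structure, "notes": notes}

# Constructed sample: a minimal PDF whose OpenAction points at a JavaScript
# action with a hex-escaped /JavaScript name. Not a real-world sample.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R >>
endobj
4 0 obj
<< /S /J#61vaScript /JS (app.alert\\(1\\)) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    report = triage_pdf(SAMPLE_PDF)
    print(report["names"], report["structure"])
    for note in report["notes"]:
        print("-", note)
```

A plain `grep JavaScript` would miss the sample's `/J#61vaScript`; the name decoder catches it. Even so, the result is a list of things to go look at (what does the script in object 4 actually do?), not a verdict, and anything inside a FlateDecode or object stream is invisible to this pass until you decompress it, which is exactly the work the full PDF Tools are for.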

As you can see from the ISC examples, analyzing files for malicious content is not an easy task. The tools are available if you're up to the challenge, and with the current PDF-based attacks, there are plenty of samples to analyze.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.
