Report: PDF Files and Flash Ads Can Contain Malicious Code

Research indicates that pretty animations and downloaded documents can contain damaging code that infects personal computers.

by Hilton Collins / October 14, 2008

Flash and PDF files on the Internet can contain hidden malicious code that's so sophisticated that most antivirus software won't detect the attacks even after they infiltrate vulnerable computers, according to a report released by the company Finjan, a provider of Web gateway and content-inspection solutions.

On Sept. 23, 2008, Finjan released its Malicious Page of the Month report detailing how malevolent hackers use Web 2.0 technologies to infest operating systems with the latest malware. The report's data, compiled by the company's Malicious Code Research Center, tracks the evolution of "obfuscated code," or code that is encrypted so well by its authors that it's difficult to recognize. This code can be built into Flash and PDF files by people with bad intentions.

"This vulnerability will enable them to gain access to our local disk so they can install their Trojan horse or keylogger software," said Yuval Ben-Itzhak, Finjan's chief technology officer. This gives them the opportunity to slip in undetected and wreak havoc.

The report divulges the following details of this trend:

o In 2008, obfuscated code was embedded in rich-content files, such as Flash-constructed ads on Web pages or the ever-popular PDFs that millions of Internet users download regularly. Some hapless Web surfers are unwittingly compromising their computers merely by visiting sites with code-infested Flash ads on them or by downloading seemingly harmless PDFs containing the same type of code.

o In 2007, obfuscation techniques mimicked legitimate encryption-decryption processes. In this method, a malicious hacker sends a "key" to users that seems legitimate. After a user obtains and activates the key, it unlocks malicious code that goes to work on the user's machine.

o In 2006, malicious hackers wrote harmful code into programs that are activated once users input passwords or other forms of typed input.

o In 2005, obfuscated code attacks consisted of two formats: scrambling code to make it more complicated, and character-based encoding to use it in any format a browser can interpret.
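The 2005 and 2008 items above describe the pattern a content inspector has to deal with: script whose real text is hidden behind character-based encoding (percent escapes, `String.fromCharCode`, hex escapes) and unpacked at runtime with `eval()`. The following is an added example, not code from the report or from Finjan, of a small inspector that peels those encoding layers off a script and scores it on what it finds. The sample scripts are constructed; the encoded payload in them is only `alert("hi")`. It assumes the script text has already been extracted from the carrier (an HTML page, a Flash ad or a PDF); that extraction step is not shown.

```python
import math
import re
import urllib.parse

# Constructed samples for this example (not taken from the report).
BENIGN_SCRIPT = """function showAd(id) {
  var el = document.getElementById(id);
  if (el) { el.style.display = 'block'; }
}"""

# alert("hi") percent-encoded, then unescaped and eval'ed at runtime.
ENCODED_SCRIPT = "eval(unescape('%61%6c%65%72%74%28%22%68%69%22%29'))"

# The same text rebuilt from character codes instead of percent escapes.
CHARCODE_SCRIPT = "eval(String.fromCharCode(97,108,101,114,116,40,34,104,105,34,41))"

# Runs of encoded characters; short runs are ignored to limit false positives.
PERCENT_RE = re.compile(r"(?:%[0-9A-Fa-f]{2}){4,}")
HEXESC_RE = re.compile(r"(?:\\x[0-9A-Fa-f]{2}){4,}")
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")

# Calls that commonly sit around an encoded payload to unpack and run it.
INDICATORS = ("eval(", "unescape(", "String.fromCharCode(", "document.write(")


def peel_encoding(text):
    """Decode one layer of percent, \\x or fromCharCode encoding, if present."""
    def pct(m):
        return urllib.parse.unquote(m.group(0))

    def hexesc(m):
        return bytes.fromhex(m.group(0).replace("\\x", "")).decode("latin-1")

    def charcode(m):
        nums = [int(n) for n in m.group(1).replace(" ", "").split(",") if n]
        return "'" + "".join(chr(n) for n in nums) + "'"

    out = PERCENT_RE.sub(pct, text)
    out = HEXESC_RE.sub(hexesc, out)
    out = CHARCODE_RE.sub(charcode, out)
    return out


def decode_layers(text, max_depth=5):
    """Repeatedly peel encoding until nothing changes; return (text, layers)."""
    layers = 0
    while layers < max_depth:
        decoded = peel_encoding(text)
        if decoded == text:
            break
        text = decoded
        layers += 1
    return text, layers


def shannon_entropy(text):
    """Bits per character; encoded blobs score higher than readable code."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inspect_script(text):
    """Score script text on unpacking calls and encoding layers found in it.

    The threshold (3) is an assumption chosen for this example; the verdict
    depends only on the content, not on where the script was served from.
    """
    decoded, layers = decode_layers(text)
    hits = [name for name in INDICATORS if name in text]
    score = len(hits) + 2 * layers
    return {
        "layers": layers,
        "indicators": hits,
        "entropy": round(shannon_entropy(text), 2),
        "decoded": decoded,
        "suspicious": score >= 3,
    }


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SCRIPT),
                         ("percent-encoded", ENCODED_SCRIPT),
                         ("charcode", CHARCODE_SCRIPT)):
        result = inspect_script(sample)
        print(name, "suspicious" if result["suspicious"] else "clean",
              "layers:", result["layers"], "decoded:", result["decoded"])
```

Decoding before scoring is what lets the check survive the "scrambling" the report describes: the indicators are matched against the original text, and the peeled text is returned so an analyst can read what would actually have run. A real gateway would add a detonation step for layers this heuristic cannot unpack.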

Finjan's Malicious Code Research Center regularly tracks Web security threats and publishes the latest threats, trends and reports on its Web site. Obfuscated code is one of the most pernicious threats.

"We've been monitoring the obfuscation methods, and we've realized that these criminals are improving the obfuscation techniques or the obfuscation algorithms that they're using and trying to make them more and more complex, and the security vendors are trying to catch up," said Ben-Itzhak. "In security, it's always a kind of game between the good guys and the bad guys. One is running after the other, so what we highlighted in the report are the changes in the last three years, or almost four years now, in these types of techniques."

The Finjan report says that real-time content inspection technology can detect and block obfuscated code attacks by analyzing Web content regardless of the URL, context or appearance.

Hilton Collins

Hilton Collins is a former staff writer for Government Technology and Emergency Management magazines.