AV Bypass for Malicious PDFs Using XDP
http://blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp
More here: http://www.h-online.com/security/news/item/Encoding-malicious-PDFs-avoids-detection-1620310.html
and: http://shiftordie.de/blog/2011/02/09/evading-avs-using-the-xml-data-package-xdp-format/
Hi Asyn,
Do you know if urlQuery IDS flags this?
Apparently they have not implemented that Snort rule yet, see http://urlquery.net/report.php?id=70593
I have sent feedback about this issue to contact AT urlquery dot net
polonus
Pol, nothing to analyse here. This was meant for the guys at the virus lab and for general information.
Hi Asyn,
No, I meant the custom rule for the EmergingThreats IDS to alert on this XDF-encoded PDF file transfer:
///////
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"XDF encoded PDF file transfer."; flow:established,to_client; content:"<xdp:xdp xmlns:xdp="; nocase; fast_pattern; content:"<pdf xmlns="; nocase; content:"JVBERi0"; nocase; reference:url,blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp; classtype:misc-attack; sid:100045; rev:1;)
/////// rule provided by Abhijeet Hatekar
Apparently this has not been included in the custom ruleset, which is the only version urlquery.net uses, as I was informed by them,
so I hope the alert for this will soon be incorporated.
polonus
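A small Python check, added here as an example and not part of this thread or of Abhijeet Hatekar's rule, that mirrors the rule's three case-insensitive content matches on a payload and then decodes the base64 chunk under <pdf> to confirm a real %PDF- header is inside (JVBERi0 is the base64 encoding of "%PDF-"). The XDP namespaces and the wrapper layout are assumed from the XDP format, and the input is a constructed sample:

```python
import base64
import re
from typing import Optional

# Constructed sample: a tiny fake PDF wrapped in an XDP envelope, as the rule expects to see it.
FAKE_PDF = b"%PDF-1.4\n% constructed sample, not a real document\n%%EOF\n"
SAMPLE_XDP = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">\n'   # namespace assumed from the XDP format
    b'  <pdf xmlns="http://ns.adobe.com/xdp/pdf/">\n'
    b'    <document>\n'
    b'      <chunk>' + base64.b64encode(FAKE_PDF) + b'</chunk>\n'
    b'    </document>\n'
    b'  </pdf>\n'
    b'</xdp:xdp>\n'
)


def matches_xdp_rule(payload: bytes) -> bool:
    """Mirror the rule's three content matches (all marked nocase, so compare lowercased)."""
    low = payload.lower()
    return (b"<xdp:xdp xmlns:xdp=" in low
            and b"<pdf xmlns=" in low
            and b"jvberi0" in low)


def extract_embedded_pdf(payload: bytes) -> Optional[bytes]:
    """Decode the base64 <chunk> text of an XDP wrapper; return the PDF bytes only if the %PDF- magic is present."""
    chunks = re.findall(rb"<chunk>\s*([A-Za-z0-9+/=\s]+?)\s*</chunk>", payload, flags=re.IGNORECASE)
    if not chunks:
        return None
    try:
        # b64decode discards whitespace between the base64 characters by default
        data = base64.b64decode(b"".join(chunks))
    except ValueError:
        return None
    return data if data.startswith(b"%PDF-") else None


if __name__ == "__main__":
    print("rule matches wrapper:", matches_xdp_rule(SAMPLE_XDP))      # True
    print("rule matches bare PDF:", matches_xdp_rule(FAKE_PDF))       # False
    print("embedded PDF recovered:", extract_embedded_pdf(SAMPLE_XDP) == FAKE_PDF)  # True
```

Because the rule's content matches are plain substring checks, a wrapper whose chunk decodes to something other than a PDF still trips them; the second function is the extra step a sandbox or mail gateway would take to confirm what is actually embedded.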
I see. Thanks pol.