SlideShare a Scribd company logo

José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files [RootedCON 2011]

RootedCON
RootedCON
Technology
1 of 63
Download to read offline
Obfuscation and (non-)detection of malicious PDF files Jose Miguel Esparza
Agenda • Introduction to the PDF format • Obfuscation and evasion techniques • Obfuscation vs. Antivirus • Obfuscation vs. Analysis tools • peepdf • Conclusions
Header Body Cross reference table Trailer
Introduction to the PDF format • Sequence of objects • Object types – Boolean: true false – Numbers: 123 -98 4. -.002 123.6 – Strings: (hola) <686f6c61> – Names: /Type /Filters – Dictionaries: <</Type /Catalog /Root 1 0 R>> – Arrays: [1.0 (test) <</Length 273>>] – Streams
Introduction to the PDF format
Introduction to the PDF format • Object types – Indirect objects • Reference: “object_id generation_number R”
Introduction to the PDF format • Object types – Indirect objects • Reference: “object_id generation_number R”
Introduction to the PDF format • Updatable documents – Older versions stay in the document Header Body Cross reference table Original Trailer Body Cross reference table Update Trailer
Introduction to the PDF format • Logical structure – Tree structure – Root node: /Catalog – If an element isn’t in the downward path from the /Catalog DOES NOT EXIST
Introduction to the PDF format
Introduction to the PDF format • Actions – /Launch – /Javascript – /GoToE (go to embedded) – /URI – /SubmitForm – … • Triggers – /OpenAction: global – /AA: pages, annotations
Introduction to the PDF format
Introduction to the PDF format
Introduction to the PDF format
Introduction to the PDF format
Obfuscation and evasion techniques • Practical example – pdf.pdf (2009)
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Automatic execution – Avoid /OpenAction – Use of /Catalog elements • /Names • /AcroForm – /AA: applied to pages, annotations…
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Strings to avoid/hide – /Javascript /JS – More than two “unescape” in Javascript code – Characteristic metadata – /pdftk_PageNum
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Suspicious objects? – Strings (21/43) vs. Streams (27/43) • Filters – Avoid known filters: /FlateDecode /ASCIIHexDecode – Parameters (included default ones) – Multiple filters [ /FlateDecode /LZWDecode /RunLengthDecode ]
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Strings/names encoding – Names • Hexadecimal codification /Fl#61#74#65De#63#6f#64e (/FlateDecode) – Strings • Hexadecimal <7368656c6c636f6465> • Octal values 163150145154154
Obfuscation and evasion techniques • Strings/names encoding – Names • Hexadecimal codification NO! /Fl#61#74#65De#63#6f#64e (/FlateDecode) – Strings • Hexadecimal <7368656c6c636f6465> • Octal values 163150145154154
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Hiding Javascript code – Functions to obtain parts of the document • getAnnots() • getPageNumWords()/getPageNthWord() •… • Splitting up Javascript code – Several objects in /Names /Names [(part1) 3 0 R (part2) 7 0 R (part3) 10 0 R]
Obfuscation and evasion techniques • Duplicated objects • Updated objects • Malformed documents – Garbage bytes in the header – Bad version number (%PDF-1.0) – No xref table – No ending tags: endobj or endstream
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Duplicated objects • Updated objects • Malformed documents – Garbage bytes in the header – Bad version number (%PDF-1.0) – No xref table – No ending tags: endobj or endstream
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Compressed objects (object streams) – Incompatible with malformed documents • Encryption – /Encrypt (streams and strings) – RC4 o AES (40-128bits) – Default password • padding = “x28xBFx4Ex5Ex4Ex75x8Ax41x64x00x4Ex56xFFxFA”+ “x01x08x2Ex2Ex00xB6xD0x68x3Ex80x2Fx0CxA9xFEx64x53x69x7A” • password = password + padding[:32-(len(password))] • password = ‘’ password = padding • Nested PDFs – /EmbeddedFiles
Obfuscation and evasion techniques
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Compressed objects (object streams) – Incompatible with malformed documents • Encryption – /Encrypt (streams and strings) – RC4 o AES (40-128bits) – Default password • padding = “x28xBFx4Ex5Ex4Ex75x8Ax41x64x00x4Ex56xFFxFA”+ “x01x08x2Ex2Ex00xB6xD0x68x3Ex80x2Fx0CxA9xFEx64x53x69x7A” • password = password + padding[:32-(len(password))] • password = ‘’ password = padding • Nested PDFs – /EmbeddedFiles
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Compressed objects (object streams) – Incompatible with malformed documents • Encryption – /Encrypt (streams and strings) – RC4 o AES (40-128bits) – Default password • padding = “x28xBFx4Ex5Ex4Ex75x8Ax41x64x00x4Ex56xFFxFA”+ “x01x08x2Ex2Ex00xB6xD0x68x3Ex80x2Fx0CxA9xFEx64x53x69x7A” • password = password + padding[:32-(len(password))] • password = ‘’ password = padding • Nested PDFs – /EmbeddedFiles
Obfuscation and evasion techniques
Obfuscation and evasion techniques • Mixing techniques • Summary: – Remove characteristic strings – Split up Javascript code (/Names) – If the code is in: • String octal encoding (143172) • Stream filters (not usuals, parameters) – Compress (object streams) – Encrypt (default password) – Malform (endobj, header) – Nest PDFs
Obfuscation and evasion techniques
Obfuscation vs. Antivirus • Better results – JS in string + octal + no characteristic strings • object stream – malformed + nested + filters with parameters (0/43) http://www.virustotal.com/file-scan/report.html?id=fbfd6df6a14f3cab3742d84af2b7d3d881ad11ef7d1344ba166092c890f47f77-1298457739 – filters with parameters + malformed (0/43) http://www.virustotal.com/file-scan/report.html?id=5a963ca0d20e12851fae7b98bc0e9bcf28cc0e43a12ef33450cf3877b170fa67-1298154940 • malformed: endobj, bad header (2/43) http://www.virustotal.com/file-scan/report.html?id=9759c500df94e2ccc243f00479967ddb77484203403b79e1523ea1148077b565-1298157405 • encrypted (5/43) http://www.virustotal.com/file-scan/report.html?id=9e2195450ee4f2c15f27b3730fb09bf004cc4bd6ef848f039291d9eea0f6b69d-1298054113 • Exploit working
Obfuscation vs. Antivirus Antivirus Puntos débiles AntiVir JS in string, without JS strings Avast Embedded, no endobj, Flate params AVG Embedded, Flate params, characteristic strings, without JS strings BitDefender Characteristic strings, octal strings ClamAV Flate params, octal strings, bytes header DrWeb Characteristic strings, octal strings F-Secure Splitted up JS code, octal strings, bytes header, object streams Fortinet Flate params, splitted up JS code, bytes header, metadata GData No endobj, Flate params Kaspersky Flate params, characteristic strings, splitted up JS code, object streams McAfee Execution with /Names, embedded, characteristic strings, hexadecimal names, octal strings, without JS strings
Obfuscation vs. Antivirus Antivirus Puntos débiles McAfee-GW Flate params, characteristic strings, octal strings Microsoft Splitted up JS code, octal strings, bytes header, object streams NOD32 Embedded, characteristic strings, bad header (%PDF-1.0) Panda JS in string, without JS strings Prevx No detection Sophos Without JS strings, object stream + malformed endobj, encrypted Symantec Original detection as Downloader, JS in string, without JS strings TrendMicro No detection VBA32 Characteristic strings VirusBuster No detection
Obfuscation vs. Analysis tools Herramientas Comentarios Wepawet No encryption support PDFDissector Comercial, not tested PDFStreamDumper Windows, errors with encryption, FlateDecode parameters pdf-parser (Didier) Search in streams not supported, 3 filters, object streams and encryption not supported OPAF Framework, not tested, encryption not supported Origami Good framework (filters, object streams, encryption), it’s necessary to code your own tool (Ruby) PDFExaminer Does not analyse Javascript code and does not look for exploits in object streams and encrypted objects malpdfobj Based on PDFTools (Didier Stevens)
Obfuscation vs. Analysis tools
peepdf • Characteristics – Python – Command line – Interactive console – Command file option – Last developing phase http://peepdf.eternal-todo.com
peepdf http://peepdf.eternal-todo.com
peepdf • Analysis – Decoding: hexadecimal, octal, names – Most used filters (5) – References in objects and to objects – Strings search (including streams) – Physical structure (offsets) – Tree structure (logical) – Metadata – Changes between versions (changelog) – Compressed objects – Malformed documents support – Javascript analysis and modification (Spidermonkey) • unescape, replace, join – Shellcode analysis (sctest, Libemu) – Variables to improve analysis (set command) – Extraction of different versions
peepdf • Creation/Modification – Basic PDF creation – Creation of PDF with Javascript execution – Object compression (object streams) – Nested PDFs creation – Malformed PDFs – Strings and names codification – Filters modification – Object modification
peepdf • TODO – Encryption – Nested PDFs analysis – Missing filters – Improve automatic Javascript analysis – GUI
Conclusions • Very low detection when: – Nested PDFs – Compressed objects – New filters or filters with parameters – Encryption • Avoid detection by strings • Improve parsers
Thanks • People working with PDF stuff: – Julia Wolf – Didier Stevens – Felipe Manzano (feliam) – Origami team – Brandon Dixon –…
???
Thanks!! Jose Miguel Esparza jesparza eternal-todo.com jesparza s21sec.com http://eternal-todo.com @eternaltodo

Recommended

Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...RootedCON
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]RootedCON
 
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...RootedCON
 
H2HC - R3MF
H2HC - R3MFH2HC - R3MF
H2HC - R3MFRicardo L0gan
 
1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacks1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacksPositive Hack Days
 
Check Your Privilege (Escalation)
Check Your Privilege (Escalation) Check Your Privilege (Escalation)
Check Your Privilege (Escalation) Bishop Fox
 
Python build your security tools.pdf
Python build your security tools.pdfPython build your security tools.pdf
Python build your security tools.pdfTECHNOLOGY CONTROL CO.
 
Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)Ange Albertini
 

Recommended

Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...
Sergi Álvarez + Roi Martín - radare2: From forensics to bindiffing [RootedCON...RootedCON
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]RootedCON
 
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...RootedCON
 
H2HC - R3MF
H2HC - R3MFH2HC - R3MF
H2HC - R3MFRicardo L0gan
 
1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacks1300 david oswald id and ip theft with side-channel attacks
1300 david oswald id and ip theft with side-channel attacksPositive Hack Days
 
Check Your Privilege (Escalation)
Check Your Privilege (Escalation) Check Your Privilege (Escalation)
Check Your Privilege (Escalation) Bishop Fox
 
Python build your security tools.pdf
Python build your security tools.pdfPython build your security tools.pdf
Python build your security tools.pdfTECHNOLOGY CONTROL CO.
 
Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)Binary art - Byte-ing the PE that fails you (extended offline version)
Binary art - Byte-ing the PE that fails you (extended offline version)Ange Albertini
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationQuinn Wilton
 
System Programming and Administration
System Programming and AdministrationSystem Programming and Administration
System Programming and AdministrationKrasimir Berov (Красимир Беров)
 
Webinar alain-2009-03-04-clamav
Webinar alain-2009-03-04-clamavWebinar alain-2009-03-04-clamav
Webinar alain-2009-03-04-clamavthc2cat
 
Fuzzing - Part 1
Fuzzing - Part 1Fuzzing - Part 1
Fuzzing - Part 1UTD Computer Security Group
 
Perl Programming - 01 Basic Perl
Perl Programming - 01 Basic PerlPerl Programming - 01 Basic Perl
Perl Programming - 01 Basic PerlDanairat Thanabodithammachari
 
Network programming
Network programmingNetwork programming
Network programmingKrasimir Berov (Красимир Беров)
 
Python for Penetration testers
Python for Penetration testersPython for Penetration testers
Python for Penetration testersChristian Martorella
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?Peter Hlavaty
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughterQuinn Wilton
 
Debugging linux
Debugging linuxDebugging linux
Debugging linuxAndrea Righi
 
Pycon Sec
Pycon SecPycon Sec
Pycon Secguesta762e4
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
Solaris DTrace, An Introduction
Solaris DTrace, An IntroductionSolaris DTrace, An Introduction
Solaris DTrace, An Introductionsatyajit_t
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...idsecconf
 
securing_syslog_onFreeBSD
securing_syslog_onFreeBSDsecuring_syslog_onFreeBSD
securing_syslog_onFreeBSDwebuploader
 
Footprinting tools for security auditors
Footprinting tools for security auditorsFootprinting tools for security auditors
Footprinting tools for security auditorsJose Manuel Ortega Candel
 
Static and Dynamic Analysis at Ning
Static and Dynamic Analysis at NingStatic and Dynamic Analysis at Ning
Static and Dynamic Analysis at NingZendCon
 
Эксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPЭксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPPositive Hack Days
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassemblingHarsh Daftary
 
Open source malware analysis
Open source malware analysisOpen source malware analysis
Open source malware analysisS21Sec
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawSource Conference
 

More Related Content

What's hot

One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationQuinn Wilton
 
Webinar alain-2009-03-04-clamav
Webinar alain-2009-03-04-clamavWebinar alain-2009-03-04-clamav
Webinar alain-2009-03-04-clamavthc2cat
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?Peter Hlavaty
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughterQuinn Wilton
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
Solaris DTrace, An Introduction
Solaris DTrace, An IntroductionSolaris DTrace, An Introduction
Solaris DTrace, An Introductionsatyajit_t
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...idsecconf
 
securing_syslog_onFreeBSD
securing_syslog_onFreeBSDsecuring_syslog_onFreeBSD
securing_syslog_onFreeBSDwebuploader
 
Static and Dynamic Analysis at Ning
Static and Dynamic Analysis at NingStatic and Dynamic Analysis at Ning
Static and Dynamic Analysis at NingZendCon
 
Эксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPЭксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPPositive Hack Days
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassemblingHarsh Daftary
 

What's hot (20)

One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform Exploitation
 
System Programming and Administration
System Programming and AdministrationSystem Programming and Administration
System Programming and Administration
 
Webinar alain-2009-03-04-clamav
Webinar alain-2009-03-04-clamavWebinar alain-2009-03-04-clamav
Webinar alain-2009-03-04-clamav
 
Fuzzing - Part 1
Fuzzing - Part 1Fuzzing - Part 1
Fuzzing - Part 1
 
Perl Programming - 01 Basic Perl
Perl Programming - 01 Basic PerlPerl Programming - 01 Basic Perl
Perl Programming - 01 Basic Perl
 
Network programming
Network programmingNetwork programming
Network programming
 
Python for Penetration testers
Python for Penetration testersPython for Penetration testers
Python for Penetration testers
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
 
Debugging linux
Debugging linuxDebugging linux
Debugging linux
 
Pycon Sec
Pycon SecPycon Sec
Pycon Sec
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
Solaris DTrace, An Introduction
Solaris DTrace, An IntroductionSolaris DTrace, An Introduction
Solaris DTrace, An Introduction
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 
securing_syslog_onFreeBSD
securing_syslog_onFreeBSDsecuring_syslog_onFreeBSD
securing_syslog_onFreeBSD
 
Footprinting tools for security auditors
Footprinting tools for security auditorsFootprinting tools for security auditors
Footprinting tools for security auditors
 
Static and Dynamic Analysis at Ning
Static and Dynamic Analysis at NingStatic and Dynamic Analysis at Ning
Static and Dynamic Analysis at Ning
 
Эксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPЭксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAP
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassembling
 

Viewers also liked

Open source malware analysis
Open source malware analysisOpen source malware analysis
Open source malware analysisS21Sec
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawSource Conference
 
Seguridad Lógica y Cibercrimen
Seguridad Lógica y CibercrimenSeguridad Lógica y Cibercrimen
Seguridad Lógica y CibercrimenBBVAtech
 
iPhone + Botnets = Fun
iPhone + Botnets = FuniPhone + Botnets = Fun
iPhone + Botnets = FunDavid Barroso
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendSource Conference
 
Forensic Memory Analysis of Android's Dalvik Virtual Machine
Forensic Memory Analysis of Android's Dalvik Virtual MachineForensic Memory Analysis of Android's Dalvik Virtual Machine
Forensic Memory Analysis of Android's Dalvik Virtual MachineSource Conference
 
Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...
Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...
Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...RootedCON
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationSource Conference
 
Threat Modeling: Best Practices
Threat Modeling: Best PracticesThreat Modeling: Best Practices
Threat Modeling: Best PracticesSource Conference
 
Informe sobre Redes Sociales en España
Informe sobre Redes Sociales en EspañaInforme sobre Redes Sociales en España
Informe sobre Redes Sociales en EspañaIAB Spain
 

Viewers also liked (11)

Open source malware analysis
Open source malware analysisOpen source malware analysis
Open source malware analysis
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
 
Seguridad Lógica y Cibercrimen
Seguridad Lógica y CibercrimenSeguridad Lógica y Cibercrimen
Seguridad Lógica y Cibercrimen
 
iPhone + Botnets = Fun
iPhone + Botnets = FuniPhone + Botnets = Fun
iPhone + Botnets = Fun
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
 
Forensic Memory Analysis of Android's Dalvik Virtual Machine
Forensic Memory Analysis of Android's Dalvik Virtual MachineForensic Memory Analysis of Android's Dalvik Virtual Machine
Forensic Memory Analysis of Android's Dalvik Virtual Machine
 
Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...
Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...
Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitation
 
Threat Modeling: Best Practices
Threat Modeling: Best PracticesThreat Modeling: Best Practices
Threat Modeling: Best Practices
 
Banking Fraud Evolution
Banking Fraud EvolutionBanking Fraud Evolution
Banking Fraud Evolution
 
Informe sobre Redes Sociales en España
Informe sobre Redes Sociales en EspañaInforme sobre Redes Sociales en España
Informe sobre Redes Sociales en España
 

Similar to José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files [RootedCON 2011]

PDF in Smalltalk
PDF in SmalltalkPDF in Smalltalk
PDF in SmalltalkESUG
 
Black Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data RetrievalBlack Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data Retrievalqqlan
 
Lessons learned while building Omroep.nl
Lessons learned while building Omroep.nlLessons learned while building Omroep.nl
Lessons learned while building Omroep.nlbartzon
 
Lessons learned while building Omroep.nl
Lessons learned while building Omroep.nlLessons learned while building Omroep.nl
Lessons learned while building Omroep.nltieleman
 
Strata NY 2017 Parquet Arrow roadmap
Strata NY 2017 Parquet Arrow roadmapStrata NY 2017 Parquet Arrow roadmap
Strata NY 2017 Parquet Arrow roadmapJulien Le Dem
 
#Pharo Days 2016 Data Formats and Protocols
#Pharo Days 2016 Data Formats and Protocols#Pharo Days 2016 Data Formats and Protocols
#Pharo Days 2016 Data Formats and ProtocolsPhilippe Back
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Advanced guide to develop ajax applications using dojo
Advanced guide to develop ajax applications using dojoAdvanced guide to develop ajax applications using dojo
Advanced guide to develop ajax applications using dojoFu Cheng
 
How to use Parquet as a basis for ETL and analytics
How to use Parquet as a basis for ETL and analyticsHow to use Parquet as a basis for ETL and analytics
How to use Parquet as a basis for ETL and analyticsJulien Le Dem
 
Strong typing @ php leeds
Strong typing @ php leedsStrong typing @ php leeds
Strong typing @ php leedsDamien Seguy
 
Python & Django TTT
Python & Django TTTPython & Django TTT
Python & Django TTTkevinvw
 
Strong typing : adoption, adaptation and organisation
Strong typing : adoption, adaptation and organisationStrong typing : adoption, adaptation and organisation
Strong typing : adoption, adaptation and organisationDamien Seguy
 
1.6 米嘉 gobuildweb
1.6 米嘉 gobuildweb1.6 米嘉 gobuildweb
1.6 米嘉 gobuildwebLeo Zhou
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 
Flowinspect - A Network Inspection Tool
Flowinspect - A Network Inspection ToolFlowinspect - A Network Inspection Tool
Flowinspect - A Network Inspection ToolAnkur Tyagi
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysisChong-Kuan Chen
 
NSLogger - Cocoaheads Paris Presentation - English
NSLogger - Cocoaheads Paris Presentation - EnglishNSLogger - Cocoaheads Paris Presentation - English
NSLogger - Cocoaheads Paris Presentation - EnglishFlorent Pillet
 

Similar to José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files [RootedCON 2011] (20)

PDF in Smalltalk
PDF in SmalltalkPDF in Smalltalk
PDF in Smalltalk
 
Black Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data RetrievalBlack Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data Retrieval
 
Lessons learned while building Omroep.nl
Lessons learned while building Omroep.nlLessons learned while building Omroep.nl
Lessons learned while building Omroep.nl
 
Lessons learned while building Omroep.nl
Lessons learned while building Omroep.nlLessons learned while building Omroep.nl
Lessons learned while building Omroep.nl
 
Strata NY 2017 Parquet Arrow roadmap
Strata NY 2017 Parquet Arrow roadmapStrata NY 2017 Parquet Arrow roadmap
Strata NY 2017 Parquet Arrow roadmap
 
#Pharo Days 2016 Data Formats and Protocols
#Pharo Days 2016 Data Formats and Protocols#Pharo Days 2016 Data Formats and Protocols
#Pharo Days 2016 Data Formats and Protocols
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Advanced guide to develop ajax applications using dojo
Advanced guide to develop ajax applications using dojoAdvanced guide to develop ajax applications using dojo
Advanced guide to develop ajax applications using dojo
 
How to use Parquet as a basis for ETL and analytics
How to use Parquet as a basis for ETL and analyticsHow to use Parquet as a basis for ETL and analytics
How to use Parquet as a basis for ETL and analytics
 
Strong typing @ php leeds
Strong typing @ php leedsStrong typing @ php leeds
Strong typing @ php leeds
 
Python & Django TTT
Python & Django TTTPython & Django TTT
Python & Django TTT
 
Strong typing : adoption, adaptation and organisation
Strong typing : adoption, adaptation and organisationStrong typing : adoption, adaptation and organisation
Strong typing : adoption, adaptation and organisation
 
CodeChecker Overview Nov 2019
CodeChecker Overview Nov 2019CodeChecker Overview Nov 2019
CodeChecker Overview Nov 2019
 
1.6 米嘉 gobuildweb
1.6 米嘉 gobuildweb1.6 米嘉 gobuildweb
1.6 米嘉 gobuildweb
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
 
Flowinspect - A Network Inspection Tool
Flowinspect - A Network Inspection ToolFlowinspect - A Network Inspection Tool
Flowinspect - A Network Inspection Tool
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysis
 
Drill at the Chicago Hug
Drill at the Chicago HugDrill at the Chicago Hug
Drill at the Chicago Hug
 
NSLogger - Cocoaheads Paris Presentation - English
NSLogger - Cocoaheads Paris Presentation - EnglishNSLogger - Cocoaheads Paris Presentation - English
NSLogger - Cocoaheads Paris Presentation - English
 

More from RootedCON

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRootedCON
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...RootedCON
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRootedCON
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_RootedCON
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...RootedCON
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...RootedCON
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...RootedCON
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRootedCON
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...RootedCON
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRootedCON
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...RootedCON
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRootedCON
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...RootedCON
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRootedCON
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRootedCON
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...RootedCON
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...RootedCON
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRootedCON
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRootedCON
 

More from RootedCON (20)

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 

Recently uploaded

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Recently uploaded (20)

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files [RootedCON 2011]

  • 1. Obfuscation and (non-)detection of malicious PDF files Jose Miguel Esparza
  • 2. Agenda • Introduction to the PDF format • Obfuscation and evasion techniques • Obfuscation vs. Antivirus • Obfuscation vs. Analysis tools • peepdf • Conclusions
  • 3. Header Body Cross reference table Trailer
  • 4. Introduction to the PDF format • Sequence of objects • Object types – Boolean: true false – Numbers: 123 -98 4. -.002 123.6 – Strings: (hola) <686f6c61> – Names: /Type /Filters – Dictionaries: <</Type /Catalog /Root 1 0 R>> – Arrays: [1.0 (test) <</Length 273>>] – Streams
  • 5. Introduction to the PDF format
  • 6. Introduction to the PDF format • Object types – Indirect objects • Reference: “object_id generation_number R”
  • 7. Introduction to the PDF format • Object types – Indirect objects • Reference: “object_id generation_number R”
  • 8. Introduction to the PDF format • Updatable documents – Older versions stay in the document Header Body Cross reference table Original Trailer Body Cross reference table Update Trailer
  • 9. Introduction to the PDF format • Logical structure – Tree structure – Root node: /Catalog – If an element isn’t in the downward path from the /Catalog DOES NOT EXIST
  • 10. Introduction to the PDF format
  • 11. Introduction to the PDF format • Actions – /Launch – /Javascript – /GoToE (go to embedded) – /URI – /SubmitForm – … • Triggers – /OpenAction: global – /AA: pages, annotations
  • 12. Introduction to the PDF format
  • 13. Introduction to the PDF format
  • 14. Introduction to the PDF format
  • 15. Introduction to the PDF format
  • 16. Obfuscation and evasion techniques • Practical example – pdf.pdf (2009)
  • 20. Obfuscation and evasion techniques • Automatic execution – Avoid /OpenAction – Use of /Catalog elements • /Names • /AcroForm – /AA: applied to pages, annotations…
  • 23. Obfuscation and evasion techniques • Strings to avoid/hide – /Javascript /JS – More than two “unescape” in Javascript code – Characteristic metadata – /pdftk_PageNum
  • 26. Obfuscation and evasion techniques • Suspicious objects? – Strings (21/43) vs. Streams (27/43) • Filters – Avoid known filters: /FlateDecode /ASCIIHexDecode – Parameters (included default ones) – Multiple filters [ /FlateDecode /LZWDecode /RunLengthDecode ]
  • 28. Obfuscation and evasion techniques • Strings/names encoding – Names • Hexadecimal codification /Fl#61#74#65De#63#6f#64e (/FlateDecode) – Strings • Hexadecimal <7368656c6c636f6465> • Octal values 163150145154154
  • 29. Obfuscation and evasion techniques • Strings/names encoding – Names • Hexadecimal codification NO! /Fl#61#74#65De#63#6f#64e (/FlateDecode) – Strings • Hexadecimal <7368656c6c636f6465> • Octal values 163150145154154
  • 34. Obfuscation and evasion techniques • Hiding Javascript code – Functions to obtain parts of the document • getAnnots() • getPageNumWords()/getPageNthWord() •… • Splitting up Javascript code – Several objects in /Names /Names [(part1) 3 0 R (part2) 7 0 R (part3) 10 0 R]
  • 35. Obfuscation and evasion techniques • Duplicated objects • Updated objects • Malformed documents – Garbage bytes in the header – Bad version number (%PDF-1.0) – No xref table – No ending tags: endobj or endstream
  • 38. Obfuscation and evasion techniques • Duplicated objects • Updated objects • Malformed documents – Garbage bytes in the header – Bad version number (%PDF-1.0) – No xref table – No ending tags: endobj or endstream
  • 41. Obfuscation and evasion techniques • Compressed objects (object streams) – Incompatible with malformed documents • Encryption – /Encrypt (streams and strings) – RC4 o AES (40-128bits) – Default password • padding = “x28xBFx4Ex5Ex4Ex75x8Ax41x64x00x4Ex56xFFxFA”+ “x01x08x2Ex2Ex00xB6xD0x68x3Ex80x2Fx0CxA9xFEx64x53x69x7A” • password = password + padding[:32-(len(password))] • password = ‘’ password = padding • Nested PDFs – /EmbeddedFiles
  • 44. Obfuscation and evasion techniques • Compressed objects (object streams) – Incompatible with malformed documents • Encryption – /Encrypt (streams and strings) – RC4 o AES (40-128bits) – Default password • padding = “x28xBFx4Ex5Ex4Ex75x8Ax41x64x00x4Ex56xFFxFA”+ “x01x08x2Ex2Ex00xB6xD0x68x3Ex80x2Fx0CxA9xFEx64x53x69x7A” • password = password + padding[:32-(len(password))] • password = ‘’ password = padding • Nested PDFs – /EmbeddedFiles
  • 46. Obfuscation and evasion techniques • Compressed objects (object streams) – Incompatible with malformed documents • Encryption – /Encrypt (streams and strings) – RC4 o AES (40-128bits) – Default password • padding = “x28xBFx4Ex5Ex4Ex75x8Ax41x64x00x4Ex56xFFxFA”+ “x01x08x2Ex2Ex00xB6xD0x68x3Ex80x2Fx0CxA9xFEx64x53x69x7A” • password = password + padding[:32-(len(password))] • password = ‘’ password = padding • Nested PDFs – /EmbeddedFiles
  • 48. Obfuscation and evasion techniques • Mixing techniques • Summary: – Remove characteristic strings – Split up Javascript code (/Names) – If the code is in: • String octal encoding (143172) • Stream filters (not usuals, parameters) – Compress (object streams) – Encrypt (default password) – Malform (endobj, header) – Nest PDFs
  • 50. Obfuscation vs. Antivirus • Better results – JS in string + octal + no characteristic strings • object stream – malformed + nested + filters with parameters (0/43) http://www.virustotal.com/file-scan/report.html?id=fbfd6df6a14f3cab3742d84af2b7d3d881ad11ef7d1344ba166092c890f47f77-1298457739 – filters with parameters + malformed (0/43) http://www.virustotal.com/file-scan/report.html?id=5a963ca0d20e12851fae7b98bc0e9bcf28cc0e43a12ef33450cf3877b170fa67-1298154940 • malformed: endobj, bad header (2/43) http://www.virustotal.com/file-scan/report.html?id=9759c500df94e2ccc243f00479967ddb77484203403b79e1523ea1148077b565-1298157405 • encrypted (5/43) http://www.virustotal.com/file-scan/report.html?id=9e2195450ee4f2c15f27b3730fb09bf004cc4bd6ef848f039291d9eea0f6b69d-1298054113 • Exploit working
  • 51. Obfuscation vs. Antivirus Antivirus Puntos débiles AntiVir JS in string, without JS strings Avast Embedded, no endobj, Flate params AVG Embedded, Flate params, characteristic strings, without JS strings BitDefender Characteristic strings, octal strings ClamAV Flate params, octal strings, bytes header DrWeb Characteristic strings, octal strings F-Secure Splitted up JS code, octal strings, bytes header, object streams Fortinet Flate params, splitted up JS code, bytes header, metadata GData No endobj, Flate params Kaspersky Flate params, characteristic strings, splitted up JS code, object streams McAfee Execution with /Names, embedded, characteristic strings, hexadecimal names, octal strings, without JS strings
  • 52. Obfuscation vs. Antivirus Antivirus Puntos débiles McAfee-GW Flate params, characteristic strings, octal strings Microsoft Splitted up JS code, octal strings, bytes header, object streams NOD32 Embedded, characteristic strings, bad header (%PDF-1.0) Panda JS in string, without JS strings Prevx No detection Sophos Without JS strings, object stream + malformed endobj, encrypted Symantec Original detection as Downloader, JS in string, without JS strings TrendMicro No detection VBA32 Characteristic strings VirusBuster No detection
  • 53. Obfuscation vs. Analysis tools Herramientas Comentarios Wepawet No encryption support PDFDissector Comercial, not tested PDFStreamDumper Windows, errors with encryption, FlateDecode parameters pdf-parser (Didier) Search in streams not supported, 3 filters, object streams and encryption not supported OPAF Framework, not tested, encryption not supported Origami Good framework (filters, object streams, encryption), it’s necessary to code your own tool (Ruby) PDFExaminer Does not analyse Javascript code and does not look for exploits in object streams and encrypted objects malpdfobj Based on PDFTools (Didier Stevens)
  • 55. peepdf • Characteristics – Python – Command line – Interactive console – Command file option – Last developing phase http://peepdf.eternal-todo.com
  • 57. peepdf • Analysis – Decoding: hexadecimal, octal, names – Most used filters (5) – References in objects and to objects – Strings search (including streams) – Physical structure (offsets) – Tree structure (logical) – Metadata – Changes between versions (changelog) – Compressed objects – Malformed documents support – Javascript analysis and modification (Spidermonkey) • unescape, replace, join – Shellcode analysis (sctest, Libemu) – Variables to improve analysis (set command) – Extraction of different versions
  • 58. peepdf • Creation/Modification – Basic PDF creation – Creation of PDF with Javascript execution – Object compression (object streams) – Nested PDFs creation – Malformed PDFs – Strings and names codification – Filters modification – Object modification
  • 59. peepdf • TODO – Encryption – Nested PDFs analysis – Missing filters – Improve automatic Javascript analysis – GUI
  • 60. Conclusions • Very low detection when: – Nested PDFs – Compressed objects – New filters or filters with parameters – Encryption • Avoid detection by strings • Improve parsers
  • 61. Thanks • People working with PDF stuff: – Julia Wolf – Didier Stevens – Felipe Manzano (feliam) – Origami team – Brandon Dixon –…
  • 62. ???
  • 63. Thanks!! Jose Miguel Esparza jesparza eternal-todo.com jesparza s21sec.com http://eternal-todo.com @eternaltodo