This document discusses hiding malicious content in PDF documents by embedding a legitimate PDF document and a malicious TIFF image file together, then digitally signing the combined file. The signature would still be valid after changing the file extension, since the actual file contents were not altered by adding the hidden TIFF image before signing. This technique could be used to trick a victim into unknowingly signing a document containing hidden malicious content. Tools like Photoshop, Hex Workshop and ImageMagick are used to generate the files and embed the content for the proof-of-concept attack.

1. Hiding Malicious Content in PDF Documents Sabin Popescu, InfoSec, MTA, RO Coordinating Professor: Lect. Dr. Mihai Togan • Contact: sabin.popescu@yahoo.com • http://www.mta.ro

2. Outline Objectives: Proof-of-concept for digital signatures vulnerability… that shows the ineffectiveness of the WYSIWYS (What You See Is What You Sign) concept. In other words: Make your victim sign a malicious document, by hiding it in a legitimate document.

3. Outline Objectives: Proof-of-concept for digital signatures vulnerability… that shows the ineffectiveness of the WYSIWYS (What You See Is What You Sign) concept. In other words: Make your victim sign a malicious document, by hiding it in a legitimate document. Methodology: Generate 2 different types of content: Text > PDF (legit); Image > TIFF (malicious); Embed the PDF document inside the TIFF image; Give the victim the “PDF” (actually a polymorphic file) and obtain the signature; Change the extension to the other file format.

5. The destructive potential is considerable, as PDF is widely used in e-government and e-business contexts.

7. Difficulties > TIFF Structure: Recalculating the offsets of the TIFF image parameters that got shifted upon inserting the PDF document. TIFFs are organized in Image File Directories (IFD) which contain 12 byte sequences that define parameters like resolution, dimensions, compression etc.

8. Demo

9. Detecting the attack