The heuristics can be bypassed by a specially formatted PDF "container", which lets malicious PDF files, old or new, slip past detection. This is not a bypass that relies on archive structures; it relies on evading certain code paths in the AV engine "through various means".
Vulnerable Systems:
* Kaspersky Internet Security
* Kaspersky Anti-Virus
* Kaspersky Mobile Security
* Kaspersky Small Office Security
* Kaspersky Open Space Security
* Kaspersky Business Space Security
* Kaspersky Work Space Security
* Kaspersky Enterprise Space Security
* Kaspersky Targeted Security
* Kaspersky Anti-Virus for Microsoft ISA Server
* Kaspersky Anti-Virus for Proxy Server
* Kaspersky Anti-Virus for Check Point Firewall-1
* Kaspersky Anti-Virus for Windows Server
* Kaspersky Anti-Virus for Windows Server Enterprise Edition
* Kaspersky Anti-Virus for Novell NetWare
* Kaspersky Anti-Virus for Linux File Server
* Kaspersky Anti-Virus for Samba Server
* Kaspersky Security for Microsoft Exchange 2007
* Kaspersky Security for Microsoft Exchange 2003
* Kaspersky Anti-Virus for Lotus Notes/Domino
* Kaspersky Anti-Virus for Windows Workstation
* Kaspersky Anti-Virus for Linux Workstation
* Kaspersky Anti-Virus for Linux Mail Server
* Kaspersky Mail Gateway
* Kaspersky Anti-virus for MIMEsweeper
PDF files are not parsed correctly. A PDF file starts with the magic bytes "%PDF" and ends with the marker "%%EOF"; everything between those markers is parsed and interpreted. Furthermore, PDF files are read from the bottom to the top.
Neither Adobe Acrobat nor Foxit Reader cares much about the data that comes before the magic bytes; the Kaspersky engine does. Not only does it care, it then fails to detect the malware inside the PDF file.
A PDF file is basically a container that starts with %PDF and ends with %%EOF.
What follows are the details of this evasion. Note that this one is generic and the easiest one; there are plenty more.
Example of a malicious PDF file:
%PDF
Malicious content here
%%EOF
Doing this instead:
Enter stuff here, like random text.
%PDF
Malicious content here
%%EOF
This has the result that the malware is no longer detected.
Note: Not a single byte of the malware itself has been altered, and strictly speaking the content that represents the PDF file hasn't been changed at all.
This has been tested with several malicious PDF files and represents a generic evasion of all PDF signatures and heuristics.
Kaspersky was given the PoC file directly through myself and F-Secure. They went ahead and patched this by adding a signature for the PoC file; adding a PE header in front of a PDF file (with a PDF extension) still evades detection, and the exploit still triggers when opening the file with Adobe. Thus the patch is flawed by design.
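A defender-side check of the parsing gap described above, written as an added example (not code from the advisory or from Kaspersky): it locates the PDF container wherever it begins instead of requiring "%PDF" at offset 0, so existing PDF signatures can run on the bytes the reader actually interprets. The 1024-byte search window is an assumption about how far into a file readers tolerate leading data, not a figure from the advisory.

```python
from typing import Optional, Tuple

# Assumed tolerance window: readers accept a "%PDF" header some way into the
# file (1024 bytes is an assumption, not taken from the advisory). A scanner
# that only checks offset 0 never sees such files as PDFs.
HEADER_WINDOW = 1024
PDF_MAGIC = b"%PDF"
EOF_MARKER = b"%%EOF"


def locate_pdf_container(data: bytes, window: int = HEADER_WINDOW) -> Optional[Tuple[int, int]]:
    """Return (start, end) of the embedded PDF container, or None.

    start is the offset of "%PDF"; end is one past the last "%%EOF".
    Unlike an offset-0 check this tolerates arbitrary leading bytes
    (random text, a PE header, ...), which is exactly the gap described.
    """
    start = data.find(PDF_MAGIC, 0, window + len(PDF_MAGIC))
    if start == -1:
        return None
    end = data.rfind(EOF_MARKER)
    if end == -1 or end < start:
        return None
    return start, end + len(EOF_MARKER)


def classify(data: bytes) -> str:
    """Route a sample: 'pdf' (header at offset 0), 'pdf-with-prefix'
    (container preceded by junk: send it to the PDF analyser anyway and
    flag the prefix), or 'not-pdf'."""
    loc = locate_pdf_container(data)
    if loc is None:
        return "not-pdf"
    return "pdf" if loc[0] == 0 else "pdf-with-prefix"


def extract_container(data: bytes) -> Optional[bytes]:
    """Return the bytes the PDF reader would interpret, so PDF
    signatures and heuristics scan the same view the reader gets."""
    loc = locate_pdf_container(data)
    return None if loc is None else data[loc[0]:loc[1]]


# Constructed samples (benign, not real malware): one body with and without a
# leading prefix, mirroring the two layouts shown above.
BODY = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"
TEXT_PREFIX = b"Enter stuff here, like random text.\n" + BODY
MZ_PREFIX = b"MZ" + b"\x00" * 62 + BODY  # stand-in for a PE header in front

if __name__ == "__main__":
    for name, sample in (("plain", BODY), ("text", TEXT_PREFIX), ("mz", MZ_PREFIX)):
        print(name, classify(sample), locate_pdf_container(sample))
```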
Disclosure Timeline:
15/05/2009 : Sent proof of concept, a description of the terms under which I cooperate and the planned disclosure date. No reply.
xx/05/2009 : F-Secure sends the same sample to Kaspersky
01/06/2009 : Re-sent the proof of concept, a description of the terms under which I cooperate and the planned disclosure date. No reply.
03/06/2009 : F-Secure informs me that the sample was submitted to Kaspersky
03/06/2009 : Informed F-Secure to communicate with Kaspersky and please ask them to reply to my notifications.
03/06/2009 : Kaspersky Moscow visits my blog, searches for "AVP" and "Kaspersky".
04/06/2009 : Discovered that the PoC file is now detected by the latest Kaspersky update.
04/06/2009 : Discovered that adding a few bytes evades the engine again.
09/06/2009 : Release of this advisory on the blog and Twitter. Hoping for any reaction prior to sending it to Bugtraq.
13/06/2009 : Release to Bugtraq et al.