How to really obfuscate your malware PDF files

Presented at REcon 2010, July 9, 2010, 2 p.m. (60 minutes)

During my work as a PDF malware analyst I have seen lots and lots of PDF files that try to use code obfuscation techniques to make analysis harder. Most malware authors completely botch obfuscation though. In this talk I will walk the audience through examples of botched code obfuscation techniques, what went wrong, and how to fix the failed obfuscation attempts. Along the way I will give a general introduction to the PDF format, which I expect to be a major exploit vector of 2010.


Presenters:

  • Sebastian Porst
    After finishing his Masters degree in Computer Science in 2007, Sebastian joined zynamics GmbH as lead developer of the reverse engineering IDE BinNavi, the collaborative RE information sharing tool BinCrowd, and the malware PDF analysis tool PDF Inspector. Among other things, he is responsible for developing and implementing new static code analysis algorithms for both vulnerability development and malware analysis. Sebastian has been a speaker at various IT security conferences including CanSecWest, SOURCE Barcelona, Hack in the Box, and hack.lu.