Aerosol Posted March 4, 2015 Report Posted March 4, 2015 Greyscale pics are a great place to hide malcodeHackers can duck antivirus programs and execute malware in Adobe Reader by using greyscale images, says Danish security boffin Dénes Óvári.Lossy compression is thought to be susceptible to the DCTDecode filter, which should nuke malware woven into images and blunt this form of attack.However new intelligence published in the paper Script in a Lossy Stream (PDF) shows bad guys and penetration testers can use the filter within PDF documents to hide malcode using JPEG images that are set to greyscale to avoid distortion.This process gives antivirus and human malware analysts the slip as they generally assume any malcode hiding in the JPEG filter will be compressed and scrambled.“Following the introduction of a sandbox for JavaScript code in Acrobat Reader, the use of PDF as an attack vector decreased dramatically,” Óvári says.“Although this is not a security breach in itself, the fact that the usage of DCTDecode for this purpose has seemingly been ruled out by the industry means that even known threats could be hidden in this way from anti-virus scanners or researchers.“In order to provide users with maximum protection, the DCTDecode stream must no longer be overlooked: in PDF reader implementations, the referencing of uncompressed image data as parameters from objects expecting binary data should be prohibited.”Óvári says attacks still require exploits to be used inside the DCTDecode stream, reducing the overall threat presented by the research.He created a proof of concept attack in which he says a script was encoded as a high-quality greyscale JPEG image, placed in an image object filtered with DCTDecode, and then referenced by a JavaScript action entry.“When opening the document, the alert dialog just pops up under the old Reader 9, proving that the code of the short script was decompressed losslessly,” he says.The attack still works under the latest version of Reader with some small modification.Óvári says other file formats that assume data within JPEGs uses lossy compression while a greyscale mode is available should be re-evaluated. Source Quote