PDF as XDP Antivirus Bypass

About a week ago, Brandon Dixon blogged about malicious PDF sample in the wild that was a PDF in a XDP file. XDP is an XML Data Package. What he found was antivirus and IPS scanners weren’t looking inside the XDP file to see the malicious code in the contained PDF. For the lay person, this is roughly analogous to not scanning for malware inside a zip file.

Don’t Panic

Graham Cluley over at Sophos says “don’t panic” (and carry a towel).That’s generally good advice. Although, I’m not sure who was panicking. A search of the RSS feeds I follow show no one talking about this. Perhaps all the panicking now occurs on Twitter. At any rate, he point is that when the user gets the malicious file and opens the XDP which opens the PDF, the desktop antivirus will detect the PDF.

People buy antivirus gateways (particularly web and email) for a reason. They want to stop the malware before it gets to the desktop. They want to run different malware scanners (venders) at the gateway for better defense. They want to run scans that can take a bit longer than you can get away with on a desktop (sandbox, VMs etc). On each individual desktop the AV could be disabled or out of date.

So there are many reasons for running an anti-malware gateway. So this attack basically bypassing that protection layer is nothing to sneeze at.  Graham reports Sophos has updated their gateways so this type of attack wont slip through.    If you’re an admin, you should check if your vender is on top of this as well.