SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Malicious PDF document files and malicious executables packaged as anti-virus software have become a popular malware-carrying medium. As this paper neared completion, a well-crafted and rather advanced malicious PDF document exploiting CVE-2009-4324 with a multi-stage shellcode was circulating, while at the same time end users were increasingly being tricked into installing fake anti-virus software and scanning their computers with it.

This paper presents both behavioral and code analysis of a blended threat with PDF and fake anti-virus software payloads, starting simply from a click on a URL. It describes a controlled test environment set up for malware analysis, the required tools, the methodology and the findings. In the section on binary analysis of the fake anti-virus software payload, unpacking techniques and code reverse engineering are demonstrated and uncover some hidden artifacts. For the malicious PDF analysis, a progressive "unpeeling" of the file's protection layers is carried out via deobfuscation.

To conclude, PDF malware and fake anti-virus software increase their chance of success through stealthy code execution and social engineering tricks. We discuss challenges and solutions for dealing with fake anti-virus software and PDF malware from the perspectives of file integrity checking, operating system and software security configuration.
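The two defensive techniques the abstract names, peeling a compression layer off a PDF to expose the action keywords hidden beneath it, and checking dropped binaries against a known-good hash manifest, are shown below in a small added example. This code is not from the paper; the PDF fixture is constructed by hand (a catalog whose /OpenAction points at a FlateDecode-compressed action object carrying a harmless alert), the keyword list is a common triage list rather than anything the paper prescribes, and the manifest entries are made-up placeholders.

```python
import hashlib
import re
import zlib

# Keywords whose presence in a PDF warrants closer inspection (common triage list,
# an assumption of this example, not the paper's own list).
SUSPICIOUS_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")

# Matches "stream ... endstream" bodies; DOTALL because stream data spans lines.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def build_sample_pdf() -> bytes:
    """Constructed fixture: a minimal PDF whose /OpenAction points at a
    FlateDecode-compressed action object. The JavaScript is a harmless
    alert; the point is that the keywords are invisible in the raw bytes."""
    hidden = b"<< /Type /Action /S /JavaScript /JS (app.alert('constructed sample')) >>"
    compressed = zlib.compress(hidden)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
        b"2 0 obj << /Length " + str(len(compressed)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + compressed + b"\nendstream\nendobj\n"
        b"%%EOF\n"
    )


def extract_streams(pdf: bytes) -> list:
    """Return every stream body, inflated when its object dictionary declares
    /FlateDecode. Streams that fail to inflate are kept raw rather than
    dropped, since a deliberately corrupted stream is itself a finding."""
    bodies = []
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        # The object dictionary sits between the nearest preceding "obj" and the stream keyword.
        dict_start = pdf.rfind(b"obj", 0, m.start())
        header = pdf[max(dict_start, 0):m.start()]
        if b"/FlateDecode" in header:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass
        bodies.append(body)
    return bodies


def find_indicators(pdf: bytes) -> dict:
    """Count suspicious keywords in the non-stream part of the file and in
    each decoded stream, i.e. after the compression layer is peeled off."""
    surfaces = [STREAM_RE.sub(b"", pdf)] + extract_streams(pdf)
    counts = {}
    for key in SUSPICIOUS_KEYS:
        n = sum(s.count(key) for s in surfaces)
        if n:
            counts[key.decode()] = n
    return counts


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_manifest(files: dict, manifest: dict) -> list:
    """File integrity check: return names whose SHA-256 differs from the
    known-good manifest or that are absent from it (e.g. a dropped fake AV binary)."""
    return sorted(name for name, data in files.items()
                  if manifest.get(name) != sha256_hex(data))


if __name__ == "__main__":
    sample = build_sample_pdf()
    print("raw bytes mention /JavaScript:", b"/JavaScript" in sample)
    print("indicators after inflating streams:", find_indicators(sample))
    # Constructed manifest and observed files; the second file is an unknown drop.
    good = {"setup.exe": sha256_hex(b"constructed legitimate installer")}
    observed = {"setup.exe": b"constructed legitimate installer",
                "AntiVirusPro.exe": b"constructed dropper"}
    print("integrity mismatches:", verify_manifest(observed, good))
```

The first print shows that a plain string search over the raw file misses the action keywords entirely; only after inflating the stream does `find_indicators` report `/JavaScript`, `/JS` and `/OpenAction`. Real samples stack further layers (ASCIIHex, LZW, RunLength, encrypted strings inside the script itself), so the same loop is applied repeatedly on each decoded result until nothing new appears, which is the "progressive unpeeling" the paper refers to.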