01.11
Recently we have seen an increase in malware attacks targeting multimedia formats. One of the formats targeted recently is PDF, a popular document format. The latest, still unpatched exploit targeting this format, CVE-2009-4324, is particularly dangerous because it allows malicious content to be downloaded and executed on the affected system or, if that fails, results in a denial of service. Static analysis of the exploit showed how it operates and described the bug inside out, but we couldn't help but wonder... Could we have prevented such an attack on a live system? Can we prevent future attacks that work similarly?
With those questions in mind, and the phrase "Swiss army knife for reverse engineering" used to describe our TitanEngine, we decided to create a small project that could help us prevent these attacks. That project is called TitanGuard, and it is a simple sandbox built around TitanEngine that prevents the download of malicious content and its execution. Once installed, the program monitors the application's actions and asks the user how to respond to suspicious behavior. This way CVE-2009-4324 and all future attacks targeting the PDF file format and its most popular viewer can be prevented. Furthermore, this kind of tool enables safe run-time analysis regardless of the exploit used, since we can always block the file's execution and study the downloaded files. Until next time...
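As an added illustration (this is not TitanGuard's code and is not built on TitanEngine), the following Python sketches the policy described above: a monitor receives the actions reported for the document viewer (file writes, network connections, process creation), remembers which files the viewer itself wrote, and asks the user before letting the viewer start a process, in particular one it just wrote, which is the download-and-execute pattern. The process id, paths and event stream are constructed for the example; in a real sandbox these events would come from API hooks or a debugger layer rather than from a Python list.

```python
"""
Behaviour-based blocking of the "download, then execute" pattern.

Constructed illustration: the events below are hand-made objects standing
in for what a hooking/debugging layer would report about a PDF viewer.
Nothing here touches a real process.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Callable, List, Set, Tuple

# File types whose creation by a document viewer is worth asking about.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}


@dataclass(frozen=True)
class Event:
    kind: str          # "file_write" | "process_create" | "net_connect"
    pid: int           # process that performed the action
    target: str = ""   # file path or remote endpoint, depending on kind


@dataclass
class Verdict:
    event: Event
    allowed: bool
    reason: str


class BehaviourMonitor:
    """Tracks what the monitored viewer writes and gates attempts to execute it."""

    def __init__(self, monitored_pid: int, ask_user: Callable[[str], bool]):
        self.monitored_pid = monitored_pid
        self.ask_user = ask_user              # UI prompt stand-in; True means "allow"
        self.written: Set[str] = set()        # normalised paths the viewer has written
        self.verdicts: List[Verdict] = []

    @staticmethod
    def _norm(path: str) -> str:
        # Windows paths are case-insensitive; compare them in one canonical form.
        return str(PureWindowsPath(path)).lower()

    def _record(self, ev: Event, allowed: bool, reason: str) -> Verdict:
        v = Verdict(ev, allowed, reason)
        self.verdicts.append(v)
        return v

    def handle(self, ev: Event) -> Verdict:
        if ev.pid != self.monitored_pid:
            return self._record(ev, True, "process not monitored")
        if ev.kind == "net_connect":
            return self._record(ev, True, "network activity noted")
        if ev.kind == "file_write":
            path = self._norm(ev.target)
            if PureWindowsPath(path).suffix in EXECUTABLE_EXTS:
                ok = self.ask_user(f"viewer is writing an executable: {ev.target}")
                if ok:
                    self.written.add(path)
                return self._record(ev, ok, "executable written by document viewer")
            self.written.add(path)
            return self._record(ev, True, "ordinary file write")
        if ev.kind == "process_create":
            path = self._norm(ev.target)
            if path in self.written:
                ok = self.ask_user(f"viewer wants to run a file it created: {ev.target}")
                return self._record(ev, ok, "executing own output (download-and-execute)")
            ok = self.ask_user(f"viewer wants to start a process: {ev.target}")
            return self._record(ev, ok, "document viewer spawning a process")
        return self._record(ev, True, "unknown event kind, passed through")


# ---- constructed sample: a viewer fetches a payload and tries to run it ----
VIEWER_PID = 4242  # constructed pid
SAMPLE_EVENTS = [
    Event("file_write", VIEWER_PID, r"C:\Users\alice\AppData\Local\Temp\report.pdf"),
    Event("net_connect", VIEWER_PID, "203.0.113.7:80"),  # TEST-NET-3 address
    Event("file_write", VIEWER_PID, r"C:\Users\alice\AppData\Local\Temp\Update.EXE"),
    Event("process_create", VIEWER_PID, r"c:/users/alice/appdata/local/temp/update.exe"),
    Event("process_create", 1000, r"C:\Windows\System32\notepad.exe"),  # unrelated process
]


# Three stand-ins for the user's answer to the prompt.
def deny_all(prompt: str) -> bool:
    return False


def allow_all(prompt: str) -> bool:
    return True


def study_only(prompt: str) -> bool:
    # Let the dropped file land on disk so it can be collected, but never run it.
    return not prompt.startswith("viewer wants to")


def run_sample(ask_user: Callable[[str], bool]) -> List[Tuple[str, bool, str]]:
    mon = BehaviourMonitor(VIEWER_PID, ask_user)
    return [(v.event.kind, v.allowed, v.reason) for v in map(mon.handle, SAMPLE_EVENTS)]


if __name__ == "__main__":
    for line in run_sample(study_only):
        print(line)
```

The `study_only` policy is the run-time analysis mode mentioned above: the viewer's writes are allowed so the dropped file can be collected for examination, but the attempt to execute it is refused. Path comparison is done on a lower-cased, backslash-normalised form so that a file written as `Update.EXE` and later launched as `update.exe` through forward slashes is still recognised as the viewer's own output.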