Thursday, August 26, 2010

Gallus, yet another PDF analyzer (alpha)

Introducing Gallus

Gallus is a web-based malware detection service specifically to extract and analyze suspected malicious PDF documents. It is a free service designed to help security researchers and public to detect exploits and extract other useful information contained in PDF documents.

How Gallus Works

Gallus is designed to extract and analyze the malicious components resides inside PDF documents. If the component exist, it will gone through a series of analysis to collect further malicious element that might exist.

Extracting and Parsing

Usually, a malicious PDF document uses JavaScript code to trigger the vulnerability(s) and to execute the payload. By detecting and parsing the embedded JavaScript code, we are able to determine the maliciousness of the PDF document.

Analysis

After the detected code is parsed, a series of analyses will be conducted to obtain the shellcode used for payload and also the vulnerability(s) that’ll be exploited. Most of the malicious PDF document will use obfuscation techniques to bypass the analysis process. To encounter such techniques, Gallus uses Spidermonkey to interpret the obfuscated code plus other deobfuscation modules.

Exploit

From the malicious JavaScript code, we can determine the vulnerability(s) used. To name some of the exploit that usually used inside malicious PDF documents are:

(CVE-2007-5659) collab.CollectEmailInfo
(CVE-2008-2992) util.printf
(CVE-2009-0927) collab.getIcon
(CVE-2009-4324) media.newPlayer

Shellcode

Gallus is able to detect and extract shellcode inside malicious PDF document. From the shellcode obtained, we are able to determine the behaviour of the shellcode by using shellcode analyzer. In a usual cases, we might also found potential malware URL used in URLDownloadToFile payload.

Status

Gallus categorize the submitted PDF document into Malicious, Suspicious, and Benign. Malicious status indicates the exploit and shellcode are detected inside PDF document. Suspicious status indicates the JavaScript code inside the document contains doubtful instructions. Benign status indicates the PDF document does not contains any exploit, shellcode, or doubtful code.

Using Gallus

Gallus allows sample submission via two methods, file submission and URL submission. Upon submitting your file, Gallus will extract and run various analyses to identify the content of the file.

To give it a try, click here.