Invincea Document Protection: Preventing PDF exploits

Exploiting Adobe PDF files is currently the method of choice for installing malware on a computer. Michael Kassner reports on a new countermeasure that opens PDFs in a separate virtual environment.

According to Kaspersky Lab's Information Security Threats in the First Quarter of 2010 Report, exploiting Adobe applications accounted for almost half of all reported security threats. Furthermore, Symantec's Internet Security Threat Report released in April 2010 declared Adobe infections to be the number one Internet-based infection vector in 2009.

In a press release today, Invincea, Inc. announced that they have a solution. If that name sounds familiar, it might be due to my article, "Invincea Browser Protection: Using the power of virtualization to combat malware."

Dr. Ghosh and the Invincea team determined the same virtual environments used to keep computers safe from malicious web-browser downloads can also protect computers from PDF documents embedded with malware. With that in mind, the team developed Document Protection.

Since the application is new, I had few details of how Document Protection worked. So, I contacted Dr. Ghosh to have him explain:

TechRepublic: With the problems facing Adobe, your wanting to develop Document Protection is understandable. Could you give us an overview of the add-on?

Invincea: Attackers use PDF files as their primary method to spread malware. The PDF format is easy to understand. It also supports scripting and commands that can be leveraged to create effective attacks. Our research has shown full virtualization of Adobe applications and Internet browsers is necessary to defend against the sophisticated threats hitting users today.

Document Protection does just that. It is an expansion of Browser Protection focused on protecting users against malware embedded in PDF files. By coupling the two, we have a solution that effectively eliminates a majority of malware threats.

TechRepublic: Adobe just released Protected Mode for Adobe Reader. How is Document Protection similar? How is Document Protection different?

Invincea: Adobe's Reader X with Protected Mode will help against certain conventional attacks against the PDF rendering engine. But, that is not enough. Attacks that exploit the rendering engine will remain resident in memory and perform the following activities:
  • Read and exfiltrate data from the system registry and/or user's file system.
  • Attack other machines and devices on the network.
  • Use Reader as a stepping stone to execute other exploits against the host system including attacks against kernel services.

The exposures left by Adobe's Protected Mode are significant. They can only be addressed by providing a comprehensive sandbox that protects all Adobe Reader components, shared libraries it uses, the kernel, and ultimately the network.

TechRepublic: Browser Protection puts the web browser in a locked-down environment. Does Document Protection work the same way?

Invincea: Absolutely. Browser Protection provides protection against exploits targeting the browser by moving the browser into a secure virtualized environment.

With Document Protection, we've extended the same approach to Adobe Reader. Whenever a user opens a PDF file, the document is moved from the native operating system into a separate virtual environment where the document is opened in Adobe Reader.

TechRepublic: How does Document Protection "know" that malicious behavior has been initiated?

Invincea: Detection is driven by a combination of behavioral-based malware detection in combination with strict control of the virtualized operating system. Since we design and control the virtual environment, we know exactly how it is supposed to function and can detect any abnormalities in real time.

For example, PDF exploits we frequently detect are buffer overflows directed at Adobe Reader. In many cases, the purpose of the attack is to provide remote-login services for the cyber adversary. This behavior pattern is abnormal for Adobe. We know that and take the appropriate action.

TechRepublic: For those not familiar with Browser Protection, what will Document Protection do if and when it senses abnormal behavior?

Invincea: If any malicious behavior is detected, including installing software, Document Protection automatically stops the session, captures forensic data including the signature of the malicious software, removes the tainted environment, and restores the virtual environment to a known good state.

TechRepublic: The product sheet mentions that PDF documents can be saved to a protected download directory. Could you explain what that is and how it works?

Invincea: The directory is part of Browser Protection. Specifically, where downloaded documents are stored and opened safely. For example, when a PDF file is chosen by the user, Document Protection copies the document to the directory's virtual environment for display. This all occurs automatically, without user intervention.

TechRepublic: In my article about Browser Protection, several members mentioned that sandbox applications do the same thing. How would you respond to that?

Invincea: Sandbox applications use reduced-privilege level as the primary protection mechanism. Meaning programs like Adobe Reader could not be used to install software. There is a problem with that approach. Malicious code executing within Adobe can read files from the Desktop or My Documents folder and ship them offsite.

In Document Protection, Adobe Reader is run in a fully virtualized environment that isolates the application from the desktop, while including the full set of system libraries the application needs within the virtual machine. Therefore, any exploit that occurs within Adobe or through Adobe to the operating system will stay confined within the virtual machine.

Finally, we've paid attention to usability. The user is not asked to make any security decisions like you find in sandboxing applications. Using Document Protection is no different from using Adobe Reader natively.

TechRepublic: I noticed some printing problems when using other sandbox applications. How does Document Protection avoid those?

Invincea: Invincea has solved the problem of being able to print from a fully virtualized environment to the user's designated printer. No additional set-up or steps on the user's part are required. Printing works just as you expect it should. We don't call attention to this because it should just work and in our case it does.

TechRepublic: Does Document Protection work with other PDF readers?

Invincea: Document Protection opens PDF files in Adobe Reader. We are not supporting other PDF readers at this time.

TechRepublic: I checked the Invincea web site and did not see how to obtain either Browser Protection or Document Protection. When will they be available to the general public? Do you have pricing information?

Invincea: Both products are generally available. Interested parties should contact for more information, including pricing structures. Alternatively, we can be reached by calling 703.352.7680.

Final thoughts

With malware morphing daily, using virtual environments to isolate individual applications is a good idea. Having Document Protection work in the background and remove any decision-making from the user is also a good idea. Hopefully, apps like Document Protection will eliminate PDF malware as the number-one threat.

Thanks to Dr. Ghosh for taking the time to explain how Document Protection works.