Schneier on Security
A blog covering security and security technology.
November 13, 2008
Watching a Malware Author Work
Using the incremental update feature of pdf files to watch a malware author create his exploit.
Posted on November 13, 2008 at 6:04 AM
The scary part (at least to me) is the unique ID.
I'm having the same problem :-)
Randy: in a pdf, it looks like you need to assign the resulting id, or the gc clobbers the calls.
Anybody know how the unique ID is actually calculated?
Is it by some useful method like CPU ID + MAC Address, or some other "pin the tail on the donkey" method?
@clive Robinson Per Adobe's PDF Reference:
File identifiers are defined by the optional ID entry in a PDF file’s trailer dictionary (see Section 3.4.4, “File Trailer”; see also implementation note 162 in Appendix H). The value of this entry is an array of two byte strings. The first byte string is a permanent identifier based on the contents of the file at the time it was originally created and does not change when the file is incrementally updated. The second byte string is a changing identifier based on the file’s contents at the time it was last updated. When a file is first written, both identifiers are set to the same value. If both identifiers match when a file reference is resolved, it is very likely that the correct file has been found. If only the first identifier matches, a different version of the correct file has been found.
To help ensure the uniqueness of file identifiers, it is recommended that they be computed by means of a message digest algorithm such as MD5 (described in Internet RFC 1321, The MD5 Message-Digest Algorithm; see the Bibliography), using the following information (see implementation note 163 in Appendix H):
• The current time
• A string representation of the file’s location, usually a pathname
• The size of the file in bytes
• The values of all entries in the file’s document information dictionary (see Section 10.2.1, “Document Information Dictionary”)
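As an added example (my own code, not from the post, its commenters or Adobe): a small Python script that pulls every /ID pair out of a PDF's trailer dictionaries in file order and reports whether the file carries more than one %%EOF, whether the permanent identifier stayed fixed across those revisions, and how many revisions were saved after creation. That is the history the post relies on: an incremental update appends to the file instead of rewriting it, so each earlier trailer (and its ID pair) is still there to read. The SAMPLE_PDF bytes are constructed for this demonstration and contain nothing but a harmless annotation; cross-reference tables are omitted for brevity. compute_file_id is a sketch of the spec's recommended computation with an assumed byte encoding, not Adobe's implementation.

```python
import hashlib
import re

# Constructed sample PDF (not a real or malicious file): an original document
# followed by one incremental update that appends a new object and a second
# trailer. Only the trailer / %%EOF structure matters for this demonstration;
# xref tables are left out for brevity.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 3 "
    b"/ID [<0123456789abcdef0123456789abcdef> <0123456789abcdef0123456789abcdef>] >>\n"
    b"%%EOF\n"
    # --- incremental update: every byte above is left untouched ---
    b"3 0 obj\n<< /Type /Annot /Subtype /Text /Contents (revised) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 4 /Prev 0 "
    b"/ID [<0123456789abcdef0123456789abcdef> <fedcba9876543210fedcba9876543210>] >>\n"
    b"%%EOF\n"
)

# /ID [<hex> <hex>] as written in a trailer dictionary (in PDF 1.5+ the same
# entry can live in a cross-reference stream dictionary; this pattern catches
# both because it does not depend on the 'trailer' keyword).
ID_PATTERN = re.compile(rb"/ID\s*\[\s*<([0-9A-Fa-f]+)>\s*<([0-9A-Fa-f]+)>\s*\]")


def extract_file_ids(data: bytes) -> list[tuple[str, str]]:
    """Return every (permanent_id, changing_id) pair in file order."""
    return [(a.decode().lower(), b.decode().lower())
            for a, b in ID_PATTERN.findall(data)]


def revision_report(data: bytes) -> dict:
    """Summarise how many revisions a file carries and what its IDs reveal."""
    ids = extract_file_ids(data)
    eof_markers = data.count(b"%%EOF")
    return {
        "eof_markers": eof_markers,
        # more than one %%EOF means the file was saved incrementally
        "incrementally_updated": eof_markers > 1,
        "id_pairs": len(ids),
        # per the spec, the first ID never changes across incremental updates
        "permanent_id_stable": len({first for first, _ in ids}) <= 1,
        # a revision whose second ID differs from the first was saved after creation
        "updated_revisions": sum(1 for first, second in ids if first != second),
    }


def compute_file_id(created_at: float, location: str, size: int, info: dict) -> str:
    """Sketch of the spec's recommended ID computation: an MD5 over the
    creation time, the file location, the size in bytes and the entries of
    the document information dictionary. The spec fixes the inputs but not
    their encoding, so the byte layout here is an assumption."""
    h = hashlib.md5()  # fingerprint only, as the spec suggests; not a security hash
    h.update(repr(created_at).encode())
    h.update(location.encode("utf-8"))
    h.update(str(size).encode())
    for key in sorted(info):  # sorted so dictionary order cannot change the digest
        h.update(key.encode("utf-8"))
        h.update(str(info[key]).encode("utf-8"))
    return h.hexdigest()


if __name__ == "__main__":
    for i, (first, second) in enumerate(extract_file_ids(SAMPLE_PDF), 1):
        print(f"revision {i}: permanent={first} changing={second}")
    print(revision_report(SAMPLE_PDF))
```

On a real file the report alone tells a triage analyst whether there is history worth carving: with one %%EOF there is nothing earlier to recover, while several %%EOF markers with a stable first ID and a moving second ID mean the same document was re-saved in place, and each trailer's /Prev chain leads back to an earlier state of the file.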
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.