Security researcher Brandon Dixon has discovered that attackers can thwart detection by most common anti-virus software if they encode malicious PDF files in the XDP format. XDP is an XML-based file format which includes the PDF as a Base64-encoded data stream. XDP files are opened by Adobe Reader just like a normal PDF would be and can therefore infect systems in the same way.

It has been common knowledge for a while that anti-virus software is relatively easy to fool, but that a simple encoding does the trick is still surprising. Dixon's test document, which uses a two-year-old security vulnerability in Adobe Reader, was only detected by one anti-virus package in his tests. After experimenting with the XDP format, he was able to create another file that fooled all 42 anti-virus engines used on VirusTotal.

The exploit Dixon used has long since been patched. In his blog, he writes: "The exploit is old. The JavaScript is not encoded. This should be fixed." To make sure their networks are not attacked, users should avoid XDP files in general until Adobe patches its software or the anti-virus companies fix their detection methods. A commenter on Dixon's blog post points out that this kind of exploit has been known about publicly since at least the beginning of 2011.

(fab)