Attackers can evade detection by most common antivirus (AV) software if they encode malicious PDF files in the XDP format.
XDP is an XML-based file format which includes the PDF as a Base64-encoded data stream. Adobe Reader will open XDP files just like a normal PDF and can therefore infect systems in the same way, said security researcher Brandon Dixon.
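As an added example (not from Dixon's write-up or Adobe's code), the defensive check this implies: unwrap the XDP envelope, base64-decode the embedded stream, and run byte-signature matching on the decoded PDF rather than on the XML text. The sample XDP and the signature patterns are constructed, and the code assumes the usual XDP layout in which the PDF bytes sit base64-encoded in `<chunk>` elements under `<pdf><document>`.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample: a harmless minimal PDF, wrapped in an XDP envelope the way
# Adobe Reader expects (PDF bytes base64-encoded inside <pdf><document><chunk>).
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n%%EOF\n"
SAMPLE_XDP = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">\n'
    b'  <pdf xmlns="http://ns.adobe.com/xdp/pdf/">\n'
    b'    <document>\n'
    b'      <chunk>' + base64.b64encode(SAMPLE_PDF) + b'</chunk>\n'
    b'    </document>\n'
    b'  </pdf>\n'
    b'</xdp:xdp>\n'
)

# Constructed example patterns (a real scanner carries its own signatures). They
# match PDF syntax that is only visible once the base64 wrapper has been removed.
SIGNATURES = {
    "pdf-openaction": b"/OpenAction",
    "pdf-javascript": b"/JavaScript",
}


def extract_embedded_pdf(xdp_bytes: bytes) -> bytes:
    """Unwrap an XDP document and return the decoded PDF byte stream."""
    # xml.etree is used for brevity; parse untrusted XML with defusedxml instead.
    root = ET.fromstring(xdp_bytes)
    chunks = []
    for el in root.iter():
        # Compare on the local name so namespace prefixes do not matter.
        if el.tag.rsplit("}", 1)[-1] == "chunk" and el.text:
            chunks.append(re.sub(rb"\s+", b"", el.text.encode("ascii")))
    return base64.b64decode(b"".join(chunks))


def scan_bytes(data: bytes, signatures=SIGNATURES) -> list:
    """Return the names of signatures whose byte pattern occurs in data."""
    return sorted(name for name, pat in signatures.items() if pat in data)


def scan_xdp(xdp_bytes: bytes, signatures=SIGNATURES) -> dict:
    """Scan both the raw XML and the decoded payload so the detection gap is visible."""
    pdf = extract_embedded_pdf(xdp_bytes)
    return {
        "is_pdf": pdf.startswith(b"%PDF-"),
        "raw_hits": scan_bytes(xdp_bytes, signatures),  # what a naive scan sees
        "decoded_hits": scan_bytes(pdf, signatures),    # what a decoding scan sees
    }
```

Running `scan_xdp(SAMPLE_XDP)` shows no hits on the raw XML but a hit on the decoded PDF, which is exactly the gap the encoding exploits.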
Antivirus software can be relatively easy to fool, but the idea that simple encoding can get through is interesting.
In Dixon’s test document, which uses a two-year-old security vulnerability in Adobe Reader, one antivirus package detected the exploit. After experimenting with the XDP format, he was able to create another file that fooled all 42 antivirus engines used on VirusTotal.
Adobe patched the exploit Dixon used quite a while ago.
To make sure their networks do not suffer an attack, users should avoid XDP files in general until Adobe patches its software or the antivirus companies fix their detection methods. A commenter on Dixon’s blog did say this kind of exploit has been out in the industry since the beginning of last year.