XDP wraps the PDF into an XML format, and in doing so hides any malicious content from an anti-virus scan. It's not a new discovery, and Dixon refers to a report from early last year where Alexander Klink noted that 13 out of 42 anti-virus products detected a particular malicious PDF; but none of 43 AV products detected the same file wrapped in XDP.
Dixon confirmed similar results and added, "It's unfortunate that this problem A) still exists and B) still has the same results with no detection by Anti-virus companies."
But this isn't necessarily a problem. "It depends on your point of view," PandaLabs technical director Luis Corrons told Infosecurity. "When a user opens an XDP file it will create a PDF in a temporary file – so any desktop anti-virus can detect the PDF at that moment without having to create any detection for the XDP." And that's without the behavior-blocking ability of most modern AVs - which will detect and prevent the exploit from dropping an executable file.
"On the other hand, however," added Corrons, if your security concentrates on gateway solutions filtering emails, "as a user you would like to have that stopped at that level."
But again it is not a problem. "Why not simply block all XDP files at the gateway?" asks Adam Thomas, malware research supervisor at GFI Software. "No one emails XDP files around so far as we know."
For the record, however, AVAST told Infosecurity that it immediately added an XDP extraction routine to its anti-virus product.