Welcome to SecurityForumz.com!

New .PDF malware (?)

Virus Guy (Since: Aug 05, 2005; Posts: 424)
(Msg. 1) Posted: Fri Aug 03, 2007 9:45 pm
Post subject: New .PDF malware (?)
Archived from groups: alt.comp.anti-virus, others

I've received two e-mails today with the following characteristics:

Sending ip: 70.91.136.218, 83.174.248.144
Subject: (blank - no subject text)
User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)

No visible message body, only an attachment with one of these names:

message.zip (21,722 bytes)
request.zip (7.385 bytes)

They decompress to (respectively):
message.pdf (22,902 bytes, Friday Aug 3, 12:11:54 pm)
request.pdf (8,884 bytes, Friday Aug 3, 8:25:36 pm)

Both were submitted to VirusTotal (9:20 pm EST) and both showed 100%
clean scan results.

Both files begin with this text:

%PDF-1.1

And contain this text within the first 200 bytes:

/Kids [3 0 R 4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R]
or
/Kids [3 0 R 4 0 R 5 0 R]

Either this is some new form of spam (where the message body is
contained in PDF file) or this is some new form of .PDF malware.

I can't see this as just a plain spam, delivered as a .PDF (because it
requires user intervention to render the body).

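A static triage of a zip-wrapped PDF attachment like the two described in the post, as an added example (not code from the original post): it unpacks the ZIP in memory, checks the `%PDF-` header and version, locates the `/Kids` array and counts its page references, without rendering or opening the document. The sample PDF and ZIP are constructed inline; the 200-byte window and the `/Kids` check are the observations reported above.

```python
"""Static triage of a zip-wrapped PDF e-mail attachment.

Added example, not code from the original post. The ZIP and the PDF inside
it are constructed inline to match the post's description (header
'%PDF-1.1', a '/Kids [...]' page-tree array within the first 200 bytes);
nothing here renders or opens the document.
"""
import io
import re
import zipfile

PDF_MAGIC = b"%PDF-"
# /Kids [3 0 R 4 0 R ...] : each "n g R" is an indirect reference to a page object
KIDS_RE = re.compile(rb"/Kids\s*\[([^\]]*)\]")
REF_RE = re.compile(rb"(\d+)\s+(\d+)\s+R")
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)


def build_sample_pdf(pages: int) -> bytes:
    """Constructed sample: a minimal PDF 1.1 whose page tree lists `pages` kids."""
    kids = b" ".join(b"%d 0 R" % (3 + i) for i in range(pages))
    out = b"%PDF-1.1\n"
    out += b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    out += b"2 0 obj << /Type /Pages /Count %d /Kids [%s] >> endobj\n" % (pages, kids)
    for i in range(pages):
        out += b"%d 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n" % (3 + i)
    out += b"trailer << /Root 1 0 R >>\n%EOF\n"
    return out


def build_zip(name: str, payload: bytes) -> bytes:
    """Constructed sample: one file wrapped in an in-memory ZIP, as in the spam run."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def inspect_pdf(data: bytes) -> dict:
    """Header and page-tree facts from raw bytes; simple regexes, no PDF parser."""
    is_pdf = data.startswith(PDF_MAGIC)
    kids = KIDS_RE.search(data)
    page_refs = REF_RE.findall(kids.group(1)) if kids else []
    return {
        "is_pdf": is_pdf,
        "version": data[5:8].decode("ascii", "replace") if is_pdf else None,
        "kids_offset": kids.start() if kids else None,
        "page_count": len(page_refs),
        "size": len(data),
    }


def triage_zip_attachment(zip_bytes: bytes) -> dict:
    """Unpack in memory, inspect each member, and list the indicators seen in the post."""
    report = {"members": [], "indicators": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER_BYTES:
                report["indicators"].append("oversized member: %s" % info.filename)
                continue
            facts = inspect_pdf(zf.read(info))
            facts["name"] = info.filename
            report["members"].append(facts)
            if facts["is_pdf"] and facts["kids_offset"] is not None and facts["kids_offset"] < 200:
                report["indicators"].append(
                    "%s: PDF %s with /Kids in first 200 bytes (%d page refs)"
                    % (info.filename, facts["version"], facts["page_count"]))
    pdf_members = [m for m in report["members"] if m["is_pdf"]]
    if len(report["members"]) == 1 and pdf_members:
        report["indicators"].append("single PDF inside ZIP (zip-wrapped PDF pattern)")
    return report


if __name__ == "__main__":
    sample = build_zip("message.pdf", build_sample_pdf(7))
    for line in triage_zip_attachment(sample)["indicators"]:
        print(line)
```

The same indicators (zip containing exactly one small PDF, `/Kids` in the first 200 bytes) can be keyed into a mail-gateway rule; the script deliberately stops at byte-level facts so a suspicious attachment is never handed to a viewer.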
Russg (Since: Apr 25, 2007; Posts: 17)
(Msg. 2) Posted: Fri Aug 03, 2007 11:14 pm
Post subject: Re: New .PDF malware (?)
Archived from groups: per prev. post

"Virus Guy" <> wrote in message news:
> I've received two e-mails today with the following characteristics:
>
> Sending ip: 70.91.136.218, 83.174.248.144
> Subject: (blank - no subject text)
> User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
>
> No visible message body, only an attachment with one of these names:
>
> message.zip (21,722 bytes)
> request.zip (7.385 bytes)
>
> They decompress to (respectively):
> message.pdf (22,902 bytes, Friday Aug 3, 12:11:54 pm)
> request.pdf (8,884 bytes, Friday Aug 3, 8:25:36 pm)
>
> Both were submitted to VirusTotal (9:20 pm EST) and both showed 100%
> clean scan results.
>
> Both files begin with this text:
>
> I can't see this as just a plain spam, delivered as a .PDF (because it
> requires user intervention to render the body).
I've gotten those. They show up in my inbox and get past yahoo spam filter,
but they are spam for sure.


Virus Guy (Since: Aug 05, 2005; Posts: 424)
(Msg. 3) Posted: Sat Aug 04, 2007 12:44 am
Post subject: Re: New .PDF malware (?)
Archived from groups: per prev. post

"Beauregard T. Nasty" wrote:


> > I can't see this as just a plain spam, delivered as a .PDF
> > (because it requires user intervention to render the body).
>
> The spammers have been sending PDF spam - and now PDF spam in
> a zip file - for several months. It's just a new way to get by
> the spam filters.

I've asked this before regarding PDF files, and what OS component is
associated with viewing/rendering them (like tiff's or jpeg's or gif's
or xml, etc).

Spammers are wasting their time if it takes several apps and a little
manipulation for an end-user to actually lay their eyeballs on the
spam payload. I can't see the ergonomics of this working smoothly
when the spammer encodes his payload in a PDF file - and then wraps it
inside a .ZIP archive. Even if a user has a preview pane turned on,
he's not going to "see" the spam. So why go through all the hassle?

I've seen lots of .jpg and .gif spam, and given all the ways they can
render text as an image file, rotate it, add a little bit of speckle,
I can't see how a mail filter can be effective against that sort of
delivery mechanism to the point that they have to now resort to
something as stupid as a PDF wrapped in a ZIP file.

?

kurt wismer (Since: Jul 04, 2003; Posts: 1562)
(Msg. 4) Posted: Sat Aug 04, 2007 2:15 pm
Post subject: Re: New .PDF malware (?)
Archived from groups: per prev. post

Virus Guy wrote:
> "Beauregard T. Nasty" wrote:
>>> I can't see this as just a plain spam, delivered as a .PDF
>>> (because it requires user intervention to render the body).
>> The spammers have been sending PDF spam - and now PDF spam in
>> a zip file - for several months. It's just a new way to get by
>> the spam filters.
>
> I've asked this before regarding PDF files, and what OS component is
> associated with viewing/rendering them (like tiff's or jpeg's or gif's
> or xml, etc).

there is no built in viewer for pdf's... you need to either install
adobe acrobat reader (which most people already have) or foxit pdf
reader (which people who are fed up with adobe already have)...

> Spammers are wasting their time if it takes several apps and a little

it takes one app and it's an app that many people already have installed
because they've had to deal with pdf's before - in part because pdf's
are a standard way of distributing official documents...

> manipulation for an end-user to actually lay their eyeballs on the
> spam payload. I can't see the ergonomics of this working smoothly
> when the spammer encodes his payload in a PDF file - and then wraps it
> inside a .ZIP archive. Even if a user has a preview pane turned on,
> he's not going to "see" the spam. So why go through all the hassle?

spam works in spite of the fact that a vanishingly small percentage of
the addressees actually see or respond to (by way of purchasing
whatever) the spam... the reason it works is because of the huge volume
sent out by any given spammer....

> I've seen lots of .jpg and .gif spam, and given all the ways they can
> render text as an image file, rotate it, add a little bit of speckle,
> I can't see how a mail filter can be effective against that sort of
> delivery mechanism to the point that they have to now resort to
> something as stupid as a PDF wrapped in a ZIP file.

and yet ocr spam filters have been effective against many of those image
spam techniques...

it's not just compressed pdf's they're trying now, there's also word and
excel documents (and i'm sure powerpoint or some other format will be
soon to follow)...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Virus Guy (Since: Aug 05, 2005; Posts: 424)
(Msg. 5) Posted: Sat Aug 04, 2007 7:55 pm
Post subject: Re: New .PDF malware (?)
Archived from groups: per prev. post

kurt wismer wrote:

> there is no built in viewer for pdf's... you need to either
> install adobe acrobat reader (which most people already have)
> or foxit pdf reader (which people who are fed up with adobe
> already have)...

How many mass-market PC's (Dell, Gateway, etc) come with Acrobat
installed? (just wondering)

And when such software is installed, does it mean that your system
will render PDF's as thumbnails when looking at directory content, or
will index material inside a PDF when performing a text search on a
system?

When you receive an e-mail with an attached PDF, will the PDF
automatically be rendered in the preview pane like a gif or jpeg can
be?

I'm asking about the level of PDF integration of a typical system, way
beyond an app like acrobat.

> > Spammers are wasting their time if it takes several apps and
> > a little
>
> it takes one app and it's an app that many people already have
> installed because they've had to deal with pdf's before

Even when it's a zipped PDF?

> spam works ... (numbers argument)

You still haven't addressed the fact that if it doesn't auto-open or
auto-render itself, your "vanishingly small" percentage of spam
responders just got even smaller. There becomes a point when
diminishing returns results in less of a return than the effort that
went into it. All the zombies that just spewed that useless e-mail
have now been blacklisted on various RBL's. That's a real cost to
spammers.

> > I can't see how a mail filter can be effective against that
> > sort of delivery mechanism to the point that they have to
> > now resort to something as stupid as a PDF wrapped in a ZIP
> > file.
>
> and yet ocr spam filters have been effective against many of
> those image spam techniques...

Can you point to any web-resource that corroborates that statement?

Postman Delivers (Since: Aug 04, 2007; Posts: 11)
(Msg. 6) Posted: Sat Aug 04, 2007 11:46 pm
Post subject: Re: New .PDF malware (?)
Archived from groups: per prev. post

On Sat, 04 Aug 2007 19:55:48 -0400, Virus Guy wrote:

> kurt wismer wrote:
>
>> there is no built in viewer for pdf's... you need to either
>> install adobe acrobat reader (which most people already have)
>> or foxit pdf reader (which people who are fed up with adobe
>> already have)...
>
> How many mass-market PC's (Dell, Gateway, etc) come with Acrobat
> installed? (just wondering)
>

Most PC's, old or new, with a linux operating system come with Sun's Open
Office that will ask if you want it to open the PDF file...

JR the postman

Virus Guy (Since: Aug 05, 2005; Posts: 424)
(Msg. 7) Posted: Sun Aug 05, 2007 11:23 am
Post subject: Re: New .PDF malware (?)
Archived from groups: per prev. post

Postman Delivers wrote:

> > How many mass-market PC's (Dell, Gateway, etc) come with
> > Acrobat installed? (just wondering)
>
> Most PC's old or new with a linux operating systems come with
> Sun's Open Office that will ask if you want it to open the
> PDF file...

Not exactly the data point I was looking for. Not a particularly
useful data point at that...

kurt wismer (Since: Jul 04, 2003; Posts: 1562)
(Msg. 8) Posted: Sun Aug 05, 2007 5:40 pm
Post subject: Re: New .PDF malware (?)
Archived from groups: per prev. post

Virus Guy wrote:
> kurt wismer wrote:
>
>> there is no built in viewer for pdf's... you need to either
>> install adobe acrobat reader (which most people already have)
>> or foxit pdf reader (which people who are fed up with adobe
>> already have)...
>
> How many mass-market PC's (Dell, Gateway, etc) come with Acrobat
> installed? (just wondering)

how can i explain to you what a stupid question that is? acrobat is a
program that *A LOT* of people install after getting their computers
(though, i suspect it actually may come on dell computers)... anyone who
needs to deal with a pdf file (and, as i said, it's become a defacto
standard for official documents) are basically forced to install
acrobat unless they're fortunate enough to know of an alternative...

> And when such software is installed, does it mean that your system
> will render PDF's as thumbnails when looking at directory content, or
> will index material inside a PDF when performing a text search on a
> system?

no to both...

> When you receive an e-mail with an attached PDF, will the PDF
> automatically be rendered in the preview pane like a gif or jpeg can
> be?

no, you have to click on it - which people who deal with pdf's have been
trained to do... i'm sorry if pdf's are foreign to you, but that's how
people interact with pdf's in the real world...

> I'm asking about the level of PDF integration of a typical system, way
> beyond an app like acrobat.

the integration stops at being able to click on a pdf link on the web
and have the document open in your browser window (which is really just
the acrobat browser plug-in rendering the document)...

>>> Spammers are wasting their time if it takes several apps and
>>> a little
>> it takes one app and it's an app that many people already have
>> installed because they've had to deal with pdf's before
>
> Even when it's a zipped PDF?

yes, even when it's a zipped pdf because xp has native support for zip
compression...

>> spam works ... (numbers argument)
>
> You still haven't addressed the fact that if it doesn't auto-open or
> auto-render itself, your "vanishingly small" percentage of spam
> responders just got even smaller.

doesn't matter because of what you so eloquently dubbed the numbers
argument...

but as a point of fact, people actually are more likely to open pdf's
precisely because most of them have never heard of pdf-based image spam
before and are instead accustomed to pdf's only ever being official
documents (which implies they're important)...

> There becomes a point when
> diminishing returns results in less of a return than the effort that
> went into it.

and your misunderstanding resides in the assumption that effort goes
into it... a spammer can easily send out millions of spams each day...

> All the zombies that just spewed that useless e-mail
> have now been blacklisted on various RBL's. That's a real cost to
> spammers.

???? more misunderstanding... if you blacklisted every domain (or even
just ip's) with zombies on them you'd wind up blacklisting every isp in
existence... rbl's don't do that because they know it's pointless...
isp's try to stomp out the zombies on their networks but for each one
they take out another one pops up so no isp of any significant size will
ever be free of zombies...

on top of that, not everyone uses rbl's to mitigate spam...

>>> I can't see how a mail filter can be effective against that
>>> sort of delivery mechanism to the point that they have to
>>> now resort to something as stupid as a PDF wrapped in a ZIP
>>> file.
>> and yet ocr spam filters have been effective against many of
>> those image spam techniques...
>
> Can you point to any web-resource that corroborates that statement?

http://www.virusbtn.com/spambulletin/archive/2006/11/sb200611-image

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Mac Cool (Since: May 31, 2007; Posts: 10)
(Msg. 9) Posted: Tue Aug 07, 2007 12:16 am
Post subject: Re: New .PDF malware (?)
Archived from groups: per prev. post

kurt wismer:

> it actually may come on dell computers

it does

--
Mac Cool

Dave Cohen (Since: Oct 16, 2004; Posts: 90)
(Msg. 10) Posted: Tue Aug 07, 2007 10:17 am
Post subject: Re: New .PDF malware (?)
Archived from groups: per prev. post

Mac Cool wrote:
> kurt wismer:
>
>> it actually may come on dell computers
>
> it does
>
And anything else that is mass marketed. I send out a newsletter using
.pdf and every recipient already had acrobat (sometimes a pretty old
version though).
Dave Cohen

Fenton (Since: Jan 03, 2006; Posts: 27)
(Msg. 11) Posted: Sat Aug 18, 2007 12:03 am
Post subject: Re: New .PDF malware (?)
Archived from groups: per prev. post

On Aug 17, 2007, Virus Guy wrote:
> PDF's are still an ergonomically poor way to convey spam payload given
> the lack of automatic rendering. They may be in use now because the
> PDF format is somewhat proprietary. Commercial server and client-side
> filter software may not have permission or the license from Adobe to
> implement PDF decoding routines that are necessary for content
> inspection (but you would think it would be in Adobe's best interest
> to provide it to them gratis).

I'm pretty certain the PDF specification is open to the public.

kurt wismer (Since: Jul 04, 2003; Posts: 1562)
(Msg. 12) Posted: Sat Aug 18, 2007 1:28 pm
Post subject: Re: New .PDF malware (?)
Archived from groups: per prev. post

ok, maybe i can explain this in a simpler way...

first:
a spammer has 2 choices, he can make his spam more readable so that the
people who do manage to receive it don't have to put as much work into
reading it, or he can make his spam more obfuscated so that it gets past
filters and reaches more inboxes...

while better readability is no guarantee of greater sales, less reach
*is* a guarantee of fewer sales...

second:
while pdf viewers may not be technically a standard part of the os they
are *effectively* a standard part of the os... just as flash-based ads
on the web are effective despite flash not coming pre-installed,
pdf-based spam can be effective without acrobat coming pre-installed...
when it comes to formats this popular the question of whether the reader
comes pre-installed simply does not matter...

Virus Guy wrote:
> kurt wismer wrote:
[snip]
>> and the point i'm making is that acrobat is virtually standard
>> *in spite* of not necessarily coming pre-installed...
>
> PDF's are still an ergonomically poor way to convey spam payload given
> the lack of automatic rendering. They may be in use now because the
> PDF format is somewhat proprietary. Commercial server and client-side
> filter software may not have permission or the license from Adobe to
> implement PDF decoding routines that are necessary for content
> inspection (but you would think it would be in Adobe's best interest
> to provide it to them gratis).

no, the pdf format is more open than that... pdf is used as a spam
obfuscation technique simply because it's novel enough that existing
filters didn't have any handling for it yet...

>> spammers have always had a poor penetration rate with their
>> advertisements... if the new obfuscation reduces it they'll
>> just do what they've always done - make it up on volume...
>
> Volume is not necessarily something they can increase when-ever they
> want. Presumably they are always operating at 100% of their volume
> capability anyways.

ummm, no... increasing volume can be as easy as building a bigger botnet...

[snip]
>>>> isp's try to stomp out the zombies on their networks
>>> These days, few if any ISP's do that.
>> in my part of the world they do...
>
> Then why don't they block port-25 on their outbound? Why are the big
> US cable and telco providers of residential internet service still the
> biggest sources of trojanized spam bots? If they don't block port-25,
> why can't they at least detect spam runs as they happen, and put rate
> limits on them? Why can't they detect a spam run in progress by
> looking for inordinate amounts of MX lookups being made by an infected
> customer?
>
> What exactly does a given ISP do when they learn about spam being
> emitted by one of their several-million customers? Do they call the
> customer? Send them an e-mail? Perform an on-site service call?
> Please explain what happens in your part of the world.

they cut off the customer's internet access... when the customer calls
to complain they inform the customer why their access was cut off and
tell them what they need to do to get it turned back on... the customer
may or may not be successful at removing the bot but with the internet
access cut off the zombie has been removed from the network...

someone i used to work with encountered this very situation with a large
isp known as rogers...

i understand that at least one 'solution' provider has developed
technology that would give isp's the power to let such affected
customers connect in a restricted fashion such that the only thing
they'd be able to do would be download tools the isp made available for
correcting the problem... unfortunately i can't think of the name right
now...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Virus Guy (Since: Aug 05, 2005; Posts: 424)
(Msg. 13) Posted: Sun Aug 19, 2007 11:53 am
Post subject: Re: New .PDF malware (?)
Archived from groups: per prev. post

Fenton wrote:

> I'm pretty certain the PDF specification is open to the public.

But do AV vendors have the ability to incorporate PDF decoding
routines into their software without paying Adobe for a license fee?

Virus Guy (Since: Aug 05, 2005; Posts: 424)
(Msg. 14) Posted: Sun Aug 19, 2007 12:05 pm
Post subject: Re: New .PDF malware (?)
Archived from groups: per prev. post

Kurt wismer wrote:

> first:
> a spammer has 2 choices, he can make his spam more readable

but more filterable

> or he can make his spam more obfuscated

less likely to be auto-filtered, but also less likely to be opened

> while better readability is no guarantee of greater sales,
> less reach *is* a guarantee of fewer sales...

Reach is a function of the size of a spam run. That being equal, it
becomes a question as to what spam will suffer more from filtering vs
from failure to open the attachment.

> while pdf viewers may not be technically a standard part of
> the os they are *effectively* a standard part of the os...
> just as flash-based ads on the web are effective despite
> flash not coming pre-installed,

Poor example.

Flash content is (usually) auto-rendered on a web page. PDF content
is NOT auto-rendered as a component of a page being viewed.

> pdf-based spam can be effective without acrobat coming
> pre-installed...

And if it remains un-installed on a given system - what then?

> when it comes to formats this popular the question of whether
> the reader comes pre-installed simply does not matter...

You are not correctly appraising the importance or exposure of the PDF
format to the typical person who responds to spam.

I could say that people who knowingly install acrobat on their systems
probably belong to the demographic of people who are least likely to
act on or respond to spam.

Leythos (Since: Jan 04, 2006; Posts: 201)
(Msg. 15) Posted: Sun Aug 19, 2007 12:40 pm
Post subject: Re: New .PDF malware (?)
Archived from groups: per prev. post

In article <46C8676A.F67502BF.TakeThisOut@Guy.com>, Virus.TakeThisOut@Guy.com says...
> Fenton wrote:
>
> > I'm pretty certain the PDF specification is open to the public.
>
> But do AV vendors have the ability to incorporate PDF decoding
> routines into their software without paying Adobe for a license fee?

Our email filtering system, GFI Mail Essentials and Security catches the
malware in them, and they don't appear to be licensed with Adobe.

--
Leythos - spam999free.TakeThisOut@rrohio.com (remove 999 to email me)

Learn more about PCBUTTS1 and his antics and ethic and his perversion
with Porn and Filth. Just take a look at some of the FILTH he's created
and put on his website: http://www.webservertalk.com/message1907860.html
3rd link shows what he's exposed to children (the link I've include does
not directly display his filth). You can find the same information by
googling for 'PCBUTTS1' and 'exposed to kids'.
All times are Pacific Time (US & Canada).