New .PDF malware (?)

Virus Guy

Leythos said:
Our email filtering system, GFI Mail Essentials and Security
catches the malware in them, and they don't appear to be
licensed with Adobe.

Perhaps the recent PDF malware can be detected without implementing a
complete PDF decoding/rendering engine.
 
jen

Virus Guy said:
Perhaps the recent PDF malware can be detected without implementing a
complete PDF decoding/rendering engine.

The recent PDF SPAM run is *not* malware. It's just *SPAM*...

-jen
 
Leythos

The recent PDF SPAM run is *not* malware. It's just *SPAM*...

Then you're just not seeing it with the tools you have. I've seen plenty
listed as Generic.Peed.Eml by several products.


--
Leythos - (e-mail address removed) (remove 999 to email me)

Learn more about PCBUTTS1 and his antics and ethic and his perversion
with Porn and Filth. Just take a look at some of the FILTH he's created
and put on his website: http://www.webservertalk.com/message1907860.html
3rd link shows what he's exposed to children (the link I've included does
not directly display his filth). You can find the same information by
googling for 'PCBUTTS1' and 'exposed to kids'.
 
Leythos

Don't you mean detected only by BitDefender(as generic)?. Probably
FP... Did you submit them to any other AV companies? Virus Total?
Jotti?
Recent change in Stock-Spam Tactics (PDF and excel):
http://isc.sans.org/diary.html?storyid=3177

Nope, they were not detected as the above until last week, and most of
them are still just PDFs without malware. Only certain ones are malware
carriers - taking advantage of some new PDF exploit that I read about a
couple weeks ago.


 
Virus Guy

The PDF examples I've seen from a week or two ago were for Chinese
stocks - which is strange given that the spam was in English (text,
not image-based). You'd think that the target audience for Chinese
stock spam would be Asia (if not China/Hong Kong/Taiwan) and would have
been in kanji.

"This group appears to target German stock market."

So was the spam in English, or German?

"You have also likely noted their shift in tactics from a simple
text message in the PDF over to encoded images in the PDF (to
foil pdf2text-like tools, I presume.)"

Why the reference to "pdf2text" convertor tools?

A statement like that raises the question as to whether or not the PDF
format is proprietary, even from an exploit or spam-detection point of
view.
Nope, they were not detected as the above until last week,
and most of them are still just PDF's without malware.

Any PDF's that were/are truly PDF (not exploits) wouldn't be flagged
by AV software or AV sites as malware. Doesn't matter if they're spam
or not.
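As an added example that is not part of the thread, the following Python script shows the kind of lightweight check Virus Guy is asking about above and in his first post: triaging a PDF attachment from its raw bytes, without a rendering engine. It inflates FlateDecode streams (the step a pdf2text-style tool must perform before it can see any text), counts text-drawing blocks against image XObjects to spot the "encoded images" pattern the SANS diary describes, and flags name tokens that indicate active content. The three sample files, the helper functions and the key list are all constructed for this example; none of them are samples from the spam run under discussion.

```python
import re
import zlib

# Name tokens that mean the file does more than show text or pictures. A stock-spam
# PDF should contain none of them. Matching raw bytes is a heuristic (names can be
# hex-escaped or tucked inside object streams), so treat a hit as a triage signal
# that routes the file to AV or a sandbox, not as proof of anything.
ACTIVE_CONTENT_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                       b"/Launch", b"/EmbeddedFile")

# "<num> <gen> obj << dict >> stream ... endstream"; the tempered dot keeps the
# dictionary from running across an earlier object's "endobj".
STREAM_RE = re.compile(
    rb"\d+\s+\d+\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n(.*?)\r?\nendstream",
    re.DOTALL)
# A text object: everything between BT and ET in a page content stream.
TEXT_BLOCK_RE = re.compile(rb"\bBT\b.*?\bET\b", re.DOTALL)


def extract_streams(data):
    """Yield (stream dictionary, decoded body) for each stream object in the raw bytes.

    FlateDecode bodies are inflated; other filters are returned raw. Production code
    should honour /Length rather than scanning for 'endstream', which binary data can
    contain by accident.
    """
    for dict_bytes, body in STREAM_RE.findall(data):
        if b"/FlateDecode" in dict_bytes:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # corrupt or deliberately broken stream: skip it
        yield dict_bytes, body


def triage_pdf(data):
    """Return feature counts for one attachment, computed from the bytes alone."""
    features = {"is_pdf": data.startswith(b"%PDF-"), "text_blocks": 0,
                "image_xobjects": 0, "active_content": []}
    for dict_bytes, body in extract_streams(data):
        if b"/Subtype" in dict_bytes and b"/Image" in dict_bytes:
            features["image_xobjects"] += 1
        else:
            features["text_blocks"] += len(TEXT_BLOCK_RE.findall(body))
    features["active_content"] = [k.decode() for k in ACTIVE_CONTENT_KEYS if k in data]
    return features


def classify(features):
    """Map the feature counts onto a coarse verdict for the mail filter."""
    if not features["is_pdf"]:
        return "not-a-pdf"
    if features["active_content"]:
        return "active-content"   # hand to AV / sandbox, never straight to a user
    if features["image_xobjects"] and not features["text_blocks"]:
        return "image-only"       # the 'encoded images' spam pattern
    return "text"                 # ordinary text; normal content filters apply


# --- constructed sample files (not real spam samples) --------------------------
def _stream_obj(extra_dict, body):
    return b"<< /Length %d %s >>\nstream\n%s\nendstream" % (len(body), extra_dict, body)


def _pdf(objects):
    """Assemble objects into a minimal PDF (no xref table; the scanner never needs one)."""
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objects, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    return out + b"%%EOF\n"


PAGE_TREE = [b"<< /Type /Catalog /Pages 2 0 R >>",
             b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]

# Text-based spam: the pitch sits in a deflated content stream.
TEXT_SPAM_PDF = _pdf(PAGE_TREE + [
    b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>",
    _stream_obj(b"/Filter /FlateDecode",
                zlib.compress(b"BT /F1 12 Tf 72 700 Td (BUY XYZ STOCK NOW) Tj ET")),
])

# Image-based spam: the page only draws one deflated RGB image, no text operators.
IMAGE_SPAM_PDF = _pdf(PAGE_TREE + [
    b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Resources << /XObject << /Im1 5 0 R >> >> >>",
    _stream_obj(b"", b"q 200 0 0 100 50 600 cm /Im1 Do Q"),
    _stream_obj(b"/Type /XObject /Subtype /Image /Width 2 /Height 2 /ColorSpace /DeviceRGB "
                b"/BitsPerComponent 8 /Filter /FlateDecode",
                zlib.compress(b"\xff\x00\x00" * 4)),
])

# Active content: an /OpenAction pointing at an (empty) JavaScript action.
ACTIVE_PDF = _pdf([
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R >>",
    b"<< /S /JavaScript /JS () >>",
])

if __name__ == "__main__":
    for name, sample in (("text", TEXT_SPAM_PDF), ("image", IMAGE_SPAM_PDF),
                         ("active", ACTIVE_PDF)):
        print(name, classify(triage_pdf(sample)), triage_pdf(sample))
```

The point of the split between `triage_pdf` and `classify` is that a gateway can log the raw feature counts for every attachment and tune the verdict thresholds later; the "image-only" verdict is a spam signal, while "active-content" is the only one that says anything about possible malware, and even then only that the file deserves a closer look.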
 
kurt wismer

Virus said:
but more filterable


less likely to be auto-filtered, but also less likely to be opened


Reach is a function of the size of a spam run. That being equal, it
becomes a question as to what spam will suffer more from filtering vs
from failure to open the attachment.

and gateway filters can prevent the spam from reaching entire domains...
Poor example.

Flash content is (usually) auto-rendered on a web page. PDF content
is NOT auto-rendered as a component of a page being viewed.

??? ok, so pdf content is auto-rendered as the entire page instead of
just a portion, is that distinction really significant?
And if it remains un-installed on a given system - what then?

in that unlikely event then it will not be effective...
You are not correctly appraising the importance or exposure of the PDF
format to the typical person who responds to spam.

I could say that people who knowingly install acrobat on their systems
probably belong to the demographic of people who are least likely to
act on or respond to spam.

i'm going to go out on a limb here and guess that you believe that pdf's
are only used by a technically sophisticated minority rather than the
majority...

this in spite of the fact that pdf long ago became the de facto standard
for printable documents from government forms to online product
documentation to press releases and reports and to bus schedules and
route maps (not to mention the fact that it's a major e-book format,
that sample chapters from conventional books are released in that
format, and that it comes pre-installed on machines from dell)...

if you *really* believe that only a technically sophisticated minority
are likely to be consumers of printable documents then i don't think
this need go any further...
 
jen

Leythos said:
Nope, they were not detected as the above until last week, and most of
them are still just PDF's without malware. Only certain ones are malware
carriers - taking advantage of some new PDF exploit that I read about a
couple weeks ago.

Could you elaborate (and provide a cite) on this "new PDF exploit" you
read about a couple weeks ago that this so-called malware that only
BitDefender detects (generically) takes advantage of? The last PDF
vulnerability AFAIK was reported in January ...
Adobe Reader/Acrobat Multiple Vulnerabilities:
http://secunia.com/advisories/23483/?show_all_related=1#related

-jen
 
Leythos

Could you elaborate (and provide a cite) on this "new PDF exploit" you
read about a couple weeks ago that this so-called malware that only
BitDefender detects (generically) takes advantage of? The last PDF
vulnerability AFAIK was reported in January ...
Adobe Reader/Acrobat Multiple Vulnerabilities:
http://secunia.com/advisories/23483/?show_all_related=1#related

Nope, just surfing and read about it, didn't bookmark it or even care
where, sorry. As for the BitDefender, I can only say that few of the
other AV solutions have alerted on the new ones, but we still see both,
so there must be some difference in the PDF's - I'm not about to let one
through to play with it :)

 
jen

[snip]
Nope, just surfing and read about it, didn't bookmark it or even care
where, sorry. As for the BitDefender, I can only say that few of the
other AV solutions have alerted on the new ones, but we still see both,
so there must be some difference in the PDF's - I'm not about to let one
through to play with it :)

And what other AVs besides BitDefender have reported them as malware, and
as what?

-jen
 
Leythos

[snip]
Nope, just surfing and read about it, didn't bookmark it or even care
where, sorry. As for the BitDefender, I can only say that few of the
other AV solutions have alerted on the new ones, but we still see both,
so there must be some difference in the PDF's - I'm not about to let one
through to play with it :)

And what other AVs besides BitDefender have reported them as malware, and
as what?

I think that KAP picked up on a PDF in a user's PST file (not one of our
customers, a friend of a friend that brought their computer over for me
to look at), but I don't have it or the report with me now...

Sorry, when it comes to most of this crap I don't even bother looking
past the reject logs, too many years of trying to determine what they
wanted it to do and just getting old and not caring any more.

 
jen

Leythos said:
[snip]
Could you elaborate (and provide a cite) on this "new PDF exploit" you
read about a couple weeks ago that this so-called malware that only
BitDefender detects (generically) takes advantage of? The last PDF
vulnerability AFAIK was reported in January ...
Adobe Reader/Acrobat Multiple Vulnerabilities:
http://secunia.com/advisories/23483/?show_all_related=1#related

Nope, just surfing and read about it, didn't bookmark it or even care
where, sorry. As for the BitDefender, I can only say that few of the
other AV solutions have alerted on the new ones, but we still see both,
so there must be some difference in the PDF's - I'm not about to let one
through to play with it :)

And what other AVs besides BitDefender have reported them as malware, and
as what?

I think that KAP picked up on a PDF in a user's PST file (not one of our
customers, a friend of a friend that brought their computer over for me
to look at), but I don't have it or the report with me now...

Sorry, when it comes to most of this crap I don't even bother looking
past the reject logs, too many years of trying to determine what they
wanted it to do and just getting old and not caring any more.

So you don't really have anything (other than the BitDefender generic
catch) to back up your statement that the PDF SPAM runs are anything
other than SPAM. You didn't even submit the suspects to Virus Total or
Jotti. hmmm... not very convincing ;)

-jen
 
Leythos

So you don't really have anything (other than the BitDefender generic
catch) to back up your statement that the PDF SPAM runs are anything
other than SPAM. You didn't even submit the suspects to Virus Total or
Jotti. hmmm... not very convincing ;)

Sorry, between blocking attachments at the firewall, passing all
attachments through 5 AV products, blocking email sent from many
subnets, etc... I just don't even bother with checking them any more.

--
Leythos - (e-mail address removed) (remove 999 to email me)

Fight exposing kids to porn, complain about sites like PCBUTTS1.COM that
create filth and put it on the web for any kid to see: Just take a look
at some of the FILTH he's created and put on his website:
http://forums.speedguide.net/archive/index.php/t-223485.html all exposed
to children (the link I've include does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.
 
Virus Guy

kurt said:
and gateway filters can prevent the spam from reaching entire
domains...

And gateway filters are more likely to run heavy-duty, sophisticated
filters that can quickly stop even a PDF spam run.

??? ok, so pdf content is auto-rendered as the entire page
instead of just a portion, is that distinction really
significant?

I've never seen PDF content being auto-rendered either as its own
page or as a component of a page, unlike other components of a typical
web page (i.e. HTML code, JavaScript, JPG or GIF images, etc).

In my experience, PDF material (PDF files) are always presented only
as links that require the user to click on them in order to view them.

What browser has the option of rendering PDF files "in-line" ?

i'm going to go out on a limb here and guess that you believe
that pdf's are only used by a technically sophisticated minority
rather than the majority...

I believe that those that do go out and install a pdf reader are less
likely to be spam responders (or spam readers) than those that don't
have a pdf reader on their computer.

I've never said that only a technically-sophisticated minority are PDF
users/readers (that's your embellishment). However, I do believe that
was more true in the past than it is now. Arguably Google has played
a role in making the PDF format more common and exposing it to more
people by presenting PDF material in its search results.

this in spite of the fact that pdf long ago became the de facto
standard for printable documents from government forms to online
product documentation to press releases and reports and to bus
schedules and route maps (not to mention the fact that it's a
major e-book format, that sample chapters from conventional
books are released in that format,

That it is a common format for many useful or important documents is
not the issue.

The fact remains that some (or many) home computer users may never use
their computers in such a way that would see them needing to obtain or
open a PDF file, much less installing a PDF reader if not already
present on their system.

and that it comes pre-installed on machines from dell)...

Clearly this conversation pertains to situations (or the implications)
of a PDF reader NOT being pre-installed by a vendor, and certainly
it's inescapable that Microsoft has not seen fit to include a PDF
reader as part of their OS's despite the universality of the format as
you point out.

if you *really* believe that only a technically sophisticated
minority are likely to be consumers of ...

Don't take this thread off on a tangent by inventing hyperbole.
 
David W. Hodgins

Is there a date on the above-quoted CVE?

From the above page ...

BUGTRAQ:20070813 [SECURITY] [DSA 1354-1] New gpdf packages fix arbitrary code execution
Candidate assigned on 20070625

So, the fixes were released August 13th, for a bug assigned on June 25th.

Does secunia list vulnerabilities according to file type or file
format (as opposed to application programs or operating systems)?

The vulnerabilities are in the software, not the file format, so
it wouldn't make sense to list them by file type.

Regards, Dave Hodgins
 