New .PDF malware (?)

kurt wismer

Virus said:
> And gateway filters are more likely to run heavy-duty, sophisticated
> filters that can quickly stop even a PDF spam run.

round and round we go... i've already said that the spammers went with
pdf due to novelty... i never said it was a technique that was going to
be effective in the long term...

> I've never seen PDF content being auto-rendered either as its own
> page or as a component of a page, unlike other components of a typical
> web page (i.e. html code, javascript, JPG or GIF images, etc).
>
> In my experience, PDF material (PDF files) is always presented only
> as links that require the user to click on them in order to view them.
>
> What browser has the option of rendering PDF files "in-line"?

again, round and round we go... the acrobat reader includes a browser
plugin that allows you to read pdf files right in your browser...

> I believe that those that do go out and install a pdf reader are less
> likely to be spam responders (or spam readers) than those that don't
> have a pdf reader on their computer.

so you choose to believe that spam 'users' are less likely to be pdf
'users' to a significant enough degree to make this distinction worth
pursuing... somehow spam 'users' don't need government forms or product
documentation or any of those other things that require a pdf viewer...

i think you're reading too much into the fact that they respond to
spam... i see no reason why they should be significantly different from
the average user as far as pdf reader deployment goes...

> I've never said that only a technically-sophisticated minority are PDF
> users/readers (that's your embellishment).

it's a reasonable 'embellishment' as only the technically
unsophisticated would respond to spam...

> However, I do believe that
> was more true in the past than it is now. Arguably Google has played
> a role in making the PDF format more common and exposing it to more
> people by presenting PDF material in its search results.

true, but it generally allows the user to 'view as html' and as such
doesn't necessarily drive people to install pdf readers...

> That it is a common format for many useful or important documents is
> not the issue.
>
> The fact remains that some (or many) home computer users may never use
> their computers in such a way that would see them needing to obtain or
> open a PDF file, much less install a PDF reader if not already
> present on their system.

the fact that it is a common format for many useful or important
documents means that many people are going to be users... the fact that
it has such a wide variety of uses means that it will have a broad pool
of users rather than being arbitrarily limited to more narrow subsets of
the population...

> Clearly this conversation pertains to situations (or the implications)
> of a PDF reader NOT being pre-installed by a vendor,

no, clearly this conversation pertains to how *insignificant* those
situations are to the spammer... the spammer chooses a format that will
get his message into as many inboxes as possible so as to give him the
greatest chance of having it viewed - so long as neither filters nor
people expect spam in pdf form and so long as people think pdf is a safe
format they will click just to figure out what the heck it is... its
usefulness will be short lived but that's why many have already moved on
to other formats...
 
Virus Guy

kurt said:
> again, round and round we go... the acrobat reader includes a
> browser plugin that allows you to read pdf files right in your
> browser...

Why are you incapable of understanding a simple concept?

I'm trying to point out to you that PDF code or PDF files are not
automatically rendered in-line as a component of a web page and that
they must be clicked on by the user in order to be rendered. That
they can THEN be rendered within the browser by a plugin is
irrelevant.

I'll try to make this simple for you.

If I view a web page that contains code to display a graphic bitmap
(say, a jpeg or gif file) I will see the bitmap when I view the web
page. I will NOT see a link to the bitmap that requires me to click
on it to see it (unless that's how the web-author wants it to work).

In contrast, PDF files are never rendered "in-line", automatically, as
part of webpage content like a gif or jpeg bitmap.

> so you choose to believe that spam 'users' are less likely to
> be pdf 'users' to a significant enough degree to make this
> distinction worth pursuing...

The home PC is common enough to be used by a wide range of people for
a wide range of reasons. When we dissect and analyze things at this
level, in the absence of other information, if I just had something as
basic as the presence or absence of an installed pdf reader, if I had
to form an opinion as to who is more likely to be spam-friendly, I
would say it's the people without a PDF reader installed.

> somehow spam 'users' don't need government forms or product
> documentation or any of those other things that require a
> pdf viewer...

Perhaps those people are kids or teenagers with PCs in their
bedrooms. Perhaps they're senior citizens who have their kids do
their taxes for them. I would expect (more often than not) both
groups to not have PDF readers installed on their computers (unless it
came pre-installed on them anyways). I would expect both groups to be
more naive when it comes to spam as opposed to other groups - more
likely to at least open and read it.

> i think you're reading too much into the fact that they
> respond to spam... i see no reason why they should be
> significantly different from the average user as far as
> pdf reader deployment goes...

If the lack of an installed PDF reader on a system is an indication of
a new or novice computer user, then that demographic is also more
likely to be unfamiliar with spam in all its forms and appearances,
and will (over time) presumably install a PDF reader on their system,
and just as likely over time to recognize and ignore spam.

Again, it's not like I'm saying that the presence or absence of a PDF
reader on a given system is "the gold standard" reference for who will
be a spam reader/responder.

I think we agree that resorting to the PDF format may be better (in
the short term) for spammers to get their spam through to end users,
but it's not a desirable format to ensure they actually see the
payload.

I'm going an extra step by saying that systems with PDF readers on
them are more likely to be owned and operated by those that are (even
slightly) more likely to recognize and delete spam without even
reading it.

> true, but it generally allows the user to 'view as html'
> and as such doesn't necessarily drive people to install
> pdf readers...

I guess you like to argue with everything I say?

Fine. Here's a counter-argument.

The "view as html" is a very poor substitute vs viewing the original
PDF document, so I wouldn't expect a given user to persistently view
PDF files as html for very long before deciding to install a PDF
reader.

> the fact that it is a common format for many useful or
> important documents means that many people are going to
> be users...

So what are you saying?

That the number of systems currently without an installed PDF reader
is zero?

> the fact that it has such a wide variety of uses means
> that it will have a broad pool of users

You're now arguing that a PDF reader is likely to be installed on the
majority of systems. I'm not disputing that. I would tend to agree,
and the fact that it comes pre-installed by some large vendors
certainly helps that argument.

But I'm betting that there are systems out there that don't have it
installed.

If you know of any hard stats on this, then post them here. Here's
one:

http://www.planetpdf.com/forumarchive/86169.asp

> no, clearly this conversation pertains to how *insignificant*
> those situations are to the spammer...

Isn't that an implication of whether or not a PDF reader is installed
(by the vendor)? Which is what I said above, to which you answered
"no"?

> the spammer chooses a format that will get his message into
> as many inboxes as possible ...

That, and the rest of that paragraph, is mostly obvious.

I don't buy the argument that PDF spam has a "clickability" advantage
that makes it (even slightly) more likely for the average reader to
open it just because it's a pdf. If that were true, we would be
seeing more executable attachments masquerading as PDF attachments.
 
kurt wismer

Virus said:
> Why are you incapable of understanding a simple concept?
>
> I'm trying to point out to you that PDF code or PDF files are not
> automatically rendered in-line as a component of a web page and that
> they must be clicked on by the user in order to be rendered. That
> they can THEN be rendered within the browser by a plugin is
> irrelevant.

that pdf links have to be clicked on before the pdf can be rendered is
just as irrelevant... i have to click on links to websites to get them
to render too, so there is no difference from a user's perspective...

> I'll try to make this simple for you.
>
> If I view a web page that contains code to display a graphic bitmap
> (say, a jpeg or gif file) I will see the bitmap when I view the web
> page. I will NOT see a link to the bitmap that requires me to click
> on it to see it (unless that's how the web-author wants it to work).
>
> In contrast, PDF files are never rendered "in-line", automatically, as
> part of webpage content like a gif or jpeg bitmap.

no page is rendered automatically except your home page, every other page
is one you arrive at by clicking somewhere or typing in a url...
conventional web pages and pdfs are identical in this behaviour...

> The home PC is common enough to be used by a wide range of people for
> a wide range of reasons. When we dissect and analyze things at this
> level, in the absence of other information, if I just had something as
> basic as the presence or absence of an installed pdf reader, if I had
> to form an opinion as to who is more likely to be spam-friendly, I
> would say it's the people without a PDF reader installed.

once again i say you're reading too much into things... i see no reason
to make the correlation you're making here between the absence of a pdf
reader and the likelihood of responding to spam... if that is what your
gut is telling you then fine, but i don't trust your gut...

> Perhaps those people are kids or teenagers with PCs in their
> bedrooms.

yeah, because kids (who are generally lauded as being *more* savvy than
their parents) are the spam users...

> Perhaps they're senior citizens who have their kids do
> their taxes for them.

there's more to government forms than just taxes...

> I would expect (more often than not) both
> groups to not have PDF readers installed on their computers (unless it
> came pre-installed on them anyways).

i would expect kids (teenagers especially) to have pdf readers in order
to read papers they need to read to do homework and school projects...
did i neglect to mention that pdfs are used a lot for research papers too?

> I would expect both groups to be
> more naive when it comes to spam as opposed to other groups - more
> likely to at least open and read it.

i don't see any reason to make age-based correlations with spam use...
experience-based correlations, perhaps (people who are new to the
internet are more likely to open spam than those who have been using it
frequently for 6+ months), but not age-based ones...

> If the lack of an installed PDF reader on a system is an indication of
> a new or novice computer user,

a new or novice computer user may very well have a system where a pdf
reader is pre-installed because 'dude, you got a dell'...

a new or novice computer user is more likely to have gotten a system
pre-loaded with all kinds of things s/he doesn't need precisely because
they're novices...

[snip]

> I think we agree that resorting to the PDF format may be better (in
> the short term) for spammers to get their spam through to end users,
> but it's not a desirable format to ensure they actually see the
> payload.

given all the various obfuscation techniques that have been used in the
past, do you really think the spammers care that much about optimizing
readability?

> I'm going an extra step by saying that systems with PDF readers on
> them are more likely to be owned and operated by those that are (even
> slightly) more likely to recognize and delete spam without even
> reading it.

and those that bought from dell (or any other company that pre-loads
lots of 'useful' things to add value for the consumer)...

> I guess you like to argue with everything I say?
>
> Fine. Here's a counter-argument.
>
> The "view as html" is a very poor substitute vs viewing the original
> PDF document, so I wouldn't expect a given user to persistently view
> PDF files as html for very long before deciding to install a PDF
> reader.

i persistently use the view as html option, but i also persistently use
the view cache option as well... why? because then my search terms are
automagically highlighted for me...

if someone doesn't have a pdf reader installed and had the choice of
clicking on the view as html option or installing a pdf reader and then
clicking the search result, i would guess most would click on the view
as html option because it requires fewer clicks and less work... are they
missing something by not using a real pdf reader? sure, but they aren't
likely to know they're missing something because they aren't frequent
enough consumers of pdf documents to have a pdf reader installed...

> So what are you saying?
>
> That the number of systems currently without an installed PDF reader
> is zero?

now who's embellishing?

> You're now arguing that a PDF reader is likely to be installed on the
> majority of systems. I'm not disputing that. I would tend to agree,
> and the fact that it comes pre-installed by some large vendors
> certainly helps that argument.
>
> But I'm betting that there are systems out there that don't have it
> installed.

and i'm betting that at least one bear shits in the woods...

of course there are systems that don't have it, but the correlations
you're making between not having it and responding to spam don't seem
well founded to me...

[snip]

> Isn't that an implication of whether or not a PDF reader is installed
> (by the vendor)? Which is what I said above, to which you answered
> "no"?

no, and the reason is because you keep tying it exclusively to
pre-installation of the reader... you refuse to acknowledge the
possibility that pre-installation might be a non-sequitur in this case...

many sites that link to pdf documents link to the acrobat reader on the
same page to help the newbies and that drives user installation rates...

> That, and the rest of that paragraph, is mostly obvious.
>
> I don't buy the argument that PDF spam has a "clickability" advantage
> that makes it (even slightly) more likely for the average reader to
> open it just because it's a pdf. If that were true, we would be
> seeing more executable attachments masquerading as PDF attachments.

just because it hasn't happened yet doesn't mean it won't...
 
Dustin Cook

Virus Guy said:
> The question stands on its own and is separate from the implications
> of its answer.

Which you exhibit constantly.

> PDFs are still an ergonomically poor way to convey spam payload given
> the lack of automatic rendering. They may be in use now because the
> PDF format is somewhat proprietary. Commercial server and client-side
> filter software may not have permission or the license from Adobe to
> implement PDF decoding routines that are necessary for content
> inspection (but you would think it would be in Adobe's best interest
> to provide it to them gratis).

Actually, there are various open source pdf readers and writers. Adobe
has no licensing issues with this as far as I know. They wanted pdf to be
adopted, and so it has.

> Volume is not necessarily something they can increase whenever they
> want. Presumably they are always operating at 100% of their volume
> capability anyways.

Bad assumption. Network congestion, etc. may play a big role in it. I
don't know anybody who runs the server/bandwidth trunk at max fulltime.

> If you want to run an RBL that people will use and trust not to give
> them false positives, you have no choice but to track spam sources at
> the individual IP level. I believe that there are RBLs that will
> return the status of an IP (whether it lies in a static or dynamic
> range assignment, or whether it belongs to a residential ISP) which a
> mail server can use as the basis to block mail from said IP.

However, the mail server can be given the wrong information. The IP isn't
set in stone. Case in point, a mail server I run here strips all
originating IPs when you send a message thru it. Various others may be
set up in a similar fashion. If anything, you'd get the server's IP, not
that of its users.

> Then why don't they block port-25 on their outbound? Why are the big
> US cable and telco providers of residential internet service still the
> biggest sources of trojanized spam bots? If they don't block port-25,

What gives them or you the right to block outbound ports? I'm paying for
unlimited access. If I want to run a server, I will. Various ISPs allow
this. The reason so many residential machines are the trojanized spam
bots is due to the sheer amount of ignorant users who for whatever
reason, won't heed the advice that's been offered for years. If I caught
my ISP blocking any of my incoming/outgoing connections, I'd drop them in
a heartbeat; and they know it.

If I was on dialup, I'd have no real need to run a server. But I'm on
broadband, and I don't need broadband just to surf the web or download
things. I use it for work as well. I like highspeed access to my network
at home from anywhere I might happen to be, and that requires outbound
communication.

If you let them start blocking port 25 to protect users, they might start
blocking other commonly used ports to "protect users". I.e., your yahoo
client no longer works, but your msn one does. This wouldn't be good for
anybody.

> why can't they at least detect spam runs as they happen, and put rate
> limits on them? Why can't they detect a spam run in progress by
> looking for inordinate amounts of MX lookups being made by an infected
> customer?

How can they tell the difference between a spam bot, or an email server
processing a large legitimate mailing list?

> What exactly does a given ISP do when they learn about spam being
> emitted by one of their several-million customers? Do they call the
> customer? Send them an e-mail? Perform an on-site service call?
> Please explain what happens in your part of the world.

The ISP here doesn't do very much. They will send you an email to your
isp email account; that hardly anyone actually sets up to use. If the
problem isn't resolved, your cable modem goes down and you wind up
calling them to see what the problem is. At that point, they tell you
your computer has a problem and it has to be checked out by a
technician/store and then you have to show them you had this done. Then
they turn your connection back on. They do not attempt to educate the
user so that this doesn't happen again.

As an experiment, 1 year ago, I had a computer here ping flood a machine
at another site for over 4 days before the cable co noticed this.
Luckily I had permission to do this, but that's just an example of how
concerned they are.




--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: (e-mail address removed)
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
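The MX-lookup heuristic proposed above, and Dustin's objection that a list server looks the same, as an added example that is not code from the thread: a sliding-window detector over resolver logs that flags a client resolving many distinct MX records in a short window, with an allowlist of registered mail senders as the assumed way an ISP would separate a legitimate list server from a bot. The log format and the 10.0.0.x addresses are constructed for this example.

```python
"""Flag clients whose MX lookups for distinct domains exceed a threshold
inside a sliding time window. A legitimate mailing-list server produces
the same pattern, so an allowlist of registered senders is applied first
(an assumed operational control, not something the thread describes).
Log format is constructed for this example: "<ISO time> <client> <qtype>
<qname>", one query per line, in chronological order."""
from collections import defaultdict, deque
from datetime import datetime


def build_sample_log() -> str:
    """Constructed resolver log: a bot, a list server, a retrying client
    and an ordinary user, all inside one 60-second window."""
    lines = []
    for i in range(25):
        t = f"2007-08-01T10:00:{i:02d}"
        lines.append(f"{t} 10.0.0.9 MX victim{i}.example")   # bot: 25 distinct domains
        lines.append(f"{t} 10.0.0.20 MX member{i}.example")  # list server: same shape
        lines.append(f"{t} 10.0.0.7 MX isp-mail.example")    # retries, one domain only
    lines.append("2007-08-01T10:00:30 10.0.0.5 A www.example.org")
    lines.append("2007-08-01T10:00:31 10.0.0.5 MX example.org")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def detect_mx_bursts(log_text: str, window_s: int = 60, threshold: int = 20,
                     allowlist: frozenset = frozenset()) -> dict:
    """Return {client: peak number of distinct MX domains seen within any
    window_s-second window} for clients that reach the threshold and are
    not allowlisted. Counting distinct domains (not raw queries) keeps a
    client retrying its own ISP's MX from tripping the detector."""
    recent = defaultdict(deque)   # client -> deque of (timestamp, domain)
    peak = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, client, qtype, qname = line.split()
        if qtype != "MX" or client in allowlist:
            continue
        ts = datetime.fromisoformat(stamp)
        window = recent[client]
        window.append((ts, qname.lower()))
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()      # drop queries that aged out of the window
        distinct = len({domain for _, domain in window})
        if distinct > peak.get(client, 0):
            peak[client] = distinct
    return {client: n for client, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    registered_senders = frozenset({"10.0.0.20"})   # assumed ISP relay registry
    print(detect_mx_bursts(SAMPLE_LOG, allowlist=registered_senders))
    # without the allowlist the list server is indistinguishable from the bot
    print(detect_mx_bursts(SAMPLE_LOG))
```

The detector only produces a candidate list; the rate limit the post asks for would be applied to those clients, which is a far smaller step than cutting their connection.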
 
Dustin Cook

Virus Guy said:
> But do AV vendors have the ability to incorporate PDF decoding
> routines into their software without paying Adobe for a license fee?

I'm sure they do. The format is open, anybody can write a util to
read/write the file. Do a google search sometime, you might learn a thing
or two.


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: (e-mail address removed)
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
 
Dustin Cook

Virus Guy said:
> The PDF examples I've seen from a week or two ago were for Chinese
> stocks - which is strange given that the spam was in English (text,
> not image-based). You'd think that the target audience for Chinese
> stock spam would be Asia (if not China/Hong Kong/Taiwan) and would have
> been in kanji.
>
> "This group appears to target German stock market."
>
> So was the spam in English, or German?
>
> "You have also likely noted their shift in tactics from a simple
> text message in the PDF over to encoded images in the PDF (to
> foil pdf2text-like tools, I presume.)"
>
> Why the reference to "pdf2text" converter tools?
>
> A statement like that raises the question as to whether or not the PDF
> format is proprietary, even from an exploit or spam-detection point of
> view.

Cripes...
http://www.adobe.com/products/acrobat/adobepdf.html

Now quit saying it's proprietary.


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: (e-mail address removed)
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
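The shift from plain text to encoded images inside the PDF, quoted above, is exactly what a pdf2text-style filter misses. As an added example that is not from the thread or any tool it names, here is a small Python scanner that classifies a PDF as text, image-only or mixed by walking its objects; it handles uncompressed and FlateDecode streams only, and the three PDFs it inspects are constructed in the code (without xref tables, which the scanner never needs).

```python
import re
import zlib

# Object and stream syntax, enough for a scanner that never reads the xref.
OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"(.*?)stream\r?\n(.*?)\r?\nendstream", re.S)
IMAGE_RE = re.compile(rb"/Subtype\s*/Image\b")
FLATE_RE = re.compile(rb"/Filter\s*/FlateDecode\b")
# Text-showing operators: (..) Tj, [..] TJ, (..) ' and (..) "
TEXT_OP_RE = re.compile(rb"\)\s*Tj\b|\]\s*TJ\b|\)\s*'|\)\s*\"")
TJ_STRING_RE = re.compile(rb"\(((?:[^()\\]|\\.)*)\)\s*Tj\b")


def inspect_pdf(data: bytes) -> dict:
    """Count image XObjects and text-showing operators over every stream.
    Inline images (BI..EI) and filters other than FlateDecode are not
    handled; an undecodable stream is reported rather than ignored."""
    images = text_ops = undecodable = 0
    shown = []
    for obj in OBJ_RE.finditer(data):
        body = obj.group(1)
        if IMAGE_RE.search(body):
            images += 1           # image XObject: nothing for pdf2text to see
            continue
        m = STREAM_RE.search(body)
        if not m:
            continue              # dictionary-only object, no content
        header, payload = m.group(1), m.group(2)
        if FLATE_RE.search(header):
            try:
                payload = zlib.decompress(payload)
            except zlib.error:
                undecodable += 1  # a filter cannot inspect what it cannot decode
                continue
        text_ops += len(TEXT_OP_RE.findall(payload))
        shown.extend(s.group(1) for s in TJ_STRING_RE.finditer(payload))
    if text_ops and images:
        verdict = "mixed"
    elif text_ops:
        verdict = "text"
    elif images:
        verdict = "image-only"
    else:
        verdict = "empty"
    return {"verdict": verdict, "images": images, "text_ops": text_ops,
            "undecodable": undecodable, "text": b" ".join(shown)}


def make_pdf(content: bytes, extra_objs: bytes = b"", flate: bool = False) -> bytes:
    """Build a one-page PDF around a content stream (constructed test data)."""
    filt = b""
    if flate:
        content, filt = zlib.compress(content), b" /Filter /FlateDecode"
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R\n",
        b"   /Resources << /XObject << /Im1 5 0 R >> >> >> endobj\n",
        b"4 0 obj << /Length %d%s >>\nstream\n" % (len(content), filt),
        content, b"\nendstream\nendobj\n", extra_objs,
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


# A 1x1 grey image XObject, the kind of object image-only spam is built from.
IMAGE_OBJ = (b"5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1\n"
             b"   /ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >>\n"
             b"stream\n\xff\nendstream\nendobj\n")
TEXT_STREAM = b"BT /F1 12 Tf 72 700 Td (BUY STOCK XYZ NOW) Tj ET"
TEXT_PDF = make_pdf(TEXT_STREAM)
FLATE_PDF = make_pdf(TEXT_STREAM, flate=True)
IMAGE_PDF = make_pdf(b"q 200 0 0 100 50 600 cm /Im1 Do Q", extra_objs=IMAGE_OBJ)
```

An image-only verdict is the signal a gateway filter would route to image analysis rather than to its text classifier; the extracted text of a text verdict feeds the classifier directly.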
 
Dustin Cook

Virus Guy said:
> The question stands on its own and is separate from the implications
> of its answer.

Which you exhibit constantly.

> PDFs are still an ergonomically poor way to convey spam payload given
> the lack of automatic rendering. They may be in use now because the
> PDF format is somewhat proprietary. Commercial server and client-side
> filter software may not have permission or the license from Adobe to
> implement PDF decoding routines that are necessary for content
> inspection (but you would think it would be in Adobe's best interest
> to provide it to them gratis).
>
> Volume is not necessarily something they can increase whenever they
> want. Presumably they are always operating at 100% of their volume
> capability anyways.
>
> If you want to run an RBL that people will use and trust not to give
> them false positives, you have no choice but to track spam sources at
> the individual IP level. I believe that there are RBLs that will
> return the status of an IP (whether it lies in a static or dynamic
> range assignment, or whether it belongs to a residential ISP) which a
> mail server can use as the basis to block mail from said IP.
>
> Then why don't they block port-25 on their outbound? Why are the big
> US cable and telco providers of residential internet service still the
> biggest sources of trojanized spam bots? If they don't block port-25,

Where do you get this information from? Much spam I find isn't from the
USA at all.



--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: (e-mail address removed)
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
 
Fenton

kurt said:
> that pdf links have to be clicked on before the pdf can be rendered is
> just as irrelevant... i have to click on links to websites to get them
> to render too, so there is no difference from a user's perspective...

I think Virus Guy was trying to say this: "Sure there is, because you can't
wrap anything around it. One click can take you to a page with text and an
image ... OR a link to a PDF that opens in its own "page" ... but you can't
single to a page with text and have a PDF appear on that page. You might have
a link to a PDF, but not the PDF itself."

Then, Kurt said well, you gotta click anyway....

But both of you are wrong, of sorts: You can indeed embed a PDF. It's just
that no one does it, and some browsers show you only the first page.
 
kurt wismer

sorry for the late reply, i haven't been giving myself a lot of time to
do much outside of home reno...
Fenton said:
> I think Virus Guy was trying to say this: "Sure there is, because you can't
> wrap anything around it. One click can take you to a page with text and an
> image ... OR a link to a PDF that opens in its own "page" ... but you can't
> single to a page with text and have a PDF appear on that page. You might have
> a link to a PDF, but not the PDF itself."

not to put too fine a point on it, but the user doesn't know anything
about wrapping content around other content... you're thinking like a
developer...

> Then, Kurt said well, you gotta click anyway....
>
> But both of you are wrong, of sorts: You can indeed embed a PDF. It's just
> that no one does it, and some browsers show you only the first page.

you'd still have to click on a link to take you to the page where it's
embedded...
 