New .PDF malware (?)

[Virus Guy]

I've received two e-mails today with the following characteristics:

Sending ip: 70.91.136.218, 83.174.248.144
Subject: (blank - no subject text)
User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)

No visible message body, only an attachment with one of these names:

message.zip (21,722 bytes)
request.zip (7.385 bytes)

They decompress to (respectively):
message.pdf (22,902 bytes, Friday Aug 3, 12:11:54 pm)
request.pdf (8,884 bytes, Friday Aug 3, 8:25:36 pm)

Both were submitted to VirusTotal (9:20 pm EST) and both showed 100%
clean
scan results.

Both files begin with this text:

%PDF-1.1

And contain this text within the first 200 bytes:

/Kids [3 0 R 4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R]
or
/Kids [3 0 R 4 0 R 5 0 R]

Either this is some new form of spam (where the message body is
contained in PDF file) or this is some new form of .PDF malware.

I can't see this as just a plain spam, delivered as a .PDF (because it
requires user intervention to render the body).

 

[Russg]

I've received two e-mails today with the following characteristics:

Sending ip: 70.91.136.218, 83.174.248.144
Subject: (blank - no subject text)
User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)

No visible message body, only an attachment with one of these names:

message.zip (21,722 bytes)
request.zip (7.385 bytes)

They decompress to (respectively):
message.pdf (22,902 bytes, Friday Aug 3, 12:11:54 pm)
request.pdf (8,884 bytes, Friday Aug 3, 8:25:36 pm)

Both were submitted to VirusTotal (9:20 pm EST) and both showed 100%
clean
scan results.

Both files begin with this text:

I can't see this as just a plain spam, delivered as a .PDF (because it
requires user intervention to render the body).

I've gotten those. They show up in my inbox and get past yahoo spam filter,
but they are spam for sure.

 

[Beauregard T. Shagnasty]

Either this is some new form of spam (where the message body is
contained in PDF file) or this is some new form of .PDF malware.

I can't see this as just a plain spam, delivered as a .PDF (because it
requires user intervention to render the body).

The spammers have been sending PDF spam - and now PDF spam in a zip file
- for several months. It's just a new way to get by the spam filters.

It's working. But it is still just spam.

 

[Virus Guy]

:

The spammers have been sending PDF spam - and now PDF spam in
a zip file - for several months. It's just a new way to get by
the spam filters.

I've asked this before regarding PDF files, and what OS component is
associated with viewing/rendering them (like tiff's or jpeg's or gif's
or xml, etc).

Spammers are wasting their time if it takes several apps and a little
manipulation for an end-user to actually lay their eyeballs on the
spam payload. I can't see the ergonomics of this working smoothly
when the spammer encodes his payload in a PDF file - and then wraps it
inside a .ZIP archive. Even if a user has a preview pane turned on,
he's not going to "see" the spam. So why go through all the hassle?

I've seen lots of .jpg and .gif spam, and given all the ways they can
render text as an image file, rotate it, add a little bit of speckle,
I can't see how a mail filter can be effective against that sort of
delivery mechanism to the point that they have to now resort to
something as stupid as a PDF wrapped in a ZIP file.

?

 

[Beauregard T. Shagnasty]

:
[Virus Guy wrote:]

The spammers have been sending PDF spam - and now PDF spam in a zip
file - for several months. It's just a new way to get by the spam
filters.

I've asked this before regarding PDF files, and what OS component is
associated with viewing/rendering them (like tiff's or jpeg's or
gif's or xml, etc).

Depends on the recipient's setup, of course. Many will have Acrobat
Reader, and late-model OS's will have unzip capabilities.

Spammers are wasting their time if it takes several apps and a little
manipulation for an end-user to actually lay their eyeballs on the
spam payload. I can't see the ergonomics of this working smoothly
when the spammer encodes his payload in a PDF file - and then wraps
it inside a .ZIP archive. Even if a user has a preview pane turned
on, he's not going to "see" the spam. So why go through all the
hassle?

Perhaps they feel that if they are getting through the filters, they
have succeeded. I suppose they feel that working to see it is better
than not receiving it at all. Maybe they will tire of it soon.

I've seen lots of .jpg and .gif spam, and given all the ways they can
render text as an image file, rotate it, add a little bit of speckle,
I can't see how a mail filter can be effective against that sort of
delivery mechanism to the point that they have to now resort to
something as stupid as a PDF wrapped in a ZIP file.

Personally, I don't like filters reading my content. Reading headers is
ok. One of my ISPs successfully traps these PDF spams because it blocks
just about any sender who is not a bonafide mail server; another that
uses SpamAssassin misses them.

 

[kurt wismer]

I've asked this before regarding PDF files, and what OS component is
associated with viewing/rendering them (like tiff's or jpeg's or gif's
or xml, etc).

there is no built in viewer for pdf's... you need to either install
adobe acrobat reader (which most people already have) or foxit pdf
reader (which people who are fed up with adobe already have)...

Spammers are wasting their time if it takes several apps and a little

it takes one app and it's an app that many people already have installed
because they've had to deal with pdf's before - in part because pdf's
are a standard way of distributing official documents...

manipulation for an end-user to actually lay their eyeballs on the
spam payload. I can't see the ergonomics of this working smoothly
when the spammer encodes his payload in a PDF file - and then wraps it
inside a .ZIP archive. Even if a user has a preview pane turned on,
he's not going to "see" the spam. So why go through all the hassle?

spam works in spite of the fact that a vanishingly small percentage of
the addressees actually see or respond to (by way of purchasing
whatever) the spam... the reason it works is because of the huge volume
sent out by any given spammer....

I've seen lots of .jpg and .gif spam, and given all the ways they can
render text as an image file, rotate it, add a little bit of speckle,
I can't see how a mail filter can be effective against that sort of
delivery mechanism to the point that they have to now resort to
something as stupid as a PDF wrapped in a ZIP file.

and yet ocr spam filters have been effective against many of those image
spam techniques...

it's not just compressed pdf's they're trying now, there's also word and
excel documents (and i'm sure powerpoint or some other format will be
soon to follow)...

 

[Virus Guy]

there is no built in viewer for pdf's... you need to either
install adobe acrobat reader (which most people already have)
or foxit pdf reader (which people who are fed up with adobe
already have)...

How many mass-market PC's (Dell, Gateway, etc) come with Acrobat
installed? (just wondering)

And when such software is installed, does it mean that your system
will render PDF's as thumbnails when looking at directory content, or
will index material inside a PDF when performing a text search on a
system?

When you receive an e-mail with an attached PDF, will the PDF
automatically be rendered in the preview pane like a gif or jpeg can
be?

I'm asking about the level of PDF integration of a typical system, way
beyond an app like acrobat.

it takes one app and it's an app that many people already have
installed because they've had to deal with pdf's before

Even when it's a zipped PDF?

spam works ... (numbers argument)

You still haven't addressed the fact that if it doesn't auto-open or
auto-render itself, your "vanishingly small" percentage of spam
responders just got even smaller. There becomes a point when
dimishing returns results in less of a return than the effort that
went into it. All the zombies that just spewed that useless e-mail
have now been blacklisted on various RBL's. That's a real cost to
spammers.

and yet ocr spam filters have been effective against many of
those image spam techniques...

Can you point to any web-resource that corroborates that statement?

 

[Postman Delivers]

How many mass-market PC's (Dell, Gateway, etc) come with Acrobat
installed? (just wondering)

Most PC's old or new with a linux operating systems come with Sun's Open
Office that will ask if you want it to open the PDF file...

JR the postman

 

[Virus Guy]

Most PC's old or new with a linux operating systems come with
Sun's Open Office that will ask if you want it to open the
PDF file...

Not exactly the data point I was looking for. Not a particularly
useful data point at that...

 

[kurt wismer]

How many mass-market PC's (Dell, Gateway, etc) come with Acrobat
installed? (just wondering)

how can i explain to you what a stupid question that is? acrobat is a
program that *A LOT* of people install after getting their computers
(though, i suspect it actually may come on dell computers)... anyone who
needs to deal with a pdf file (and, as i said, it's become a defacto
standard for official documents) are basically forced to install
acrobat unless they're fortunate enough to know of an alternative...

And when such software is installed, does it mean that your system
will render PDF's as thumbnails when looking at directory content, or
will index material inside a PDF when performing a text search on a
system?

no to both...

When you receive an e-mail with an attached PDF, will the PDF
automatically be rendered in the preview pane like a gif or jpeg can
be?

no, you have to click on it - which people who deal with pdf's have been
trained to do... i'm sorry if pdf's are foreign to you, but that's how
people interact with pdf's in the real world...

I'm asking about the level of PDF integration of a typical system, way
beyond an app like acrobat.

the integration stops at being able to click on a pdf link on the web
and have the document open in your browser window (which is really just
the acrobat browser plug-in rendering the document)...

Even when it's a zipped PDF?

yes, even when it's a zipped pdf because xp has native support for zip
compression...

You still haven't addressed the fact that if it doesn't auto-open or
auto-render itself, your "vanishingly small" percentage of spam
responders just got even smaller.

doesn't matter because of what you so eloquently dubbed the numbers
argument...

but as a point of fact, people actually are more likely to open pdf's
precisely because most of them have never heard of pdf-based image spam
before and are instead accustomed to pdf's only ever being official
documents (which implies they're important)...

There becomes a point when
dimishing returns results in less of a return than the effort that
went into it.

and your misunderstanding resides in the assumption that effort goes
into it... a spammer can easily send out millions of spams each day...

All the zombies that just spewed that useless e-mail
have now been blacklisted on various RBL's. That's a real cost to
spammers.

???? more misunderstanding... if you blacklisted every domain (or even
just ip's) with zombies on them you'd wind up blacklisting every isp in
existence... rbl's don't do that because they know it's pointless...
isp's try to stomp out the zombies on their networks but for each one
they take out another one pops up so no isp of any significant size will
ever be free of zombies...

on top of that, not everyone uses rbl's to mitigate spam...

Can you point to any web-resource that corroborates that statement?

http://www.virusbtn.com/spambulletin/archive/2006/11/sb200611-image

 

[Mac Cool]

kurt wismer:

it actually may come on dell computers

it does

 

[Dave Cohen]

kurt wismer:


it does

And anything else that is mass marketed. I send out a newsletter using
..pdf and every recipient already had acrobat (sometimes a pretty old
version though).
Dave Cohen

 

[Virus Guy]

how can i explain to you what a stupid question that is?

You are stupid for mis-interpreting it.

acrobat is a program that *A LOT* of people install after
getting their computers

No shit sherlock. That's not the answer to my question.

no, you have to click on it - which people who deal with pdf's
have been trained to do... i'm sorry if pdf's are foreign to
you, but that's how people interact with pdf's in the real world

Don't be a smart-ass. The point I'm making is that if you're a
spammer, you want your recipients to see your shit. People are MORE
prone to NOT click on something in e-mail, moreso than they are PRONE
to act like a trained dog and click on an attachment just because it's
a PDF.

???? more misunderstanding... if you blacklisted every domain

RBL's don't black-list domains

(or even just ip's) with zombies on them you'd wind up
blacklisting every isp in existence... rbl's don't do
that because they know it's pointless...

DNSRBL's do exactly that. They blacklist IP addresses. Individual IP
addresses.

isp's try to stomp out the zombies on their networks

These days, few if any ISP's do that.

http://www.virusbtn.com/spambulletin/archive/2006/11/sb200611-image

Interesting page, but I see no examples of slightly-rotated text that
is common in most image spams these days. I'm looking at a recent
spam where the background is multi-hued blue and the text is in red
letters (Discount Pharmacy online) the drug names are in white
(Viagra, Cialis, Ambien, etc) and the prices are in orange-yellow
($2.00 mostly).

As these images comes closer to replicating captcha, the OCR software
will have no chance.

 

[kurt wismer]

You are stupid for mis-interpreting it.


No shit sherlock. That's not the answer to my question.

because the question illustrates what emerson was talking about in his
famous quote about a foolish consistency... while it is generally true
that a dependency on software that didn't come pre-installed hurts one's
success rates, it's not always true...

moreover it's not the only part of the equation the spammers are looking
at... as good or bad as client-side anti-spam may be, gateway filters
take huge chunks out of the pool of potential recipients so the balance
between ease of use by the recipient and obfuscation from the filters is
shifting to favour obfuscation...

Don't be a smart-ass. The point I'm making is that if you're a
spammer, you want your recipients to see your shit.

and the point i'm making is that acrobat is virtually standard *in
spite* of not necessarily coming pre-installed...

People are MORE
prone to NOT click on something in e-mail, moreso than they are PRONE
to act like a trained dog and click on an attachment just because it's
a PDF.

spammers have always had a poor penetration rate with their
advertisements... if the new obfuscation reduces it they'll just do what
they've always done - make it up on volume...

RBL's don't black-list domains


DNSRBL's do exactly that. They blacklist IP addresses. Individual IP
addresses.

yeah, that's real useful in the dynamic ip world of home users where
most zombies are found...

These days, few if any ISP's do that.

in my part of the world they do...

Interesting page, but I see no examples of slightly-rotated text that
is common in most image spams these days. I'm looking at a recent
spam where the background is multi-hued blue and the text is in red
letters (Discount Pharmacy online) the drug names are in white
(Viagra, Cialis, Ambien, etc) and the prices are in orange-yellow
($2.00 mostly).

As these images comes closer to replicating captcha, the OCR software
will have no chance.

well, i'm no ocr spam filter developer... i just see a bunch of
techniques that one might naively assume would foil ocr but which ocr
has none-the-less overcome so when you say that rotation is one that ocr
*can't* overcome i'll have to take a page out of your book and ask if
you've got a web-resource that corroborates that statement...

(and frankly, when i was working in face recognition, slight rotation
was not a problem so i don't see why it should be a problem for
character recognition)

 

[Virus Guy]

because the question illustrates what emerson ....

The question stands on it's own and is separate from the implications
of it's answer.

foolish consistency...

Which you exhibit constantly.

and the point i'm making is that acrobat is virtually standard
*in spite* of not necessarily coming pre-installed...

PDF's are still an ergonomically poor way to convey spam payload given
the lack of automatic rendering. They may be in use now because the
PDF format is somewhat proprietary. Commercial server and client-side
filter software may not have permission or the license from Adobe to
impliment PDF decoding routines that are necessary for content
inspection (but you would think it would be in Adobe's best interest
to provide it to them gratis).

spammers have always had a poor penetration rate with their
advertisements... if the new obfuscation reduces it they'll
just do what they've always done - make it up on volume...

Volume is not necessarily something they can increase when-ever they
want. Presumably they are always operating at 100% of their volume
capability anyways.

yeah, that's real useful in the dynamic ip world of home
users where most zombies are found...

If you want to run an RBL that people will use and trust not to give
them false positives, you have no choice but to track spam sources at
the individual IP level. I believe that there are RBL's that will
return the status of an IP (whether it lies in a static or dynamic
range assignment, or whether it belongs to a residential ISP) which a
mail server can use as the basis to block mail from said IP.

in my part of the world they do...

Then why don't they block port-25 on their outbound? Why are the big
US cable and telco providers of residential internet service still the
biggest sources of trojanized spam bots? If they don't block port-25,
why can't they at least detect spam runs as they happen, and put rate
limits on them? Why can't they detect a spam run in progress by
looking for inordinate amounts of MX lookups being made by an infected
customer?

What exactly does a given ISP do when they learn about spam being
emitted by one of their several-million customers? Do they call the
customer? Send them an e-mail? Perform an on-site service call?
Please explain what happens in your part of the world.

 

[Fenton]

PDF's are still an ergonomically poor way to convey spam payload given
the lack of automatic rendering. They may be in use now because the
PDF format is somewhat proprietary. Commercial server and client-side
filter software may not have permission or the license from Adobe to
impliment PDF decoding routines that are necessary for content
inspection (but you would think it would be in Adobe's best interest
to provide it to them gratis).

I'm pretty certain the PDF specification is open to the public.

 

[kurt wismer]

ok, maybe i can explain this in a simpler way...

first:
a spammer has 2 choices, he can make his spam more readable so that the
people who do manage to receive it don't have to put as much work into
reading it, or he can make his spam more obfuscated so that it gets past
filters and reaches more inboxes...

while better readability is no guarantee of greater sales, less reach
*is* a guarantee of fewer sales...

second:
while pdf viewers may not be technically a standard part of the os they
are *effectively* a standard part of the os... just as flash-based ads
on the web are effective despite flash not coming pre-installed,
pdf-based spam can be effective without acrobat coming pre-installed...
when it comes to formats this popular the question of whether the reader
comes pre-installed simply does not matter...

kurt wismer wrote: [snip]

and the point i'm making is that acrobat is virtually standard
*in spite* of not necessarily coming pre-installed...

PDF's are still an ergonomically poor way to convey spam payload given
the lack of automatic rendering. They may be in use now because the
PDF format is somewhat proprietary. Commercial server and client-side
filter software may not have permission or the license from Adobe to
impliment PDF decoding routines that are necessary for content
inspection (but you would think it would be in Adobe's best interest
to provide it to them gratis).

no, the pdf format is more open than that... pdf is used as a spam
obfuscation technique simply because it's novel enough that existing
filters didn't have any handling for it yet...

Volume is not necessarily something they can increase when-ever they
want. Presumably they are always operating at 100% of their volume
capability anyways.

ummm, no... increasing volume can be as easy as building a bigger botnet...

[snip]

Then why don't they block port-25 on their outbound? Why are the big
US cable and telco providers of residential internet service still the
biggest sources of trojanized spam bots? If they don't block port-25,
why can't they at least detect spam runs as they happen, and put rate
limits on them? Why can't they detect a spam run in progress by
looking for inordinate amounts of MX lookups being made by an infected
customer?

What exactly does a given ISP do when they learn about spam being
emitted by one of their several-million customers? Do they call the
customer? Send them an e-mail? Perform an on-site service call?
Please explain what happens in your part of the world.

they cut off the customer's internet access... when the customer calls
to complain they inform the customer why their access was cut off and
tell them what they need to do to get it turned back on... the customer
may or may not be successful at removing the bot but with the internet
access cut off the zombie has been removed from the network...

someone i used to work with encountered this very situation with a large
isp known as rogers...

i understand that at least one 'solution' provider has developed
technology that would give isp's the power to let such affected
customers connect in a restricted fashion such that the only thing
they'd be able to do would be download tools the isp made available for
correcting the problem... unfortunately i can't think of the name right
now...

 

[Virus Guy]

I'm pretty certain the PDF specification is open to the public.

But do AV vendors have the ability to incorporate PDF decoding
routines into their software without paying Adobe for a license fee?

 

[Virus Guy]

first:
a spammer has 2 choices, he can make his spam more readable

but more filterable

or he can make his spam more obfuscated

less likely to be auto-filtered, but also less likely to be opened

while better readability is no guarantee of greater sales,
less reach *is* a guarantee of fewer sales...

Reach is a function of the size of a spam run. That being equal, it
becomes a question as to what spam will suffer more from filtering vs
from failure to open the attachment.

while pdf viewers may not be technically a standard part of
the os they are *effectively* a standard part of the os...
just as flash-based ads on the web are effective despite
flash not coming pre-installed,

Poor example.

Flash content is (usually) auto-rendered on a web page. PDF content
is NOT auto-rendered as a component of a page being viewed.

pdf-based spam can be effective without acrobat coming
pre-installed...

And if it remains un-installed on a given system - what then?

when it comes to formats this popular the question of whether
the reader comes pre-installed simply does not matter...

You are not correctly appraising the importance or exposure of the PDF
format to the typical person who responds to spam.

I could say that people who knowingly install acrobat on their systems
probably belong to the demographic of people who are least likely to
act on or respond to spam.

 

[Leythos]

But do AV vendors have the ability to incorporate PDF decoding
routines into their software without paying Adobe for a license fee?

Our email filtering system, GFI Mail Essentials and Security catches the
malware in them, and they don't appear to be licensed with Adobe.

--
Leythos - (e-mail address removed) (remove 999 to email me)

Learn more about PCBUTTS1 and his antics and ethic and his perversion
with Porn and Filth. Just take a look at some of the FILTH he's created
and put on his website: http://www.webservertalk.com/message1907860.html
3rd link shows what he's exposed to children (the link I've include does
not directly display his filth). You can find the same information by
googling for 'PCBUTTS1' and 'exposed to kids'.