Virus Guy
Since: Aug 05, 2005  Posts: 407
Posted: Fri Aug 03, 2007 9:45 pm  Post subject: New .PDF malware (?)
Archived from groups: alt.comp.anti-virus, others
I've received two e-mails today with the following characteristics:
Sending ip: 70.91.136.218, 83.174.248.144
Subject: (blank - no subject text)
User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
No visible message body, only an attachment with one of these names:
message.zip (21,722 bytes)
request.zip (7.385 bytes)
They decompress to (respectively):
message.pdf (22,902 bytes, Friday Aug 3, 12:11:54 pm)
request.pdf (8,884 bytes, Friday Aug 3, 8:25:36 pm)
Both were submitted to VirusTotal (9:20 pm EST) and both showed 100%
clean scan results.
Both files begin with this text:
%PDF-1.1
And contain this text within the first 200 bytes:
/Kids [3 0 R 4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R]
or
/Kids [3 0 R 4 0 R 5 0 R]
Either this is some new form of spam (where the message body is
contained in PDF file) or this is some new form of .PDF malware.
I can't see this as just a plain spam, delivered as a .PDF (because it
requires user intervention to render the body).
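A defender-side triage check for the attachment pattern described in this post (a ZIP wrapping a small PDF that starts with `%PDF-1.1` and shows a `/Kids` array within its first 200 bytes), added here as an example and not part of the original thread. The ZIP and PDF bytes are constructed for the example, and the function names are my own.

```python
import io
import re
import zipfile

# Constructed sample: a minimal PDF-like byte string carrying the two markers
# reported in the post (a %PDF-1.1 header and a /Kids array inside the first
# 200 bytes). These bytes are made up for the example, not the real sample.
SAMPLE_PDF = (
    b"%PDF-1.1\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R 4 0 R 5 0 R] /Count 3 >> endobj\n"
    b"%%EOF\n"
)

# Page-tree reference of the form "/Kids [3 0 R ..." as quoted in the post.
KIDS_RE = re.compile(rb"/Kids\s*\[\s*\d+\s+\d+\s+R")


def build_sample_zip(name="message.pdf", payload=SAMPLE_PDF):
    """Build an in-memory ZIP shaped like the attachment in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def triage_zip_attachment(zip_bytes, max_members=10):
    """Describe each ZIP member from its first 200 bytes only; nothing is
    rendered or executed. Returns one dict per member for a filter to score."""
    if not zip_bytes.startswith(b"PK\x03\x04"):
        return [{"error": "not a ZIP archive"}]
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist()[:max_members]:
            with zf.open(info) as member:
                head = member.read(200)
            is_pdf = head.startswith(b"%PDF-")
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "is_pdf": is_pdf,
                "pdf_version": head[5:8].decode("ascii", "replace") if is_pdf else None,
                "kids_in_first_200": bool(KIDS_RE.search(head)),
            })
    return findings


def looks_like_zipped_pdf_spam(findings):
    """Heuristic from the thread: a ZIP member that is a tiny PDF with its
    page tree already visible in the first 200 bytes."""
    return any(f.get("is_pdf") and f.get("kids_in_first_200") for f in findings)
```

The heuristic only scores the header bytes, so it is a cheap pre-filter for a mail gateway rather than a verdict; a matching attachment still deserves a full scan.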
Virus Guy
Since: Aug 05, 2005  Posts: 407
Posted: Sat Aug 04, 2007 12:44 am  Post subject: Re: New .PDF malware (?)
"Beauregard T. Nasty" wrote:
> > I can't see this as just a plain spam, delivered as a .PDF
> > (because it requires user intervention to render the body).
>
> The spammers have been sending PDF spam - and now PDF spam in
> a zip file - for several months. It's just a new way to get by
> the spam filters.
I've asked this before regarding PDF files, and what OS component is
associated with viewing/rendering them (like tiff's or jpeg's or gif's
or xml, etc).
Spammers are wasting their time if it takes several apps and a little
manipulation for an end-user to actually lay their eyeballs on the
spam payload. I can't see the ergonomics of this working smoothly
when the spammer encodes his payload in a PDF file - and then wraps it
inside a .ZIP archive. Even if a user has a preview pane turned on,
he's not going to "see" the spam. So why go through all the hassle?
I've seen lots of .jpg and .gif spam, and given all the ways they can
render text as an image file, rotate it, add a little bit of speckle,
I can't see how a mail filter can be effective against that sort of
delivery mechanism to the point that they have to now resort to
something as stupid as a PDF wrapped in a ZIP file.
?
Russg
Since: Apr 25, 2007  Posts: 8
Posted: Sat Aug 04, 2007 2:16 am  Post subject: Re: New .PDF malware (?)
"Virus Guy" <> wrote in message news:
> I've received two e-mails today with the following characteristics:
>
> Sending ip: 70.91.136.218, 83.174.248.144
> Subject: (blank - no subject text)
> User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
>
> No visible message body, only an attachment with one of these names:
>
> message.zip (21,722 bytes)
> request.zip (7.385 bytes)
>
> They decompress to (respectively):
> message.pdf (22,902 bytes, Friday Aug 3, 12:11:54 pm)
> request.pdf (8,884 bytes, Friday Aug 3, 8:25:36 pm)
>
> Both were submitted to VirusTotal (9:20 pm EST) and both showed 100%
> clean
> scan results.
>
> Both files begin with this text:
>
> I can't see this as just a plain spam, delivered as a .PDF (because it
> requires user intervention to render the body).
I've gotten those. They show up in my inbox and get past yahoo spam filter,
but they are spam for sure.
kurt wismer
Since: Jul 04, 2003  Posts: 1496
Posted: Sat Aug 04, 2007 2:15 pm  Post subject: Re: New .PDF malware (?)
Virus Guy wrote:
> "Beauregard T. Nasty" wrote:
>>> I can't see this as just a plain spam, delivered as a .PDF
>>> (because it requires user intervention to render the body).
>> The spammers have been sending PDF spam - and now PDF spam in
>> a zip file - for several months. It's just a new way to get by
>> the spam filters.
>
> I've asked this before regarding PDF files, and what OS component is
> associated with viewing/rendering them (like tiff's or jpeg's or gif's
> or xml, etc).
there is no built in viewer for pdf's... you need to either install
adobe acrobat reader (which most people already have) or foxit pdf
reader (which people who are fed up with adobe already have)...
> Spammers are wasting their time if it takes several apps and a little
it takes one app and it's an app that many people already have installed
because they've had to deal with pdf's before - in part because pdf's
are a standard way of distributing official documents...
> manipulation for an end-user to actually lay their eyeballs on the
> spam payload. I can't see the ergonomics of this working smoothly
> when the spammer encodes his payload in a PDF file - and then wraps it
> inside a .ZIP archive. Even if a user has a preview pane turned on,
> he's not going to "see" the spam. So why go through all the hassle?
spam works in spite of the fact that a vanishingly small percentage of
the addressees actually see or respond to (by way of purchasing
whatever) the spam... the reason it works is because of the huge volume
sent out by any given spammer....
> I've seen lots of .jpg and .gif spam, and given all the ways they can
> render text as an image file, rotate it, add a little bit of speckle,
> I can't see how a mail filter can be effective against that sort of
> delivery mechanism to the point that they have to now resort to
> something as stupid as a PDF wrapped in a ZIP file.
and yet ocr spam filters have been effective against many of those image
spam techniques...
it's not just compressed pdf's they're trying now, there's also word and
excel documents (and i'm sure powerpoint or some other format will be
soon to follow)...
--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
Virus Guy
Since: Aug 05, 2005  Posts: 407
Posted: Sat Aug 04, 2007 7:55 pm  Post subject: Re: New .PDF malware (?)
kurt wismer wrote:
> there is no built in viewer for pdf's... you need to either
> install adobe acrobat reader (which most people already have)
> or foxit pdf reader (which people who are fed up with adobe
> already have)...
How many mass-market PC's (Dell, Gateway, etc) come with Acrobat
installed? (just wondering)
And when such software is installed, does it mean that your system
will render PDF's as thumbnails when looking at directory content, or
will index material inside a PDF when performing a text search on a
system?
When you receive an e-mail with an attached PDF, will the PDF
automatically be rendered in the preview pane like a gif or jpeg can
be?
I'm asking about the level of PDF integration of a typical system, way
beyond an app like acrobat.
> > Spammers are wasting their time if it takes several apps and
> > a little
>
> it takes one app and it's an app that many people already have
> installed because they've had to deal with pdf's before
Even when it's a zipped PDF?
> spam works ... (numbers argument)
You still haven't addressed the fact that if it doesn't auto-open or
auto-render itself, your "vanishingly small" percentage of spam
responders just got even smaller. There becomes a point when
diminishing returns results in less of a return than the effort that
went into it. All the zombies that just spewed that useless e-mail
have now been blacklisted on various RBL's. That's a real cost to
spammers.
> > I can't see how a mail filter can be effective against that
> > sort of delivery mechanism to the point that they have to
> > now resort to something as stupid as a PDF wrapped in a ZIP
> > file.
>
> and yet ocr spam filters have been effective against many of
> those image spam techniques...
Can you point to any web-resource that corroborates that statement?
Postman Delivers
Since: Jun 06, 2007  Posts: 2
Posted: Sat Aug 04, 2007 11:46 pm  Post subject: Re: New .PDF malware (?)
On Sat, 04 Aug 2007 19:55:48 -0400, Virus Guy wrote:
> kurt wismer wrote:
>
>> there is no built in viewer for pdf's... you need to either
>> install adobe acrobat reader (which most people already have)
>> or foxit pdf reader (which people who are fed up with adobe
>> already have)...
>
> How many mass-market PC's (Dell, Gateway, etc) come with Acrobat
> installed? (just wondering)
>
Most PC's old or new with a Linux operating system come with Sun's Open
Office that will ask if you want it to open the PDF file...
JR the postman
Virus Guy
Since: Aug 05, 2005  Posts: 407
Posted: Sun Aug 05, 2007 11:23 am  Post subject: Re: New .PDF malware (?)
Postman Delivers wrote:
> > How many mass-market PC's (Dell, Gateway, etc) come with
> > Acrobat installed? (just wondering)
>
> Most PC's old or new with a linux operating systems come with
> Sun's Open Office that will ask if you want it to open the
> PDF file...
Not exactly the data point I was looking for. Not a particularly
useful data point at that...
kurt wismer
Since: Jul 04, 2003  Posts: 1496
Posted: Sun Aug 05, 2007 5:40 pm  Post subject: Re: New .PDF malware (?)
Virus Guy wrote:
> kurt wismer wrote:
>
>> there is no built in viewer for pdf's... you need to either
>> install adobe acrobat reader (which most people already have)
>> or foxit pdf reader (which people who are fed up with adobe
>> already have)...
>
> How many mass-market PC's (Dell, Gateway, etc) come with Acrobat
> installed? (just wondering)
how can i explain to you what a stupid question that is? acrobat is a
program that *A LOT* of people install after getting their computers
(though, i suspect it actually may come on dell computers)... anyone who
needs to deal with a pdf file (and, as i said, it's become a defacto
standard for official documents) are basically forced to install
acrobat unless they're fortunate enough to know of an alternative...
> And when such software is installed, does it mean that your system
> will render PDF's as thumbnails when looking at directory content, or
> will index material inside a PDF when performing a text search on a
> system?
no to both...
> When you receive an e-mail with an attached PDF, will the PDF
> automatically be rendered in the preview pane like a gif or jpeg can
> be?
no, you have to click on it - which people who deal with pdf's have been
trained to do... i'm sorry if pdf's are foreign to you, but that's how
people interact with pdf's in the real world...
> I'm asking about the level of PDF integration of a typical system, way
> beyond an app like acrobat.
the integration stops at being able to click on a pdf link on the web
and have the document open in your browser window (which is really just
the acrobat browser plug-in rendering the document)...
>>> Spammers are wasting their time if it takes several apps and
>>> a little
>> it takes one app and it's an app that many people already have
>> installed because they've had to deal with pdf's before
>
> Even when it's a zipped PDF?
yes, even when it's a zipped pdf because xp has native support for zip
compression...
>> spam works ... (numbers argument)
>
> You still haven't addressed the fact that if it doesn't auto-open or
> auto-render itself, your "vanishingly small" percentage of spam
> responders just got even smaller.
doesn't matter because of what you so eloquently dubbed the numbers
argument...
but as a point of fact, people actually are more likely to open pdf's
precisely because most of them have never heard of pdf-based image spam
before and are instead accustomed to pdf's only ever being official
documents (which implies they're important)...
> There becomes a point when
> diminishing returns results in less of a return than the effort that
> went into it.
and your misunderstanding resides in the assumption that effort goes
into it... a spammer can easily send out millions of spams each day...
> All the zombies that just spewed that useless e-mail
> have now been blacklisted on various RBL's. That's a real cost to
> spammers.
???? more misunderstanding... if you blacklisted every domain (or even
just ip's) with zombies on them you'd wind up blacklisting every isp in
existence... rbl's don't do that because they know it's pointless...
isp's try to stomp out the zombies on their networks but for each one
they take out another one pops up so no isp of any significant size will
ever be free of zombies...
on top of that, not everyone uses rbl's to mitigate spam...
>>> I can't see how a mail filter can be effective against that
>>> sort of delivery mechanism to the point that they have to
>>> now resort to something as stupid as a PDF wrapped in a ZIP
>>> file.
>> and yet ocr spam filters have been effective against many of
>> those image spam techniques...
>
> Can you point to any web-resource that corroborates that statement?
http://www.virusbtn.com/spambulletin/archive/2006/11/sb200611-image
--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
Mac Cool
Since: May 31, 2007  Posts: 10
Posted: Tue Aug 07, 2007 2:16 am  Post subject: Re: New .PDF malware (?)
kurt wismer:
> it actually may come on dell computers
it does
--
Mac Cool
Dave Cohen
Since: Oct 16, 2004  Posts: 54
Posted: Tue Aug 07, 2007 2:09 pm  Post subject: Re: New .PDF malware (?)
Mac Cool wrote:
> kurt wismer:
>
>> it actually may come on dell computers
>
> it does
>
And anything else that is mass marketed. I send out a newsletter using
.pdf and every recipient already had Acrobat (sometimes a pretty old
version though).
Dave Cohen