
New virus travels in PDF files

By Stephen Shankland

Staff Writer, CNET News.com

August 7, 2001, 7:45 p.m. PT


Adobe's popular PDF file format--known to anyone who's ever called up a tax form on 
the IRS Web site--has generally been considered immune to viruses. But a new virus 
carried by programs embedded in PDF files raises concerns that the format itself could 
become susceptible.

On Tuesday morning, Network Associates' McAfee antivirus division became aware of the 
first virus--known as "Peachy"--that uses PDF to spread, said Vincent Gullotto, senior 
director of McAfee's Avert group.

Fortunately, those who are simply viewing a PDF, or Portable Document Format, file 
aren't vulnerable. The virus spreads only by way of Adobe's Acrobat software--the 
program used to create PDF documents--not through Acrobat Reader, the free program 
that is used to view the files.

"There is no way for this to affect Acrobat Reader," said Adobe's Sarah Rosenbaum, 
director of Acrobat product management. "The code in Acrobat that recognizes 
attachments does not exist in Reader."

Peachy exploits an Acrobat feature that allows people to embed other files within a 
PDF--attachments that can be opened only by people using Acrobat.

"Right now it's considered to be a low risk because we haven't seen it reported to us 
from a customer," Network Associates' Gullotto said.

But the Peachy virus raises the issue that PDF files--widely used to display documents 
within Web browsers and e-mail--could become a new channel for spreading viruses.

"What I'm concerned about here is that this could be a new frontier," said Richard 
Smith, chief technology officer of the Privacy Foundation. "It's considered to be a 
safe file format." Smith posted news of the virus to the Bugtraq security mailing list 

It's clear that if Adobe modified future versions of Reader so that it could read 
attachments embedded in PDF files, the program could fall victim to Peachy's 

Rosenbaum said that while it's possible Adobe might add attachment-handling capability 
in future editions of Acrobat Reader, the company has no immediate plans to do so.

Smith said he believes Acrobat Reader software ultimately could prove susceptible in 
any case. Indeed, the Computer Emergency Response Team posted news of a vulnerability 
in the Windows version of Acrobat in November 2000 that could let an outside attacker 
gain control over the computer of a person who simply viewed a PDF file. Adobe patched 
that hole.

Adobe said any popular software becomes a target for security attacks and Acrobat has 
crossed that threshold.

"I think the attraction...has reached a critical level recently," Rosenbaum said. 
"It's only been in the last 18 to 24 months that PDF...use has really exploded."

How Peachy works

Acrobat lets people embed different file types within a PDF, including everything from 
the VBScript programs--used in the LoveLetter virus--to an actual executable program, 
Gullotto said.

Peachy is named after a small game in a PDF file that involves finding peaches, 
Gullotto said. According to a person called Zulu, who said he wrote Peachy, showing 
the solution to the game runs a VBScript file.

The virus then spreads to others using e-mail addresses collected from Microsoft 
Outlook, Gullotto said. Using PDF bypasses the filters in newer versions of Outlook 
that ordinarily screen out VBScript files.

Through an agreement with Adobe announced in June, McAfee's software is able to scan 
PDF files, Gullotto said. However, as with other virus types, the software isn't 
always able to catch new viruses until its definitions are updated.

Updated virus descriptions released by McAfee next week will be able to detect Peachy, 
Gullotto said.

But Adobe doesn't currently plan to prevent VBScript or other files from running.

To prevent Peachy from being able to run, "the change we would have to make is not to 
allow VBScript attachments. That is a problem for a lot of our customers," she said. 
"If they change their opinion, we will do what they want."

Users with the full version of Acrobat will have to exercise caution when opening 
attachments to PDF files. However, opening attachments isn't automatic: A cautionary 
dialog box asks if the user wants to proceed.
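
The filtering gap described under "How Peachy works" (a script attachment riding inside a PDF past a filter that only looks at the outer file type) can be checked for at a mail gateway. The following is an added example, not code from the article, McAfee or Adobe: a heuristic Python triage that looks in raw PDF bytes for the format's attachment markers (/Filespec, /EF, /EmbeddedFile) and flags attached file names with script or executable extensions. The extension list and the sample bytes are constructed for illustration, and the check does not see names stored in compressed or encrypted objects.

```python
import os
import re

# Assumed block list for this illustration; tune it to local mail policy.
RISKY_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".exe", ".scr", ".bat", ".cmd", ".pif"}

NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")                    # /Embedded#46ile
LITERAL = re.compile(rb"/U?F\s*\(((?:\\.|[^\\()])*)\)", re.S)  # /F (name)
HEXSTR = re.compile(rb"/U?F\s*<([0-9A-Fa-f\s]*)>")              # /F <6e616d65>

# Constructed sample: a file specification pointing at an embedded file stream.
SAMPLE = (b"%PDF-1.3\n1 0 obj\n<< /Type /Filespec /F (solution.vbs) "
          b"/EF << /F 2 0 R >> >>\nendobj\n2 0 obj\n<< /Type /EmbeddedFile "
          b"/Length 5 >>\nstream\ndummy\nendstream\nendobj\n")


def _text(raw: bytes) -> str:
    """Decode a PDF string: UTF-16BE when it starts with a BOM, else Latin-1."""
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")


def _unescape(lit: bytes) -> bytes:
    """Resolve octal and single-character backslash escapes in a literal string."""
    lit = re.sub(rb"\\([0-7]{1,3})", lambda m: bytes([int(m.group(1), 8) & 0xFF]), lit)
    return re.sub(rb"\\(.)", rb"\1", lit, flags=re.S)


def scan_pdf(data: bytes) -> dict:
    """Heuristic triage of raw PDF bytes for attachments with risky names."""
    # Names may hex-escape characters, so normalise them before matching.
    flat = NAME_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)
    has_attachment = b"/EmbeddedFile" in flat or re.search(rb"/EF\b", flat) is not None
    names = {_text(_unescape(m.group(1))) for m in LITERAL.finditer(flat)}
    for m in HEXSTR.finditer(flat):
        digits = b"".join(m.group(1).split())
        if digits:
            digits += b"0" if len(digits) % 2 else b""   # odd length is zero-padded
            names.add(_text(bytes.fromhex(digits.decode("ascii"))))
    risky = sorted(n for n in names
                   if os.path.splitext(n.lower().rstrip(". "))[1] in RISKY_EXT)
    return {"has_attachment": has_attachment, "names": sorted(names),
            "risky": risky if has_attachment else []}


if __name__ == "__main__":
    print(scan_pdf(SAMPLE))
```

A hit is a reason to quarantine the message for a full scan; a miss is not proof the PDF carries no attachment.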
