Even if checking and protecting such a feature against malicious usage should
be the first thing to do, I fear that this feature was pushed by people at Adobe
who want to see PDF as an Internet standard for as many things as possible,
careless of drawbacks like undetectable malicious content.

If Adobe didn't publish the "embedded, encrypted PDF" how-to, I believe it
wouldn't become widely used. If they publish this info, virus writers would
maybe be among the first to use it.

Zips containing scripts in order to bypass file-extension blocking would in fact
be a problem for "small zip file with suspicious content" blocking. But I think
we must do something here, because during the latest virus wave a week ago some
viruses passed our filters, and I fear not only ours but also most others'. If
virus writers notice that this works, the next wave will be specialized on this
technique.

Markus



________________________________

        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
        Sent: Tuesday, April 26, 2005 9:19 PM
        To: [email protected]
        Subject: Re: [Declude.Virus] Adobe PDF embedded attachment
        
        
        Marcus,
        
        IMO, it would be jumping the gun to start blocking before the
        exploits started to arrive, but it would be a good idea to research
        it to some extent.  It may be that it is impractical for virus
        writers to utilize this format due to the complexity of generating
        such a file, and virus scanners can pick up viruses in encrypted
        zips for instance when they aren't randomized.  The PDF encoding
        may be sufficiently complicated for this that they must use
        pre-generated files that could be picked up without any
        modifications.  Like encrypted zips, it may also be possible for
        Declude to pick up executable files within encrypted PDFs, and I
        would assume that they shouldn't be in there in the first place.
        Of course all of this is just speculation on my part, but one would
        of course hope that unlike the compression software companies,
        Adobe would have considered the potential of this being exploited.
        
        Personally I believe that the #1 impending problem may be more
        viruses using linked payloads in the future, where the executable or
        exploited scripting is hosted on the infected machine.  We have
        already seen several of these spread with some success, and spammers
        have been using links to exploited pages to install spyware
        (viruses) for over a year and a half now.  Since most viruses will
        likely use the IP address for the link in such an attack, and since
        some AV companies have already started coding definitions that
        catch this type of content, I have requested that Declude include a
        linked IP as a qualifying hit with PRESCAN ON so that it will send
        the message to the virus scanners.  This has also been discussed
        here in the past.
        
        Regarding the small zips with executables, I can certainly see a
        good reason for this, being that some of us tell our customers and
        those that they correspond with to zip up executables, otherwise
        they will be blocked with a notification.  Some are in fact small,
        especially scripts.  Knowing the size of the zip and potentially the
        included file extension is however an important heuristic that can
        be used in combination with other things to detect what is likely a
        virus that may have passed the virus scanning.
        
        Matt
        
        
        
        Markus Gufler wrote: 

                        Although Adobe recommends enabling scanning all
                        file types in order to scan a PDF (and ass/u/me'ing
                        its embedded contents as well), an AV scanner is
                        not currently going to be able to scan this
                        encrypted content until the content has been
                        rendered/unencrypted at the desktop.

                
                Is there any info from Adobe or any AV company about the
                ability/possibility to scan and detect such encrypted
                content?

                If there is any possibility to detect encrypted PDFs, I think
                Declude should be prepared to add "BANEXT ePDF" to the config
                file before the first worms appear...

                At this point maybe I can also place the feature request
                that we can block certain (archiving) file types if they have
                a small size and a suspicious file inside. For example all
                ZIP files below 100 kB with any executable file inside. This
                should help to block new virus variants until appropriate
                signatures are available from the AV companies. I'm not 100%
                sure, but I can't imagine why someone would send a legit zip
                file with a small executable inside.

                Markus
                
                
                ---
                This E-mail came from the Declude.Virus mailing list.  To
                unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
                type "unsubscribe Declude.Virus".    The archives can be found
                at http://www.mail-archive.com.
                
                
                  


        -- 
        =====================================================
        MailPure custom filters for Declude JunkMail Pro.
        http://www.mailpure.com/software/
        =====================================================


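The three gateway heuristics argued over in this thread (Markus's "small ZIP with an executable inside" rule, a check for a PDF that is both encrypted and carries an embedded file, and Matt's "link to a bare IP address" idea), as an added example written for this page. It is not Declude's, Adobe's or any AV vendor's code; the extension list, the 100 kB threshold (taken from Markus's suggestion), the verdict strings and the constructed sample ZIP/PDF bytes are all assumptions made here. The ZIP half relies on a real property of the format: member names and the encryption bit live unencrypted in the central directory, so a password on the archive does not hide what is inside from the filter.

```python
"""Attachment heuristics for the thread's three cases: a small ZIP with an
executable member (works on password-protected ZIPs too, because names and
the encryption bit are plaintext in the central directory), a PDF that is
encrypted and carries an embedded file (the standard security handler
encrypts strings and streams, not dictionary names), and body links to a
bare IP address. Added example, not Declude or Adobe code; the extension
list, the 100 kB limit and the verdict strings are assumptions."""
import io
import re
import struct
import zipfile
import zlib

EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".cpl"}
SMALL_ZIP_LIMIT = 100 * 1024          # threshold proposed in the thread
PDF_ENCRYPT = re.compile(rb"/Encrypt\b")
PDF_EMBEDDED = re.compile(rb"/(EmbeddedFiles?|Filespec)\b")
IP_LINK = re.compile(rb"https?://(?:\d{1,3}\.){3}\d{1,3}(?![\w.])", re.I)

def zip_members(data):
    """(name, is_encrypted) per file entry, taken from the central directory;
    nothing is decompressed or decrypted. Raises BadZipFile on non-ZIP data."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(i.filename, bool(i.flag_bits & 0x1))
                for i in zf.infolist() if not i.is_dir()]

def small_zip_with_executable(data, size_limit=SMALL_ZIP_LIMIT):
    """Names of executable members in a ZIP no larger than size_limit."""
    if len(data) > size_limit:
        return []
    try:
        members = zip_members(data)
    except zipfile.BadZipFile:
        return []                       # not a ZIP; other rules apply
    return [n for n, _enc in members
            if any(n.lower().endswith(e) for e in EXEC_EXTENSIONS)]

def pdf_attachment_flags(data):
    """(is_pdf, encrypted, has_embedded_file) from a byte scan of names.
    Caveat: names inside compressed object streams (PDF 1.5 /ObjStm) are
    invisible to this scan, so a miss is not proof of absence."""
    if not data.startswith(b"%PDF-"):
        return (False, False, False)
    return (True, bool(PDF_ENCRYPT.search(data)), bool(PDF_EMBEDDED.search(data)))

def has_ip_link(body):
    """True if the body links to a bare IP address instead of a hostname."""
    return IP_LINK.search(body) is not None

def attachment_verdict(data, size_limit=SMALL_ZIP_LIMIT):
    hits = small_zip_with_executable(data, size_limit)
    if hits:
        return "BLOCK: small ZIP with executable member(s): " + ", ".join(hits)
    is_pdf, enc, emb = pdf_attachment_flags(data)
    if is_pdf and enc and emb:
        return "HOLD: encrypted PDF with embedded file; scanner cannot inspect it"
    return "PASS"

# Constructed sample inputs: not real malware and not real documents.
def build_zip(name, payload, encrypted=False):
    """One-member stored ZIP packed by hand (zipfile cannot write the
    encryption bit). With the bit set the payload is opaque, the name is not."""
    flags, fname = (0x1 if encrypted else 0x0), name.encode()
    crc, size = zlib.crc32(payload) & 0xFFFFFFFF, len(payload)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, size, size, len(fname), 0) + fname + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0,
                          0, crc, size, size, len(fname), 0, 0, 0, 0, 0, 0) + fname
    end = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + end

def build_pdf(encrypted, embedded):
    """Minimal PDF-shaped bytes (not renderable) carrying the relevant names."""
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog"
    if embedded:
        pdf += (b" /Names << /EmbeddedFiles << /Names [(p.exe) 3 0 R] >> >> >> endobj\n"
                b"3 0 obj << /Type /Filespec /F (p.exe) /EF << /F 4 0 R >> >> endobj\n"
                b"4 0 obj << /Type /EmbeddedFile /Length 2 >> stream\nMZ\nendstream endobj\n")
    else:
        pdf += b" >> endobj\n"
    pdf += b"trailer << /Root 1 0 R" + (b" /Encrypt 5 0 R" if encrypted else b"") + b" >>\n%%EOF\n"
    return pdf

if __name__ == "__main__":
    samples = [("invoice.zip, plain, .exe inside", build_zip("invoice.exe", b"MZ" + b"\x90" * 40)),
               ("update.zip, encrypted, .js inside", build_zip("update.js", b"\x00" * 32, True)),
               ("report.zip, text only", build_zip("report.txt", b"quarterly figures")),
               ("doc.pdf, encrypted + embedded file", build_pdf(True, True)),
               ("doc.pdf, plain", build_pdf(False, False))]
    for label, blob in samples:
        print(f"{label:36s} -> {attachment_verdict(blob)}")
    print("bare IP link:", has_ip_link(b"click http://192.0.2.10/update.exe now"))
```

Run it as a script to see one verdict per constructed sample. The ZIP rule reads only the central directory, so the encrypted "update.zip" sample is still caught by its member name; that is exactly why a "small ZIP plus executable extension" heuristic is useful where the scanner itself is blind. The PDF rule is weaker: it is a plaintext byte scan, and a writer who packs the /Filespec and /EmbeddedFile dictionaries into a compressed object stream will not trip it, so treat a miss as "not seen" rather than "not there" before relying on it as an "ePDF" detector.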
