How do .PDF viruses work? Where is a malware website?


I saw Rafter opined on PDF vector virus/malware/badware in another thread that Dust in had polluted, so I repost in this one.

I am curious how a PDF virus would work.  On occasion I get updates from Adobe Acrobat Reader saying they are trying to close some potential security exploit in reading PDF, but I've never heard of a PDF virus.  Anybody?  How would that work?  Is there a link to one?  A newspaper article, not a malware website.

Speaking of malware websites, where is one that we can test using TotalVirus to see if it's a bad website?

RL

Re: How do .PDF viruses work? Where is a malware website?

It happens that RayLopez99 formulated :

Strictly speaking a PDF file is a data file and cannot be infected. So,  
there is no such thing as a PDF "virus". A PDF file could carry a virus  
or be used as a vector to get any other kind of malware. Mostly what I  
have seen are PDF reader exploits that have a 'download and execute'  
payload (which could be a virus) which makes the PDF a trojan  
downloader.


Here's one example, but *not* a virus. It is exploit based malware and  
viruses don't *need* an exploit.

http://nakedsecurity.sophos.com/2012/04/05/ccittfax-pdf-malware/

VirusTotal is a file submission service, that is entirely different  
from a website rating service.

http://www.malwarehelp.org/freeware-open-source-commercial-website-security-tools-services-downloads.html



Re: How do .PDF viruses work? Where is a malware website?



PDF files can't store executables so that it can't carry a virus but it is  
possible to embed a trojan such as a Wimad although I have not seen this.  
On the same line of documents, I have seen embedded malware in MS Office  
.DOC files but all were trojans and not viruses.  But it is conceivable for  
a .DOC to have contained a Parite or Virut dropper instead or even a  
Zapchast.  Ten years or so ago we had a rash of Macro Viruses in MS Office  
documents and they also crossed OS' (they are pretty much history now).  
Along the same lines, Virut does add code to HTML files to help further the  
spread of its payload.

Specifically with PDF files, they are 99% used in an exploit vector.

While viruses do not "need" an exploit, they may use exploitation to  
increase their effectiveness in spreading their payload.  Examples might be  
GAOBot and RBot.


--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: How do .PDF viruses work? Where is a malware website?

David H. Lipman formulated the question :

http://blog.didierstevens.com/2010/03/29/escape-from-pdf/

They're not supposed to be able to 'execute' an embedded executable,  
but they are (or may be) binary.


I was just trying to say that support for scripting in the  
reader/client opens up the PDF 'data' file to the same sort of thing  
that the DOC 'data' file had with macro support. Any "virus" would be a  
script (or macro in the case of DOC) virus *not* a PDF virus.

I was trying to stress the point to Ray that "viruses" had to be  
addressed apart from other malware types. A PDF can carry executable  
binary code and script, the script should have limitations imposed upon  
it, and any executable content should not be able to be executed by the  
reader from actions in the same document that contains it.



Re: How do .PDF viruses work? Where is a malware website?



I'm not in disagreement with anything you wrote.  Just amplifying and  
hopefully clarifying.

--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: How do .PDF viruses work? Where is a malware website?

David H. Lipman laid this down on his screen :

As you know, Ray is opposed to differentiating viruses from other  
malware. Then, he asks a question where that differentiation is  
important. Opening a PDF might very well result in one having a virus,  
but that does not mean a "PDF virus" exists any more than that an  
"e-mail virus" exists because of some e-mail vector virus.

How are you holding up after all of the bad weather? Hell, it looks  
like your area can't catch a break.



Re: How do .PDF viruses work? Where is a malware website?



I'm good.  Thanx for asking.
My neighbour's however are f**ked.

This is now the new normal for post-Sandy recovery...
http://multi-av.thespykiller.co.uk/other/IMG_3912.jpg
http://multi-av.thespykiller.co.uk/other/IMG_3915.jpg



--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: How do .PDF viruses work? Where is a malware website?

On Sun, 24 Feb 2013 12:14:07 -0500, "David H. Lipman"
viruses work?  Where is a malware website?:


Wow!  It looks like they are raising that house by about 5'.  Any idea
what something like that costs?  I'm just curious.

Re: How do .PDF viruses work? Where is a malware website?



No idea.  But if one wants relatively inexpensive home owner's insurance  
that's the requirement.  It is set by new FEMA flood plain maps.  The zone  
then determines the minimum jacking height.

--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: How do .PDF viruses work? Where is a malware website?

On Sun, 24 Feb 2013 12:14:07 -0500, David H. Lipman wrote:


Hell! That second one looks a bit precarious to say the least!



--  
"I grabbed a pile of dust, and holding it up, foolishly asked for as many
birthdays as the grains of dust, I forgot to ask that they be years of  
youth. "
-Ovid (Publius Ovidius Naso (20 March 43 BC - AD 17/18))

Re: How do .PDF viruses work? Where is a malware website?




I can get an updated shot.

If you were to look at that building now you would see the building  
perimeter surrounded by a wall of cinder blocks with openings for the steel  
I-beams.


--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: How do .PDF viruses work? Where is a malware website?

On Sun, 24 Feb 2013 20:11:37 -0500, "David H. Lipman"
viruses work?  Where is a malware website?:


Yes, it looks like the house will be sitting on the cement (I doubt
cinder) blocks and those blocks are no doubt resting on foundation
footing of proper size to hold the weight of the house.  That area
under the house will be a nice size "crawl" space when finished.

Re: How do .PDF viruses work? Where is a malware website?




http://multi-av.thespykiller.co.uk/other/IMG_3918.jpg
http://multi-av.thespykiller.co.uk/other/IMG_3921.jpg


--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: How do .PDF viruses work? Where is a malware website?

On Mon, 25 Feb 2013 09:44:13 -0500, "David H. Lipman"
viruses work?  Where is a malware website?:


Looks like it's being raised about 7'.

Re: How do .PDF viruses work? Where is a malware website?



That was my guesstimate assuming the blocks are 8" and an allowance of 1" for  
joint cement @ 9 courses.

--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: How do .PDF viruses work? Where is a malware website?

After serious thinking David H. Lipman wrote :

Thanks for the pictures. Glad you are okay, it took you quite a while  
to start posting again.



Re: How do .PDF viruses work? Where is a malware website?




The reasons are many and complicated  ;-(

--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: How do .PDF viruses work? Where is a malware website?

RayLopez99 wrote:  

> Acrobat Reader saying they are trying to close some potential security exploit
> in reading PDF, but I've never heard of a PDF virus.  Anybody?  How would that
> work?  Is there a link to one?  A newspaper article, not a malware website.

Why not a malware website?  

This has the latest .pdf threats and code samples:

http://www.malwaretracker.com/pdfthreat.php


Re: How do .PDF viruses work? Where is a malware website?

on 2/24/2013, G. Morgan supposed :

ITHM he didn't want a landing page. :D



Re: How do .PDF viruses work? Where is a malware website?

On Sunday, February 24, 2013 5:33:03 PM UTC+2, G. Morgan wrote:

Thanks G. Morgan.

As for Rafter and David H. Lipman's points, while they were good in theory, they did not really get into the mechanics of how a PDF downloader would work.  But using my superior intellect I was able to answer this.

For example, if you go to Adobe Preferences, then click on Trust Manager, you can see the checkboxes (which are usually checked) "Allow Opening of non-PDF file attachments with external applications".

If you check that checkbox, then your PDF can launch badware.  It's that simple.

Thanks to *me* for answering my *own* question.  And I don't pretend to be an "expert" like some people here, eh Rafter and DHL?  Ha ha ha.  You people amuse me almost as much as the fraud Dustbin, who claims to be a super-duper hacker yet he cannot write a "HELLO WORLD" program.

Goodbye.

RL
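As an added example, not code from this thread or from any tool it links to, here is a small Python triage script for the document features Rafter and RL describe above: script actions, Launch actions that hand a non-PDF attachment to an external application, and embedded files. It also catches names hidden by PDF hex escapes or inside compressed object streams, where a plain string search misses them. The sample PDF fragments and all function names are constructed for this example.

```python
import re
import zlib
# Added triage helper (not anyone's published tool); names that warrant a look.
RISKY_NAMES = {
    "/JavaScript": "embedded JavaScript",
    "/JS": "JavaScript code or stream reference",
    "/Launch": "Launch action (opens a file or external application)",
    "/EmbeddedFile": "embedded file, possibly a non-PDF attachment",
    "/OpenAction": "action run automatically when the document opens",
}
NAME_RE = re.compile(rb"/[A-Za-z0-9#]+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def decode_name(raw: bytes) -> str:
    """Undo PDF name hex escapes: b'/J#61vaScript' becomes '/JavaScript'."""
    hexpair = lambda m: bytes([int(m.group(1), 16)])
    return re.sub(rb"#([0-9A-Fa-f]{2})", hexpair, raw).decode("latin-1")

def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every zlib stream so names hidden in object
    streams are scanned too; non-zlib streams (images, fonts) are skipped."""
    inflated = []
    for m in STREAM_RE.finditer(data):
        try:  # decompressobj tolerates a stream cut short by a sloppy /Length
            inflated.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass
    return data + b"\n".join(inflated)

def scan_pdf(data: bytes) -> dict:
    """Return {name: count} for every risky name in the raw or inflated PDF."""
    found = {}
    for m in NAME_RE.finditer(inflate_streams(data)):
        name = decode_name(m.group(0))
        if name in RISKY_NAMES:
            found[name] = found.get(name, 0) + 1
    return found

def build_sample(obj_body: bytes, compress: bool = False) -> bytes:
    """Constructed, non-renderable PDF fragment holding one object, optionally
    wrapped in a FlateDecode stream the way real object streams are."""
    if compress:
        body = zlib.compress(obj_body)
        obj_body = (b"<< /Filter /FlateDecode /Length %d >>\nstream\n"
                    % len(body)) + body + b"\nendstream"
    return b"%PDF-1.7\n1 0 obj\n" + obj_body + b"\nendobj\n%%EOF\n"
# Constructed samples: auto-run JavaScript, hex-obfuscated Launch, plain page.
OPEN_ACTION_JS = b"<< /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>"
HEX_LAUNCH = b"<< /Type /Action /S /L#61unch /Win << /F (example) >> >>"
BENIGN_PAGE = b"<< /Type /Page /MediaBox [0 0 612 792] /Contents 3 0 R >>"
```

A hit is a reason to open the file in a sandboxed or script-disabled reader and look closer, not proof of malice; many legitimate forms use JavaScript and attachments.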
