Old 07-11-2007, 11:44 PM   #15
Virus Guy
Guest
Re: New .PDF malware (?)

Leythos wrote:

>>>>> Perhaps the recent PDF malware can be detected without
>>>>> implementing a complete PDF decoding/rendering engine.


>>>> The recent PDF SPAM run is *not* malware. It's just *SPAM*...


>>> Then you're just not seeing it with the tools you have. I've
>>> seen plenty listed as Generic.Peed.Eml by several products.


>> Don't you mean detected only by BitDefender (as generic)?
>> Probably FP... Did you submit them to any other AV companies?
>> Virus Total? Jotti?
>> Recent change in Stock-Spam Tactics (PDF and excel):
>> http://isc.sans.org/diary.html?storyid=3177


The PDF examples I've seen from a week or two ago were for Chinese
stocks - which is strange given that the spam was in English (text,
not image-based). You'd think that the target audience for Chinese
stock spam would be Asia (if not China/Hong Kong/Taiwan) and would have
been in kanji.

"This group appears to target German stock market."

So was the spam in English, or German?

"You have also likely noted their shift in tactics from a simple
text message in the PDF over to encoded images in the PDF (to
foil pdf2text-like tools, I presume.)"

Why the reference to "pdf2text" converter tools?

A statement like that raises the question as to whether or not the PDF
format is proprietary, even from an exploit or spam-detection point of
view.

> Nope, they were not detected as the above until last week,
> and most of them are still just PDFs without malware.


Any PDFs that were/are truly PDF (not exploits) wouldn't be flagged
by AV software or AV sites as malware. Doesn't matter if they're spam
or not.