#11
Re: New .PDF malware (?)
"Virus Guy" <Virus@Guy.com> wrote in message
news:46C8FED8.193F48A8@Guy.com...
> Leythos wrote:
>> Our email filtering system, GFI Mail Essentials and Security
>> catches the malware in them, and they don't appear to be
>> licensed with Adobe.
> Perhaps the recent PDF malware can be detected without implementing a
> complete PDF decoding/rendering engine.

The recent PDF SPAM run is *not* malware. It's just *SPAM*...

-jen

#12
Re: New .PDF malware (?)
In article <Hhlyi.38215$pu2.31654@bignews1.bellsouth.net>,
jen@example.com says...
> "Virus Guy" <Virus@Guy.com> wrote in message
> news:46C8FED8.193F48A8@Guy.com...
> > Leythos wrote:
> >> Our email filtering system, GFI Mail Essentials and Security
> >> catches the malware in them, and they don't appear to be
> >> licensed with Adobe.
> > Perhaps the recent PDF malware can be detected without implementing a
> > complete PDF decoding/rendering engine.
>
> The recent PDF SPAM run is *not* malware. It's just *SPAM*...

Then you're just not seeing it with the tools you have. I've seen plenty
listed as Generic.Peed.Eml by several products.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Learn more about PCBUTTS1 and his antics and ethic and his perversion with Porn and Filth. Just take a look at some of the FILTH he's created and put on his website: http://www.webservertalk.com/message1907860.html 3rd link shows what he's exposed to children (the link I've included does not directly display his filth). You can find the same information by googling for 'PCBUTTS1' and 'exposed to kids'.

#13
Re: New .PDF malware (?)
"Leythos" <void@nowhere.lan> wrote in message
news:MPG.2133b08e8e32469f98992b@adfree.Usenet.com...
> In article <Hhlyi.38215$pu2.31654@bignews1.bellsouth.net>,
> jen@example.com says...
>> "Virus Guy" <Virus@Guy.com> wrote in message
>> news:46C8FED8.193F48A8@Guy.com...
>> > Leythos wrote:
>> >> Our email filtering system, GFI Mail Essentials and Security
>> >> catches the malware in them, and they don't appear to be
>> >> licensed with Adobe.
>> > Perhaps the recent PDF malware can be detected without implementing
>> > a complete PDF decoding/rendering engine.
>> The recent PDF SPAM run is *not* malware. It's just *SPAM*...
> Then you're just not seeing it with the tools you have. I've seen
> plenty listed as Generic.Peed.Eml by several products.

Don't you mean detected only by BitDefender (as generic)? Probably FP...
Did you submit them to any other AV companies? Virus Total? Jotti?

Recent change in Stock-Spam Tactics (PDF and excel):
http://isc.sans.org/diary.html?storyid=3177

-jen

#14
Re: New .PDF malware (?)
In article <hGmyi.39465$pu2.35719@bignews1.bellsouth.net>,
jen@example.com says...
> "Leythos" <void@nowhere.lan> wrote in message
> news:MPG.2133b08e8e32469f98992b@adfree.Usenet.com...
> > In article <Hhlyi.38215$pu2.31654@bignews1.bellsouth.net>,
> > jen@example.com says...
> >> "Virus Guy" <Virus@Guy.com> wrote in message
> >> news:46C8FED8.193F48A8@Guy.com...
> >> > Leythos wrote:
> >> >> Our email filtering system, GFI Mail Essentials and Security
> >> >> catches the malware in them, and they don't appear to be
> >> >> licensed with Adobe.
> >> > Perhaps the recent PDF malware can be detected without implementing
> >> > a complete PDF decoding/rendering engine.
> >> The recent PDF SPAM run is *not* malware. It's just *SPAM*...
> > Then you're just not seeing it with the tools you have. I've seen
> > plenty listed as Generic.Peed.Eml by several products.
>
> Don't you mean detected only by BitDefender (as generic)? Probably
> FP... Did you submit them to any other AV companies? Virus Total?
> Jotti?
> Recent change in Stock-Spam Tactics (PDF and excel):
> http://isc.sans.org/diary.html?storyid=3177

Nope, they were not detected as the above until last week, and most of
them are still just PDF's without malware. Only certain ones are malware
carriers - taking advantage of some new PDF exploit that I read about a
couple weeks ago.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

#15
Re: New .PDF malware (?)
Leythos wrote:
>>>>> Perhaps the recent PDF malware can be detected without
>>>>> implementing a complete PDF decoding/rendering engine.
>>>> The recent PDF SPAM run is *not* malware. It's just *SPAM*...
>>> Then you're just not seeing it with the tools you have. I've
>>> seen plenty listed as Generic.Peed.Eml by several products.
>> Don't you mean detected only by BitDefender (as generic)?
>> Probably FP... Did you submit them to any other AV companies?
>> Virus Total? Jotti?
>> Recent change in Stock-Spam Tactics (PDF and excel):
>> http://isc.sans.org/diary.html?storyid=3177

The PDF examples I've seen from a week or two ago were for Chinese
stocks - which is strange given that the spam was in English (text, not
image-based). You'd think that the target audience for Chinese stock
spam would be Asia (if not China/Hong Kong/Taiwan) and would have been
in kanji.

"This group appears to target German stock market."

So was the spam in English, or German?

"You have also likely noted their shift in tactics from a simple text
message in the PDF over to encoded images in the PDF (to foil
pdf2text-like tools, I presume.)"

Why the reference to "pdf2text" convertor tools? A statement like that
raises the question as to whether or not the PDF format is proprietary,
even from an exploit or spam-detection point of view.

> Nope, they were not detected as the above until last week,
> and most of them are still just PDF's without malware.

Any PDF's that were/are truly PDF (not exploits) wouldn't be flagged by
AV software or AV sites as malware. Doesn't matter if they're spam or
not.
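
Added example, not part of any post in this thread: a Python illustration of the idea raised above, sorting PDF attachments by counting name tokens in the raw bytes instead of decoding or rendering the file. The function names, the bucket labels, the images-without-fonts heuristic and the sample bytes are assumptions constructed for illustration.

```python
import re

# Name tokens a mail filter can count without rendering the document.
ACTIVE = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")
_NAME = re.compile(rb"/[^\s/<>\[\]()%{}]+")   # '/' followed by regular characters
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")      # #xx escape allowed inside a name

def pdf_names(data):
    """Every name token in the raw bytes, with #xx escapes decoded
    so an escaped spelling of a name still matches."""
    return [_HEX.sub(lambda m: bytes([int(m.group(1), 16)]), n)
            for n in _NAME.findall(data)]

def triage_pdf(data):
    """Sort an attachment into a coarse bucket from its name tokens alone."""
    if b"%PDF-" not in data[:1024]:
        return {"verdict": "not-pdf"}
    names = pdf_names(data)
    active = {k.decode(): names.count(k) for k in ACTIVE}
    images = sum(a == b"/Subtype" and b == b"/Image" for a, b in zip(names, names[1:]))
    fonts = names.count(b"/Font")
    if any(active.values()):
        verdict = "active-content"        # scripts, auto-actions, launch, attachments
    elif b"/ObjStm" in names:
        verdict = "needs-decompression"   # objects packed in compressed streams
    elif images and not fonts:
        verdict = "image-only"            # pictures, no text resources (assumed heuristic)
    else:
        verdict = "plain"
    return {"verdict": verdict, "images": images, "fonts": fonts, **active}

# Constructed samples (not taken from any real message).
IMAGE_SPAM = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"3 0 obj << /Type /XObject /Subtype /Image /Width 400 >> endobj\n%%EOF")
TEXT_DOC = (b"%PDF-1.4\n1 0 obj << /Type /Page /Resources << /Font << /F1 5 0 R >> >> >> endobj\n"
            b"5 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj\n%%EOF")
SCRIPTED = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj\n"
            b"4 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n%%EOF")

if __name__ == "__main__":
    for label, sample in (("image", IMAGE_SPAM), ("text", TEXT_DOC), ("scripted", SCRIPTED)):
        print(label, triage_pdf(sample))
```

Names stored inside compressed streams are invisible to a raw byte scan, which is why files with object streams get their own bucket rather than a clean verdict.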

#16
Re: New .PDF malware (?)
"Leythos" <void@nowhere.lan> wrote in message
news:MPG.2133c5ca8369375298992f@adfree.Usenet.com...
> In article <hGmyi.39465$pu2.35719@bignews1.bellsouth.net>,
> jen@example.com says...
>> "Leythos" <void@nowhere.lan> wrote in message
>> news:MPG.2133b08e8e32469f98992b@adfree.Usenet.com...
>> > In article <Hhlyi.38215$pu2.31654@bignews1.bellsouth.net>,
>> > jen@example.com says...
>> >> "Virus Guy" <Virus@Guy.com> wrote in message
>> >> news:46C8FED8.193F48A8@Guy.com...
>> >> > Leythos wrote:
>> >> >> Our email filtering system, GFI Mail Essentials and Security
>> >> >> catches the malware in them, and they don't appear to be
>> >> >> licensed with Adobe.
>> >> > Perhaps the recent PDF malware can be detected without
>> >> > implementing a complete PDF decoding/rendering engine.
>> >> The recent PDF SPAM run is *not* malware. It's just *SPAM*...
>> > Then you're just not seeing it with the tools you have. I've seen
>> > plenty listed as Generic.Peed.Eml by several products.
>> Don't you mean detected only by BitDefender (as generic)? Probably
>> FP... Did you submit them to any other AV companies? Virus Total?
>> Jotti?
>> Recent change in Stock-Spam Tactics (PDF and excel):
>> http://isc.sans.org/diary.html?storyid=3177
> Nope, they were not detected as the above until last week, and most of
> them are still just PDF's without malware. Only certain ones are
> malware carriers - taking advantage of some new PDF exploit that I
> read about a couple weeks ago.

Could you elaborate (and provide a cite) on this "new PDF exploit" you
read about a couple weeks ago that this so-called malware that only
BitDefender detects (generically) takes advantage of? The last PDF
vulnerability AFAIK was reported in January ...

Adobe Reader/Acrobat Multiple Vulnerabilities:
http://secunia.com/advisories/23483/...ated=1#related

-jen

#17
Re: New .PDF malware (?)
In article <6bqyi.19468$Lu.9500@bignews8.bellsouth.net>, jen@example.com
says...
> "Leythos" <void@nowhere.lan> wrote in message
> news:MPG.2133c5ca8369375298992f@adfree.Usenet.com...
> > In article <hGmyi.39465$pu2.35719@bignews1.bellsouth.net>,
> > jen@example.com says...
> >> "Leythos" <void@nowhere.lan> wrote in message
> >> news:MPG.2133b08e8e32469f98992b@adfree.Usenet.com...
> >> > In article <Hhlyi.38215$pu2.31654@bignews1.bellsouth.net>,
> >> > jen@example.com says...
> >> >> "Virus Guy" <Virus@Guy.com> wrote in message
> >> >> news:46C8FED8.193F48A8@Guy.com...
> >> >> > Leythos wrote:
> >> >> >> Our email filtering system, GFI Mail Essentials and Security
> >> >> >> catches the malware in them, and they don't appear to be
> >> >> >> licensed with Adobe.
> >> >> > Perhaps the recent PDF malware can be detected without
> >> >> > implementing a complete PDF decoding/rendering engine.
> >> >> The recent PDF SPAM run is *not* malware. It's just *SPAM*...
> >> > Then you're just not seeing it with the tools you have. I've seen
> >> > plenty listed as Generic.Peed.Eml by several products.
> >> Don't you mean detected only by BitDefender (as generic)? Probably
> >> FP... Did you submit them to any other AV companies? Virus Total?
> >> Jotti?
> >> Recent change in Stock-Spam Tactics (PDF and excel):
> >> http://isc.sans.org/diary.html?storyid=3177
> > Nope, they were not detected as the above until last week, and most of
> > them are still just PDF's without malware. Only certain ones are
> > malware carriers - taking advantage of some new PDF exploit that I
> > read about a couple weeks ago.
>
> Could you elaborate (and provide a cite) on this "new PDF exploit" you
> read about a couple weeks ago that this so-called malware that only
> BitDefender detects (generically) takes advantage of? The last PDF
> vulnerability AFAIK was reported in January ...
> Adobe Reader/Acrobat Multiple Vulnerabilities:
> http://secunia.com/advisories/23483/...ated=1#related

Nope, just surfing and read about it, didn't bookmark it or even care
where, sorry. As for the BitDefender, I can only say that few of the
other AV solutions have alerted on the new ones, but we still see both,
so there must be some difference in the PDF's - I'm not about to let one
through to play with it

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

#18
Re: New .PDF malware (?)
"Leythos" <void@nowhere.lan> wrote in message
news:MPG.2133f9cc76e90022989937@adfree.Usenet.com...
[snip]
>> Could you elaborate (and provide a cite) on this "new PDF exploit"
>> you read about a couple weeks ago that this so-called malware that only
>> BitDefender detects (generically) takes advantage of? The last PDF
>> vulnerability AFAIK was reported in January ...
>> Adobe Reader/Acrobat Multiple Vulnerabilities:
>> http://secunia.com/advisories/23483/...ated=1#related
> Nope, just surfing and read about it, didn't bookmark it or even care
> where, sorry. As for the BitDefender, I can only say that few of the
> other AV solutions have alerted on the new ones, but we still see
> both, so there must be some difference in the PDF's - I'm not about to
> let one through to play with it

And what other AVs besides BitDefender have reported them as malware, and
as what?

-jen

#19
Re: New .PDF malware (?)
In article <prqyi.19484$Lu.18380@bignews8.bellsouth.net>,
jen@example.com says...
>
> "Leythos" <void@nowhere.lan> wrote in message
> news:MPG.2133f9cc76e90022989937@adfree.Usenet.com...
> [snip]
> >> Could you elaborate (and provide a cite) on this "new PDF exploit"
> >> you read about a couple weeks ago that this so-called malware that only
> >> BitDefender detects (generically) takes advantage of? The last PDF
> >> vulnerability AFAIK was reported in January ...
> >> Adobe Reader/Acrobat Multiple Vulnerabilities:
> >> http://secunia.com/advisories/23483/...ated=1#related
> > Nope, just surfing and read about it, didn't bookmark it or even care
> > where, sorry. As for the BitDefender, I can only say that few of the
> > other AV solutions have alerted on the new ones, but we still see
> > both, so there must be some difference in the PDF's - I'm not about to
> > let one through to play with it
>
> And what other AVs besides BitDefender have reported them as malware, and
> as what?

I think that KAP picked up on a PDF in a user's PST file (not one of our
customers, a friend of a friend that brought their computer over for me
to look at), but I don't have it or the report with me now...

Sorry, when it comes to most of this crap I don't even bother looking
past the reject logs, too many years of trying to determine what they
wanted it to do and just getting old and not caring any more.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

#20
Re: New .PDF malware (?)
"Leythos" <void@nowhere.lan> wrote in message
news:MPG.2133fe81b606e77e989939@adfree.Usenet.com...
> In article <prqyi.19484$Lu.18380@bignews8.bellsouth.net>,
> jen@example.com says...
>> "Leythos" <void@nowhere.lan> wrote in message
>> news:MPG.2133f9cc76e90022989937@adfree.Usenet.com...
>> [snip]
>> >> Could you elaborate (and provide a cite) on this "new PDF exploit"
>> >> you read about a couple weeks ago that this so-called malware that
>> >> only BitDefender detects (generically) takes advantage of? The last PDF
>> >> vulnerability AFAIK was reported in January ...
>> >> Adobe Reader/Acrobat Multiple Vulnerabilities:
>> >> http://secunia.com/advisories/23483/...ated=1#related
>> > Nope, just surfing and read about it, didn't bookmark it or even
>> > care where, sorry. As for the BitDefender, I can only say that few of
>> > the other AV solutions have alerted on the new ones, but we still see
>> > both, so there must be some difference in the PDF's - I'm not about to
>> > let one through to play with it
>> And what other AVs besides BitDefender have reported them as malware,
>> and as what?
> I think that KAP picked up on a PDF in a user's PST file (not one of
> our customers, a friend of a friend that brought their computer over for
> me to look at), but I don't have it or the report with me now...
> Sorry, when it comes to most of this crap I don't even bother looking
> past the reject logs, too many years of trying to determine what they
> wanted it to do and just getting old and not caring any more.

So you don't really have anything (other than the BitDefender generic
catch) to back up your statement that the PDF SPAM runs are anything
other than SPAM. You didn't even submit the suspects to Virus Total or
Jotti. hmmm... not very convincing

-jen