#31 |
Re: New .PDF malware (?)
Virus Guy wrote:
> kurt wismer wrote:
>
>>> I've never seen PDF content being auto-rendered either as its
>>> own page or as a component of page unlike other components of
>>> a typical web page (ie like html code, java script, JPG or
>>> GIF images, etc).
>>>
>>> In my experience, PDF material (PDF files) are always
>>> presented only as links that require the user to click on
>>> them in order to view them.
>>>
>>> What browser has the option of rendering PDF files
>>> "in-line" ?
>> again, round and round we go... the acrobat reader includes a
>> browser plugin that allows you to read pdf files right in your
>> browser...
>
> Why are you incapable of understanding a simple concept?
>
> I'm trying to point out to you that PDF code or PDF files are not
> automatically rendered in-line as a component of a web page and that
> they must be clicked on by the user in order to be rendered. That
> they can THEN be rendered within the browser by a plugin is
> irrelevant.

that pdf links have to be clicked on before the pdf can be rendered is
just as irrelevant... i have to click on links to websites to get them
to render too, so there is no difference from a user's perspective...

> I'll try to make this simple for you.
>
> If I view a web page that contains code to display a graphic bitmap
> (say, a jpeg or gif file) I will see the bitmap when I view the web
> page. I will NOT see a link to the bitmap that requires me to click
> on it to see it (unless that's how the web-author wants it to work).
>
> In contrast, PDF files are never rendered "in-line", automatically, as
> part of webpage content like a gif or jpeg bitmap.

no page is rendered automatically except your home page, every other
page is one you arrive at by clicking somewhere or typing in a url...
conventional web pages and pdf's are identical in this behaviour...

>> so you choose to believe that spam 'users' are less likely to
>> be pdf 'users' to a significant enough degree to make this
>> distinction worth pursuing...
>
> The home PC is common enough to be used by a wide range of people for
> a wide range of reasons. When we dissect and analyze things at this
> level, in the absence of other information, if I just had something as
> basic as the presence or absence of an installed pdf reader, if I had
> to form an opinion as to who is more likely to be spam-friendly, I
> would say it's the people without a PDF reader installed.

once again i say you're reading too much into things... i see no reason
to make the correlation you're making here between the absence of a pdf
reader and the likelihood of responding to spam... if that is what your
gut is telling you then fine, but i don't trust your gut...

>> somehow spam 'users' don't need government forms or product
>> documentation or any of those other things that require a
>> pdf viewer...
>
> Perhaps those people are kids or teenagers with PC's in their
> bedrooms.

yeah, because kids (who are generally lauded as being *more* savvy than
their parents) are the spam users...

> Perhaps they're senior citizens who have their kids do
> their taxes for them.

there's more to government forms than just taxes...

> I would expect (more often than not) both
> groups to not have PDF readers installed on their computers (unless it
> came pre-installed on them anyways).

i would expect kids (teenagers especially) to have pdf readers in order
to read papers they need to read to do homework and school projects...
did i neglect to mention that pdf's are used a lot for research papers
too?

> I would expect both groups to be
> more naive when it comes to spam as opposed to other groups - more
> likely to at least open and read it.

i don't see any reason to make age-based correlations with spam use...
experience-based correlations, perhaps (people who are new to the
internet are more likely to open spam than those who have been using it
frequently for 6+ months), but not age-based ones...

>> i think you're reading too much into the fact that they
>> respond to spam... i see no reason why they should be
>> significantly different from the average user as far as
>> pdf reader deployment goes...
>
> If the lack of an installed PDF reader on a system is an indication of
> a new or novice computer user,

a new or novice computer user may very well have a system where a pdf
reader is pre-installed because 'dude, you got a dell'... a new or
novice computer user is more likely to have gotten a system pre-loaded
with all kinds of things s/he doesn't need precisely because they're
novices...

[snip]

> I think we agree that resorting to the PDF format may be better (in
> the short term) for spammers to get their spam through to end users,
> but it's not a desirable format to ensure they actually see the
> payload.

given all the various obfuscation techniques that have been used in the
past, do you really think the spammers care that much about optimizing
readability?

> I'm going an extra step by saying that systems with PDF readers on
> them are more likely to be owned and operated by those that are (even
> slightly) more likely to recognize and delete spam without even
> reading it.

and those that bought from dell (or any other company that pre-loads
lots of 'useful' things to add value for the consumer)...

>>> Arguably Google has played a role in making the PDF
>>> format more common and exposing it to more people by
>>> presenting PDF material in its search results.
>> true, but it generally allows the user to 'view as html'
>> and as such doesn't necessarily drive people to install
>> pdf readers...
>
> I guess you like to argue with everything I say?
>
> Fine. Here's a counter-argument.
>
> The "view as html" is a very poor substitute vs viewing the original
> PDF document, so I wouldn't expect a given user to persistently view
> PDF files as html for very long before deciding to install a PDF
> reader.

i persistently use the view as html option, but i also persistently use
the view cache option as well... why? because then my search terms are
automagically highlighted for me... if someone doesn't have a pdf
reader installed and had the choice of clicking on the view as html
option or installing a pdf reader and then clicking the search result,
i would guess most would click on the view as html option because it
requires less clicks and less work... are they missing something by not
using a real pdf reader? sure, but they aren't likely to know they're
missing something because they aren't frequent enough consumers of pdf
documents to have a pdf reader installed...

>> the fact that it is a common format for many useful or
>> important documents means that many people are going to
>> be users...
>
> So what are you saying?
>
> That the number of systems currently without an installed PDF reader
> is zero?

now who's embellishing?

>> the fact that it has such a wide variety of uses means
>> that it will have a broad pool of users
>
> You're now arguing that a PDF reader is likely to be installed on the
> majority of systems. I'm not disputing that. I would tend to agree,
> and the fact that it comes pre-installed by some large vendors
> certainly helps that argument.
>
> But I'm betting that there are systems out there that don't have it
> installed.

and i'm betting that at least one bear shits in the woods... of course
there are systems that don't have it, but the correlations you're
making between not having it and responding to spam don't seem well
founded to me...

[snip]

>>> Clearly this conversation pertains to situations (or the
>>> implications) of a PDF reader NOT being pre-installed by
>>> a vendor,
>> no, clearly this conversation pertains to how *insignificant*
>> those situations are to the spammer...
>
> Isn't that an implication of whether or not a PDF reader is installed
> (by the vendor)? Which is what I said above, to which you answered
> "no" ?

no, and the reason is because you keep tying it exclusively to
pre-installation of the reader... you refuse to acknowledge the
possibility that pre-installation might be a non-sequitur in this
case... many sites that link to pdf documents link to the acrobat
reader on the same page to help the newbies and that drives user
installation rates...

>> the spammer chooses a format that will get his message into
>> as many inboxes as possible ...
>
> That, and the rest of that paragraph, is mostly obvious.
>
> I don't buy the argument that PDF spam has a "clickability" advantage
> that makes it (even slightly) more likely for the average reader to
> open it just because it's a pdf. If that were true, we would be
> seeing more executable attachments masquerading as PDF attachments.

just because it hasn't happened yet doesn't mean it won't...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
#32 |
Re: New .PDF malware (?)
Virus Guy <Virus@Guy.com> wrote in news:46C5A627.95A23F@Guy.com:
> kurt wismer wrote:
>
>> >>> How many mass-market PC's (Dell, Gateway, etc) come with
>> >>> Acrobat installed? (just wondering)
>
>> >> acrobat is a program that *A LOT* of people install after
>> >> getting their computers
>
>> > No shit sherlock. That's not the answer to my question.
>
>> because the question illustrates what emerson ....
>
> The question stands on its own and is separate from the implications
> of its answer.
>
>> foolish consistency...
>
> Which you exhibit constantly.
>
>> and the point i'm making is that acrobat is virtually standard
>> *in spite* of not necessarily coming pre-installed...
>
> PDF's are still an ergonomically poor way to convey spam payload given
> the lack of automatic rendering. They may be in use now because the
> PDF format is somewhat proprietary. Commercial server and client-side
> filter software may not have permission or the license from Adobe to
> implement PDF decoding routines that are necessary for content
> inspection (but you would think it would be in Adobe's best interest
> to provide it to them gratis).

Actually, there are various open source pdf readers and writers. Adobe
has no licensing issues with this as far as I know. They wanted pdf to
be adopted, and so it has.

>> spammers have always had a poor penetration rate with their
>> advertisements... if the new obfuscation reduces it they'll
>> just do what they've always done - make it up on volume...
>
> Volume is not necessarily something they can increase whenever they
> want. Presumably they are always operating at 100% of their volume
> capability anyways.

Bad assumption. Network congestion, etc. may play a big role in it. I
don't know anybody who runs the server/bandwidth trunk at max fulltime.

>> > DNSRBL's do exactly that. They blacklist IP addresses.
>> > Individual IP addresses.
>>
>> yeah, that's real useful in the dynamic ip world of home
>> users where most zombies are found...
>
> If you want to run an RBL that people will use and trust not to give
> them false positives, you have no choice but to track spam sources at
> the individual IP level. I believe that there are RBL's that will
> return the status of an IP (whether it lies in a static or dynamic
> range assignment, or whether it belongs to a residential ISP) which a
> mail server can use as the basis to block mail from said IP.

However, the mail server can be given the wrong information. The IP
isn't set in stone. Case in point, a mail server I run here strips all
originating IP's when you send a message thru it. Various others may be
set up in a similar fashion. If anything, you'd get the server's IP, not
that of its users.

>> >> isp's try to stomp out the zombies on their networks
>> >
>> > These days, few if any ISP's do that.
>>
>> in my part of the world they do...
>
> Then why don't they block port-25 on their outbound? Why are the big
> US cable and telco providers of residential internet service still the
> biggest sources of trojanized spam bots? If they don't block port-25,

What gives them or you the right to block outbound ports? I'm paying for
unlimited access. If I want to run a server, I will. Various ISPs allow
this. The reason so many residential machines are the trojanized spam
bots is due to the sheer amount of ignorant users who for whatever
reason, won't heed the advice that's been offered for years. If I caught
my ISP blocking any of my incoming/outgoing connections, I'd drop them
in a heartbeat; and they know it. If I was on dialup, I'd have no real
need to run a server. But I'm on broadband, and I don't need broadband
just to surf the web or download things. I use it for work as well. I
like highspeed access to my network at home from anywhere I might happen
to be, and that requires outbound communication. If you let them start
blocking port 25 to protect users, they might start blocking other
commonly used ports to "protect users". I.e., your yahoo client no
longer works, but your msn one does. This wouldn't be good for anybody.

> why can't they at least detect spam runs as they happen, and put rate
> limits on them? Why can't they detect a spam run in progress by
> looking for inordinate amounts of MX lookups being made by an infected
> customer?

How can they tell the difference between a spam bot, or an email server
processing a large legitimate mailing list?

> What exactly does a given ISP do when they learn about spam being
> emitted by one of their several-million customers? Do they call the
> customer? Send them an e-mail? Perform an on-site service call?
> Please explain what happens in your part of the world.

The ISP here doesn't do very much. They will send you an email to your
isp email account; that hardly anyone actually sets up to use. If the
problem isn't resolved, your cable modem goes down and you wind up
calling them to see what the problem is. At that point, they tell you
your computer has a problem and it has to be checked out by a
technician/store and then you have to show them you had this done. Then
they turn your connection back on. They do not attempt to educate the
user so that this doesn't happen again.

As an experiment, 1 year ago, I had a computer here ping flood a machine
at another site for over 4 days before the cable co noticed this.
Luckily I had permission to do this, but that's just an example of how
concerned they are.

--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: bughunter.dustin@gmail.com.removethis
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
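The exchange above mentions RBLs that report whether an IP sits in a static, dynamic or residential range, and the caveat that a relay may hide the originating IP. The following is an added example (not code from any poster) showing how a receiving mail server actually asks a DNS-based blocklist about the peer that just connected, and how it reads the answer. The zone name and the 127.0.0.x return-code meanings are this example's reading of the Spamhaus ZEN/PBL public documentation and should be treated as assumptions to re-check; the resolver is injected so the code runs offline against a constructed answer table instead of live DNS.

```python
"""DNSBL lookup for an SMTP peer address, with offline test data."""
import ipaddress
import socket
from typing import Callable, Dict, Optional

DNSBL_ZONE = "zen.spamhaus.org"  # assumed zone; every DNSBL uses the same reversed-octet scheme

# Assumed return-code map: a listed IP resolves to a 127.0.0.x address whose
# last octet encodes why it is listed.  PBL (.10/.11) is the "this is a
# dynamic / end-user range that should not send mail directly" signal.
RETURN_CODES = {
    "127.0.0.2": "SBL: known spam source",
    "127.0.0.3": "CSS: low-reputation / snowshoe source",
    "127.0.0.4": "XBL: exploited host (bot, open proxy)",
    "127.0.0.5": "XBL: exploited host",
    "127.0.0.6": "XBL: exploited host",
    "127.0.0.7": "XBL: exploited host",
    "127.0.0.10": "PBL: ISP-declared dynamic/end-user range",
    "127.0.0.11": "PBL: Spamhaus-declared dynamic/end-user range",
}


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """203.0.113.7 -> 7.113.0.203.zen.spamhaus.org (octets reversed)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


Resolver = Callable[[str], Optional[str]]


def live_resolver(name: str) -> Optional[str]:
    """Real A-record lookup. NXDOMAIN (gaierror) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify(ip: str, resolve: Resolver = live_resolver) -> Dict[str, object]:
    """Decide whether to reject a direct SMTP connection from `ip`.

    Only the TCP peer address is consulted. Received: headers are not used,
    because a relay can strip or forge them (the point made in the post).
    """
    name = dnsbl_query_name(ip)
    answer = resolve(name)
    result: Dict[str, object] = {"ip": ip, "query": name, "listed": False,
                                 "reason": None, "reject": False}
    if answer is None:
        return result
    # A DNSBL always answers inside 127.0.0.0/8. Anything else means the
    # resolver is lying (e.g. an ISP that wildcards NXDOMAIN to a search
    # page) and must never be treated as a listing.
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        result["reason"] = f"bogus answer {answer}; resolver unreliable"
        return result
    result["listed"] = True
    result["reason"] = RETURN_CODES.get(answer, f"unknown code {answer}")
    result["reject"] = True
    return result


# Constructed offline answer table standing in for live DNS.
CONSTRUCTED_ANSWERS = {
    dnsbl_query_name("203.0.113.7"): "127.0.0.10",   # residential range (PBL)
    dnsbl_query_name("198.51.100.20"): "127.0.0.4",  # exploited host (XBL)
    dnsbl_query_name("192.0.2.99"): "10.0.0.1",      # NXDOMAIN-hijacking resolver
}


def constructed_resolver(name: str) -> Optional[str]:
    return CONSTRUCTED_ANSWERS.get(name)


if __name__ == "__main__":
    for peer in ("203.0.113.7", "198.51.100.20", "192.0.2.99", "192.0.2.1"):
        print(classify(peer, constructed_resolver))
```

A PBL hit says "policy forbids direct mail from here", not "this host is a bot"; a server that also accepts authenticated submission on port 587 would skip the check for authenticated sessions rather than whitelist the range.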
#33 |
Re: New .PDF malware (?)
Virus Guy <Virus@Guy.com> wrote in news:46C8676A.F67502BF@Guy.com:
> Fenton wrote:
>
>> I'm pretty certain the PDF specification is open to the public.
>
> But do AV vendors have the ability to incorporate PDF decoding
> routines into their software without paying Adobe for a license fee?
>

I'm sure they do. The format is open, anybody can write a util to
read/write the file. Do a google search sometime, you might learn a
thing or two.

--
Dustin Cook
#34 |
Re: New .PDF malware (?)
Leythos <void@nowhere.lan> wrote in
news:MPG.2133b08e8e32469f98992b@adfree.Usenet.com:

> In article <Hhlyi.38215$pu2.31654@bignews1.bellsouth.net>,
> jen@example.com says...
>> "Virus Guy" <Virus@Guy.com> wrote in message
>> news:46C8FED8.193F48A8@Guy.com...
>> > Leythos wrote:
>> >> Our email filtering system, GFI Mail Essentials and Security
>> >> catches the malware in them, and they don't appear to be
>> >> licensed with Adobe.
>> > Perhaps the recent PDF malware can be detected without implementing a
>> > complete PDF decoding/rendering engine.
>>
>> The recent PDF SPAM run is *not* malware. It's just *SPAM*...
>
> Then you're just not seeing it with the tools you have. I've seen plenty
> listed as Generic.Peed.Eml by several products.
>
> And if you examine the file, it's not really a pdf at all; It's a renamed executable.

--
Dustin Cook
#35 |
Re: New .PDF malware (?)
Virus Guy <Virus@Guy.com> wrote in news:46CA1D2C.611A6565@Guy.com:
> Leythos wrote:
>
>>>>>> Perhaps the recent PDF malware can be detected without
>>>>>> implementing a complete PDF decoding/rendering engine.
>
>>>>> The recent PDF SPAM run is *not* malware. It's just *SPAM*...
>
>>>> Then you're just not seeing it with the tools you have. I've
>>>> seen plenty listed as Generic.Peed.Eml by several products.
>
>>> Don't you mean detected only by BitDefender(as generic)?.
>>> Probably FP... Did you submit them to any other AV companies?
>>> Virus Total? Jotti?
>>> Recent change in Stock-Spam Tactics (PDF and excel):
>>> http://isc.sans.org/diary.html?storyid=3177
>
> The PDF examples I've seen from a week or two ago were for Chinese
> stocks - which is strange given that the spam was in english (text,
> not image-based). You'd think that the target audience for chinese
> stock spam would be Asia (if not china/hongkong/taiwan) and would have
> been in kanji.
>
> "This group appears to target German stock market."
>
> So was the spam in English, or German?
>
> "You have also likely noted their shift in tactics from a simple
> text message in the PDF over to encoded images in the PDF (to
> foil pdf2text-like tools, I presume.)"
>
> Why the reference to "pdf2text" converter tools?
>
> A statement like that raises the question as to whether or not the PDF
> format is proprietary, even from an exploit or spam-detection point of
> view.

Cripes...

http://www.adobe.com/products/acrobat/adobepdf.html

Now quit saying it's proprietary.

--
Dustin Cook
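Two concrete observations sit in the posts above: a ".pdf" attachment that is really a renamed executable (#34), and genuine PDFs whose payload has moved from text to an embedded image so that pdf2text-style extraction finds nothing (#35). The following is an added example (mine, not code from any poster or from the quoted ISC diary) of a byte-level triage that a mail filter can run on such an attachment without a full PDF rendering engine: it trusts the magic bytes rather than the extension, inflates FlateDecode streams so text operators hidden by compression stay visible, and then asks whether the page draws text, only images, or carries active content. The sample files are constructed inline (minimal PDFs with no xref table, enough for byte inspection but not for a real viewer); the verdict names and thresholds are this example's own.

```python
"""Triage of a mail attachment claiming to be a PDF, from raw bytes only."""
import re
import zlib
from typing import Dict

PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"

# Text-showing operators inside a page content stream, image XObjects,
# stream filters, and active-content keys a filter should flag.
TEXT_OPS = re.compile(rb"\)\s*Tj\b|\]\s*TJ\b")
IMAGE_XOBJ = re.compile(rb"/Subtype\s*/Image\b")
FILTERS = re.compile(rb"/Filter\s*/(\w+)")
ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|Launch)\b")
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def sniff(data: bytes) -> str:
    """Classify by content, never by filename."""
    head = data[:1024]  # the spec tolerates junk before %PDF- within the first 1 KiB
    if head.startswith(PE_MAGIC):
        return "pe-executable"
    if PDF_MAGIC in head:
        return "pdf"
    return "unknown"


def visible_bytes(data: bytes) -> bytes:
    """The file plus every stream body, with FlateDecode bodies inflated so
    that content-stream operators hidden by compression become searchable."""
    parts = [data]
    for m in STREAM.finditer(data):
        body = m.group(1)
        try:
            parts.append(zlib.decompress(body))
        except zlib.error:
            parts.append(body)  # raw or non-Flate stream: search it as-is
    return b"\n".join(parts)


def triage(filename: str, data: bytes) -> Dict[str, object]:
    kind = sniff(data)
    result: Dict[str, object] = {"file": filename, "sniffed": kind}
    if kind == "pe-executable":
        claims_pdf = filename.lower().endswith(".pdf")
        result["verdict"] = "renamed-executable" if claims_pdf else "executable"
        return result
    if kind != "pdf":
        result["verdict"] = "not-pdf"
        return result
    view = visible_bytes(data)
    result["text_ops"] = len(TEXT_OPS.findall(view))
    result["image_xobjects"] = len(IMAGE_XOBJ.findall(view))
    result["filters"] = sorted({f.decode() for f in FILTERS.findall(view)})
    result["active_content"] = bool(ACTIVE.search(view))
    if result["active_content"]:
        result["verdict"] = "active-content-pdf"
    elif result["text_ops"] == 0 and result["image_xobjects"] > 0:
        result["verdict"] = "image-only-pdf"  # the shape that defeats pdf2text
    else:
        result["verdict"] = "text-pdf"
    return result


# ---- constructed samples (no xref table; byte-level inspection only) ----
def build_pdf(content: bytes, extra_objects: bytes = b"", compress: bool = False) -> bytes:
    body = zlib.compress(content) if compress else content
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
            b"4 0 obj << " + filt + b"/Length %d >>\nstream\n" % len(body)
            + body + b"\nendstream\nendobj\n" + extra_objects
            + b"trailer << /Root 1 0 R >>\n%%EOF\n")


TEXT_SPAM = build_pdf(b"BT /F1 12 Tf 72 700 Td (Buy XYZ shares now) Tj ET", compress=True)
IMAGE_SPAM = build_pdf(
    b"q 200 0 0 100 72 600 cm /Im0 Do Q",
    extra_objects=b"5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 "
                  b"/ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >>\n"
                  b"stream\n\x00\nendstream\nendobj\n")
FAKE_PDF = b"MZ\x90\x00" + b"\x00" * 56 + b"This program cannot be run in DOS mode.\r\n"

if __name__ == "__main__":
    for name, blob in (("report.pdf", TEXT_SPAM), ("stock.pdf", IMAGE_SPAM),
                       ("invoice.pdf", FAKE_PDF)):
        print(triage(name, blob))
```

The image-only verdict is a heuristic, not proof of spam: a scanned invoice has the same shape. Its value is as a routing signal, sending such files to OCR or to a stricter reputation check rather than to a text-only classifier that would see an empty document.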
#36 |
Re: New .PDF malware (?)
Virus Guy <Virus@Guy.com> wrote in news:46C5A627.95A23F@Guy.com:
> kurt wismer wrote:
>
>> >>> How many mass-market PC's (Dell, Gateway, etc) come with
>> >>> Acrobat installed? (just wondering)
>
>> >> acrobat is a program that *A LOT* of people install after
>> >> getting their computers
>
>> > No shit sherlock. That's not the answer to my question.
>
>> because the question illustrates what emerson ....
>
> The question stands on its own and is separate from the implications
> of its answer.
>
>> foolish consistency...
>
> Which you exhibit constantly.
>
>> and the point i'm making is that acrobat is virtually standard
>> *in spite* of not necessarily coming pre-installed...
>
> PDF's are still an ergonomically poor way to convey spam payload given
> the lack of automatic rendering. They may be in use now because the
> PDF format is somewhat proprietary. Commercial server and client-side
> filter software may not have permission or the license from Adobe to
> implement PDF decoding routines that are necessary for content
> inspection (but you would think it would be in Adobe's best interest
> to provide it to them gratis).
>
>> spammers have always had a poor penetration rate with their
>> advertisements... if the new obfuscation reduces it they'll
>> just do what they've always done - make it up on volume...
>
> Volume is not necessarily something they can increase whenever they
> want. Presumably they are always operating at 100% of their volume
> capability anyways.
>
>> > DNSRBL's do exactly that. They blacklist IP addresses.
>> > Individual IP addresses.
>>
>> yeah, that's real useful in the dynamic ip world of home
>> users where most zombies are found...
>
> If you want to run an RBL that people will use and trust not to give
> them false positives, you have no choice but to track spam sources at
> the individual IP level. I believe that there are RBL's that will
> return the status of an IP (whether it lies in a static or dynamic
> range assignment, or whether it belongs to a residential ISP) which a
> mail server can use as the basis to block mail from said IP.
>
>> >> isp's try to stomp out the zombies on their networks
>> >
>> > These days, few if any ISP's do that.
>>
>> in my part of the world they do...
>
> Then why don't they block port-25 on their outbound? Why are the big
> US cable and telco providers of residential internet service still the
> biggest sources of trojanized spam bots? If they don't block port-25,

Where do you get this information from? Much spam I find isn't from the
usa at all.

--
Dustin Cook
#37 |
Re: New .PDF malware (?)
On Aug 19, 2007, Virus Guy wrote:
> Fenton wrote:
>
>> I'm pretty certain the PDF specification is open to the public.
>
> But do AV vendors have the ability to incorporate PDF decoding
> routines into their software without paying Adobe for a license fee?

Yes.
#38 |
Re: New .PDF malware (?)
On Aug 21, 2007, Virus Guy wrote:
> What browser has the option of rendering PDF files "in-line" ?
>

Safari for Macintosh, at least.
#39 |
Re: New .PDF malware (?)
On Aug 22, 2007, kurt wismer wrote:
>> I'm trying to point out to you that PDF code or PDF files are not
>> automatically rendered in-line as a component of a web page and that
>> they must be clicked on by the user in order to be rendered. That
>> they can THEN be rendered within the browser by a plugin is
>> irrelevant.
>
> that pdf links have to be clicked on before the pdf can be rendered is
> just as irrelevant... i have to click on links to websites to get them
> to render too, so there is no difference from a user's perspective...
>

I think Virus Guy was trying to say this: Sure there is, because you
can't wrap anything around it. One click can take you to a page with
text and an image ... OR a link to a PDF that opens in its own "page"
... but you can't single-click to a page with text and have a PDF
appear on that page. You might have a link to a PDF, but not the PDF
itself.

Then, Kurt said well, you gotta click anyway....

But both of you are wrong, of sorts: You can indeed embed a PDF. It's
just that no one does it, and some browsers show you only the first
page.
#40 |
Re: New .PDF malware (?)
sorry for the late reply, i haven't been giving myself a lot of time to
do much outside of home reno...

Fenton wrote:
> On Aug 22, 2007, kurt wismer wrote:
>>> I'm trying to point out to you that PDF code or PDF files are not
>>> automatically rendered in-line as a component of a web page and that
>>> they must be clicked on by the user in order to be rendered. That
>>> they can THEN be rendered within the browser by a plugin is
>>> irrelevant.
>> that pdf links have to be clicked on before the pdf can be rendered is
>> just as irrelevant... i have to click on links to websites to get them
>> to render too, so there is no difference from a user's perspective...
>>
>
> I think Virus Guy was trying to say this: Sure there is, because you can't
> wrap anything around it. One click can take you to a page with text and an
> image ... OR a link to a PDF that opens in its own "page" ... but you can't
> single-click to a page with text and have a PDF appear on that page. You
> might have a link to a PDF, but not the PDF itself.

not to put too fine a point on it, but the user doesn't know anything
about wrapping content around other content... you're thinking like a
developer...

> Then, Kurt said well, you gotta click anyway....
>
> But both of you are wrong, of sorts: You can indeed embed a PDF. It's just
> that no one does it, and some browsers show you only the first page.

you'd still have to click on a link to take you to the page where it's
embedded...