Re: PDF files containing executables?

2016-03-03 Thread John Hardin

On Thu, 3 Mar 2016, David B Funk wrote:

> On Thu, 3 Mar 2016, John Hardin wrote:
>
> > On Thu, 3 Mar 2016, Dianne Skoll wrote:
> >
> > > However, many legitimate PDF files contain Javascript snippets.
> > > Blocking solely on that basis will lead to many FPs.
> >
> > I'd argue the "legitimate" part of that statement... :)
>
> Many editable PDF forms use javascript for input validation, like most of the
> PDF forms you can download from irs.gov. (I'm not going to get in an argument
> with you about how "legitimate" the IRS is ;)

That's about the only legitimate use I can think of, and surely that can
be done by less than a full programming language.

> > Sounds to me like it should be: block any PDF with javascript/flash/java
> > with whitelisted bypass.
> >
> > What sane MTA accepts bare executable attachments from the Internet at
> > large any more? The same policy should apply to PDFs.
>
> Don't tell me you've never seen HTML e-mail with embedded javascript?

Seen it? Yes. Defang it? Also yes.

> Some content creators think that e-mail should be a full-fledged HTML page.

/me kicks sigmonster...


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  End users want eye candy and the "ooo's and hhh's" experience
  when reading mail. To them email isn't a tool, but an entertainment
  form. -- Steve Lake
---
 10 days until Albert Einstein's 137th Birthday


Re: PDF files containing executables?

2016-03-03 Thread David B Funk

On Thu, 3 Mar 2016, John Hardin wrote:

> On Thu, 3 Mar 2016, Dianne Skoll wrote:
>
> > On Thu, 3 Mar 2016 13:03:44 -0800
> > Marc Perkel wrote:
> >
> > > Thanks for the response. I'm in the spam filtering business and I'm
> > > wondering what I can use (from the command line?) to detect if a PDF
> > > has any kind of script attached that would be executable. that way I
> > > might block based on what's embedded in a PDF.
> >
> > There are tools.  Google is your friend.
> >
> > However, many legitimate PDF files contain Javascript snippets.  Blocking
> > solely on that basis will lead to many FPs.
>
> I'd argue the "legitimate" part of that statement... :)

Many editable PDF forms use javascript for input validation, like most of the
PDF forms you can download from irs.gov. (I'm not going to get in an argument
with you about how "legitimate" the IRS is ;)

> Sounds to me like it should be: block any PDF with javascript/flash/java with
> whitelisted bypass.
>
> What sane MTA accepts bare executable attachments from the Internet at large
> any more? The same policy should apply to PDFs.

Don't tell me you've never seen HTML e-mail with embedded javascript?
Some content creators think that e-mail should be a full-fledged HTML page.

--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: PDF files containing executables?

2016-03-03 Thread David B Funk

On Thu, 3 Mar 2016, Dianne Skoll wrote:

> On Thu, 3 Mar 2016 13:27:18 -0800 (PST)
> John Hardin wrote:
>
> [Dianne Skoll]
>
> > > However, many legitimate PDF files contain Javascript snippets.
> > > Blocking solely on that basis will lead to many FPs.
> >
> > I'd argue the "legitimate" part of that statement... :)
>
> Well, maybe, but I think you'd lose that argument if you had to provide
> service to the clients we do.
>
> > Sounds to me like it should be: block any PDF with
> > javascript/flash/java with whitelisted bypass.
>
> If we did that, we'd have hundreds of support tickets pouring in... trust
> me on this.  At least wrt Javascript.  Not sure about Flash and I had no
> idea Java could be embedded in PDF... are you sure that's even possible?

I didn't think that a pure ".exe" could be embedded in PDF until I ran across
this little gem: http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
(not sure if that vulnerability is still there, but people hang onto old systems
for a looong time...)


--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: PDF files containing executables?

2016-03-03 Thread Reindl Harald



On 03.03.2016 at 23:17, Benny Pedersen wrote:

> Users should disable javascript or entirely remove software that supports
> stupidity

welcome to the real world






Re: PDF files containing executables?

2016-03-03 Thread Benny Pedersen

On 3. mar. 2016 21.26.05 Marc Perkel wrote:

> A customer of mine inquired about executable viruses inside of PDF
> files. Is that so? And if it is - is there any way of detecting
> executables inside of PDF?

Google harafa

You need to understand jit, each pdf file can contain a mta sending spam

Users should disable javascript or entirely remove software that supports
stupidity


Re: PDF files containing executables?

2016-03-03 Thread John Hardin

On Thu, 3 Mar 2016, John Hardin wrote:

> On Thu, 3 Mar 2016, Dianne Skoll wrote:
>
> > I had no idea Java could be embedded in PDF... are you sure that's even
> > possible?
>
> No idea either, I was just including it because it was mentioned upthread,
> and greater insanities have happened.

I'm not finding anything that specifically says Java can be embedded and
executed, but PDFs apparently do have the ability to run commands if the
user clicks OK in a dialog.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #2: Anything worth shooting is worth
  shooting twice. Ammo is cheap. Your life is expensive.
---
 10 days until Albert Einstein's 137th Birthday


Re: PDF files containing executables?

2016-03-03 Thread John Hardin

On Thu, 3 Mar 2016, Dianne Skoll wrote:

> I had no idea Java could be embedded in PDF... are you sure that's even
> possible?

No idea either, I was just including it because it was mentioned upthread,
and greater insanities have happened.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #2: Anything worth shooting is worth
  shooting twice. Ammo is cheap. Your life is expensive.
---
 10 days until Albert Einstein's 137th Birthday


Re: PDF files containing executables?

2016-03-03 Thread Marc Perkel



On 03/03/16 13:27, John Hardin wrote:

> On Thu, 3 Mar 2016, Dianne Skoll wrote:
>
> > On Thu, 3 Mar 2016 13:03:44 -0800
> > Marc Perkel wrote:
> >
> > > Thanks for the response. I'm in the spam filtering business and I'm
> > > wondering what I can use (from the command line?) to detect if a PDF
> > > has any kind of script attached that would be executable. that way I
> > > might block based on what's embedded in a PDF.
> >
> > There are tools.  Google is your friend.
> >
> > However, many legitimate PDF files contain Javascript snippets. Blocking
> > solely on that basis will lead to many FPs.
>
> I'd argue the "legitimate" part of that statement... :)
>
> Sounds to me like it should be: block any PDF with
> javascript/flash/java with whitelisted bypass.
>
> What sane MTA accepts bare executable attachments from the Internet at
> large any more? The same policy should apply to PDFs.

If I could detect java or some other executable inside a PDF then the
message would have to be white or near white before I allowed it to pass.


--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400



Re: PDF files containing executables?

2016-03-03 Thread Dianne Skoll
On Thu, 3 Mar 2016 13:27:18 -0800 (PST)
John Hardin  wrote:

[Dianne Skoll]

> > However, many legitimate PDF files contain Javascript snippets.
> > Blocking solely on that basis will lead to many FPs.

> I'd argue the "legitimate" part of that statement... :)

Well, maybe, but I think you'd lose that argument if you had to provide
service to the clients we do.

> Sounds to me like it should be: block any PDF with
> javascript/flash/java with whitelisted bypass.

If we did that, we'd have hundreds of support tickets pouring in... trust
me on this.  At least wrt Javascript.  Not sure about Flash and I had no
idea Java could be embedded in PDF... are you sure that's even possible?

Regards,

Dianne.


Re: PDF files containing executables?

2016-03-03 Thread John Hardin

On Thu, 3 Mar 2016, Dianne Skoll wrote:

> On Thu, 3 Mar 2016 13:03:44 -0800
> Marc Perkel wrote:
>
> > Thanks for the response. I'm in the spam filtering business and I'm
> > wondering what I can use (from the command line?) to detect if a PDF
> > has any kind of script attached that would be executable. that way I
> > might block based on what's embedded in a PDF.
>
> There are tools.  Google is your friend.
>
> However, many legitimate PDF files contain Javascript snippets.  Blocking
> solely on that basis will lead to many FPs.

I'd argue the "legitimate" part of that statement... :)

Sounds to me like it should be: block any PDF with javascript/flash/java
with whitelisted bypass.

What sane MTA accepts bare executable attachments from the Internet at
large any more? The same policy should apply to PDFs.



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #2: Anything worth shooting is worth
  shooting twice. Ammo is cheap. Your life is expensive.
---
 10 days until Albert Einstein's 137th Birthday


Re: PDF files containing executables?

2016-03-03 Thread Marc Perkel



On 03/03/16 13:15, Dianne Skoll wrote:

> On Thu, 3 Mar 2016 13:03:44 -0800
> Marc Perkel wrote:
>
> > Thanks for the response. I'm in the spam filtering business and I'm
> > wondering what I can use (from the command line?) to detect if a PDF
> > has any kind of script attached that would be executable. that way I
> > might block based on what's embedded in a PDF.
>
> There are tools.  Google is your friend.
>
> However, many legitimate PDF files contain Javascript snippets.  Blocking
> solely on that basis will lead to many FPs.
>
> Regards,
>
> Dianne.

In that case I'd like to know if there's java in it so that if the
message has other risk flags I can block it.


--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
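
Added example, not part of any message in this thread and not any poster's or project's code: a small command-line check that counts PDF name objects associated with active content, decoding `#xx` name escapes, so the result can be combined with a message's other risk flags instead of blocking on Javascript alone. The indicator list, the `decide` policy and the sample bytes are assumptions made for illustration; names inside compressed object streams are not visible to a raw-byte scan like this one.

```python
import re
import sys

# PDF name objects tied to active content, auto-run actions or attachments
# (assumed indicator list, chosen for this example).
INDICATORS = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
              "/EmbeddedFile", "/RichMedia")

# A PDF name is "/" followed by regular characters or #xx hex escapes.
_NAME = re.compile(rb"/(?:[^\x00\t\n\x0c\r ()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})+")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize(name: bytes) -> str:
    """Decode #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), name).decode("latin-1")

def scan_pdf(data: bytes) -> dict:
    """Count indicator names; whole-token match, so /JScript is not /JS."""
    counts = dict.fromkeys(INDICATORS, 0)
    for m in _NAME.finditer(data):
        name = normalize(m.group(0))
        if name in counts:
            counts[name] += 1
    return counts

def decide(data: bytes, other_risk_flags: int) -> str:
    """Assumed policy: active content alone only adds score (avoids FPs on
    form PDFs); combined with other risk flags on the message, block."""
    if not any(scan_pdf(data).values()):
        return "pass"
    return "block" if other_risk_flags > 0 else "score"

# Constructed sample bytes (not real documents).
PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
ACTIVE = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
          b"3 0 obj\n<< /S /J#61vaScript /JS 4 0 R /JScript 0 >>\nendobj\n")

if __name__ == "__main__":
    # Usage: python scan.py file1.pdf file2.pdf ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = {k: v for k, v in scan_pdf(fh.read()).items() if v}
        print(path, hits or "no active-content names")
```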



Re: PDF files containing executables?

2016-03-03 Thread Dianne Skoll
On Thu, 3 Mar 2016 13:03:44 -0800
Marc Perkel  wrote:

> Thanks for the response. I'm in the spam filtering business and I'm 
> wondering what I can use (from the command line?) to detect if a PDF
> has any kind of script attached that would be executable. that way I
> might block based on what's embedded in a PDF.

There are tools.  Google is your friend.

However, many legitimate PDF files contain Javascript snippets.  Blocking
solely on that basis will lead to many FPs.

Regards,

Dianne.


RE: PDF files containing executables?

2016-03-03 Thread Kevin Miller
Not sure about viruses per se, but I know that there have been instances of 
embedded javascript in .pdf files which have been malicious.

Javascript can be turned off in Acrobat preferences.  Likely a toggle in other 
.pdf readers as well.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357


-Original Message-
From: Marc Perkel [mailto:supp...@junkemailfilter.com] 
Sent: Thursday, March 03, 2016 11:26 AM
To: users@spamassassin.apache.org
Subject: PDF files containing executables?

A customer of mine inquired about executable viruses inside of PDF files. Is 
that so? And if it is - is there any way of detecting executables inside of PDF?

--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400



Re: PDF files containing executables?

2016-03-03 Thread Marc Perkel



On 03/03/16 13:02, David B Funk wrote:

> On Thu, 3 Mar 2016, Marc Perkel wrote:
>
> > A customer of mine inquired about executable viruses inside of PDF
> > files. Is that so? And if it is - is there any way of detecting
> > executables inside of PDF?
>
> I don't know that PDFs can contain classical ".exe" type executables but they
> can clearly contain 'active content' (javascript, flash, etc) which can be
> abused as a malware delivery vehicle.
> So for practical purposes PDFs can be considered potential virus containers.
>
> AV scanners have rules for detecting malware inside PDFs but that's
> always a catch-up game.

Hi David,

Is there a way to detect any executable code so that I can just block
all PDF files with executables?


--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400



Re: PDF files containing executables?

2016-03-03 Thread Matthias Leisi


> Thanks for the response. I'm in the spam filtering business and I'm wondering 
> what I can use (from the command line?) to detect if a PDF has any kind of

ClamAV?

— Matthias

Re: PDF files containing executables?

2016-03-03 Thread Marc Perkel

Hi Kevin,

Thanks for the response. I'm in the spam filtering business and I'm 
wondering what I can use (from the command line?) to detect if a PDF has 
any kind of script attached that would be executable. that way I might 
block based on what's embedded in a PDF.


On 03/03/16 12:59, Kevin Miller wrote:

> Not sure about viruses per se, but I know that there have been instances of
> embedded javascript in .pdf files which have been malicious.
>
> Javascript can be turned off in Acrobat preferences.  Likely a toggle in other
> .pdf readers as well.
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357
>
> -Original Message-
> From: Marc Perkel [mailto:supp...@junkemailfilter.com]
> Sent: Thursday, March 03, 2016 11:26 AM
> To: users@spamassassin.apache.org
> Subject: PDF files containing executables?
>
> A customer of mine inquired about executable viruses inside of PDF files. Is
> that so? And if it is - is there any way of detecting executables inside of PDF?
>
> --
> Marc Perkel - Sales/Support
> supp...@junkemailfilter.com
> http://www.junkemailfilter.com
> Junk Email Filter dot com
> 415-992-3400



--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400



Re: PDF files containing executables?

2016-03-03 Thread David B Funk

On Thu, 3 Mar 2016, Marc Perkel wrote:

> A customer of mine inquired about executable viruses inside of PDF files. Is
> that so? And if it is - is there any way of detecting executables inside of
> PDF?

I don't know that PDFs can contain classical ".exe" type executables but they
can clearly contain 'active content' (javascript, flash, etc) which can be
abused as a malware delivery vehicle.
So for practical purposes PDFs can be considered potential virus containers.

AV scanners have rules for detecting malware inside PDFs but that's always a
catch-up game.


--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


PDF files containing executables?

2016-03-03 Thread Marc Perkel
A customer of mine inquired about executable viruses inside of PDF 
files. Is that so? And if it is - is there any way of detecting 
executables inside of PDF?


--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400



Re: PDF files containing executables?

2016-03-03 Thread Reindl Harald



On 03.03.2016 at 21:25, Marc Perkel wrote:

> A customer of mine inquired about executable viruses inside of PDF
> files. Is that so? And if it is - is there any way of detecting
> executables inside of PDF?

when it's a job for clamav


