Spammers use modified PDF files to bypass detection
By John Pospisil
In the continuing effort to get more spam past email filters, professional spammers are not only stepping up their use of PDF attachments to deliver their offers of penile implants and cheap pharmaceuticals, but are also modifying the files themselves to avoid detection. Worse yet, Mark Sunner, chief security analyst at MessageLabs, has suggested that PDF attachments might soon be used by spammers to deliver malware.
“Though PDF files have traditionally been a trusted type of email attachment, we are beginning to see an increase in use for sinister activity,” said Sunner.
“With a nearly 10 percent increase in malware [in July], we believe this threat could become more malicious with the potential for spammers to embed malware in the PDFs, which would be automatically downloaded to the victim’s computer.”
According to MessageLabs, approximately 20% of all image spam now involves PDFs. MessageLabs has identified two types of PDF spammer:
- Simple/Amateur: These spammers craft PDF documents using ordinary tools like Microsoft Word and use the same PDF for the entire spam run.
- Professional: More sophisticated spammers who attach a different PDF to every spam. Each PDF is randomized and usually not text-based. Instead, these spammers insert randomized images into PDF documents as well as use other tactics such as random page sizes.
In some of the most recent examples tracked by MessageLabs, the PDF documents were created programmatically with document protection settings enabled. Because PDF protection is implemented by encrypting the document's streams and strings, a scanner that does not decrypt the file sees only ciphertext, which makes the spam more likely to bypass typical anti-spam scanners.
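A practitioner reading this would want a first-pass check for the traits described above: protection enabled, image-only pages and random page sizes. The following is an added example, not MessageLabs' or the article author's code. It scans the raw bytes of two constructed PDF fragments (not real spam samples) and assumes the objects are not packed into compressed object streams, which a production filter would handle with a real PDF parser rather than a byte scan.

```python
import re

# Two constructed PDF fragments (not real samples from MessageLabs): enough
# structure for the byte-level heuristics below, not necessarily files a viewer
# would render. The encryption dictionary strings and the JPEG are stubbed.
TEXT_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Resources << /Font << /F1 4 0 R >> >> /Contents 5 0 R >> endobj
4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
5 0 obj << /Length 47 >> stream
BT /F1 12 Tf 72 720 Td (Quarterly report) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

IMAGE_SPAM_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 437 611]
   /Resources << /XObject << /Im0 4 0 R >> >> /Contents 5 0 R >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Width 400 /Height 580
   /ColorSpace /DeviceRGB /BitsPerComponent 8 /Filter /DCTDecode /Length 4 >> stream
\xff\xd8\xff\xd9
endstream endobj
5 0 obj << /Length 31 >> stream
q 437 0 0 611 0 0 cm /Im0 Do Q
endstream endobj
6 0 obj << /Filter /Standard /V 1 /R 2 /O <00> /U <00> /P -3904 >> endobj
trailer << /Root 1 0 R /Encrypt 6 0 R >>
%%EOF
"""

KNOWN_PAGE_SIZES = {          # width x height in PostScript points (72 pt = 1 in)
    "letter": (612, 792),
    "legal": (612, 1008),
    "a4": (595, 842),
    "a3": (842, 1191),
}

MEDIABOX = re.compile(
    rb"/MediaBox\s*\[\s*([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s*\]")


def is_standard_size(size, tol=3):
    """True if (width, height) matches a known paper size in either orientation."""
    w, h = size
    return any(
        (abs(w - sw) <= tol and abs(h - sh) <= tol)
        or (abs(w - sh) <= tol and abs(h - sw) <= tol)
        for sw, sh in KNOWN_PAGE_SIZES.values()
    )


def pdf_indicators(data):
    """Byte-level indicators. Assumes objects are not inside compressed object
    streams (PDF 1.5+), which would hide these dictionaries from a raw scan."""
    sizes = []
    for box in MEDIABOX.findall(data):
        x1, y1, x2, y2 = (float(v.decode()) for v in box)
        sizes.append((round(x2 - x1), round(y2 - y1)))
    return {
        "encrypted": re.search(rb"/Encrypt\b", data) is not None,
        "images": len(re.findall(rb"/Subtype\s*/Image\b", data)),
        "fonts": len(re.findall(rb"/Type\s*/Font\b", data)),
        "text_ops": len(re.findall(rb"\bBT\b", data)),   # BT begins a text object
        "page_sizes": sizes,
        "odd_page_sizes": [s for s in sizes if not is_standard_size(s)],
    }


def triage(data):
    """Flag a PDF attachment showing the traits MessageLabs described."""
    ind = pdf_indicators(data)
    reasons = []
    if ind["encrypted"]:
        reasons.append("encrypted: filter cannot read the content without decrypting")
    if ind["images"] and not ind["fonts"] and not ind["text_ops"]:
        reasons.append("image-only page with no fonts or text operators")
    if ind["odd_page_sizes"]:
        reasons.append("non-standard page size(s): %r" % ind["odd_page_sizes"])
    ind["reasons"] = reasons
    ind["suspicious"] = bool(reasons)
    return ind


if __name__ == "__main__":
    for name, blob in (("text", TEXT_PDF), ("image spam", IMAGE_SPAM_PDF)):
        result = triage(blob)
        print(name, "suspicious" if result["suspicious"] else "clean", result["reasons"])
```

An encrypted flag on its own is not proof of spam, since legitimate senders protect documents too; the useful policy is to decrypt with the empty user password (which the standard security handler allows) and scan the content, and to quarantine only when that fails or when the other indicators stack up.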
MessageLabs also noted that the PDFs still contained “Bayes poison”: long lists of randomly selected words that are unlikely to appear in a normal spam message, added to dilute the spam-indicative tokens and so evade Bayesian spam filtering.
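To see why Bayes poison works, and what limits it, here is an added example (not from the article or MessageLabs) of a Graham-style naive Bayes filter trained on a small constructed corpus. It scores a spam message, then the same message padded with a constructed list of filler words the filter has never seen, and then the padded message again when only the 15 most decisive tokens are counted, which is the usual defence. The training messages, the 0.4 probability assigned to unseen tokens and the filler word list are all assumptions made for the demonstration.

```python
import math
import re
from collections import Counter

# Constructed training corpus (not MessageLabs data): four spam and four ham
# messages, enough to give the filter a vocabulary to reason with.
SPAM = [
    "cheap pills online pharmacy discount viagra",
    "buy cheap pharmacy meds discount shipping",
    "discount pills viagra cheap online order",
    "online pharmacy cheap meds viagra pills",
]
HAM = [
    "meeting tomorrow about the project schedule",
    "please review the quarterly report before lunch",
    "lunch with the team after the project meeting",
    "schedule the review of the report for tomorrow",
]

SAMPLE_SPAM = "cheap viagra pills from our online pharmacy"

# Constructed Bayes poison: 60 filler words the filter never saw in training.
POISON = (
    "apple bridge candle desert engine forest garden harbor island jacket "
    "kettle ladder marble needle orange pepper quarry ribbon saddle tunnel "
    "umbrella violin walnut yellow zipper anchor basket cactus dolphin eagle "
    "falcon glacier hammer igloo jungle kayak lantern meadow nectar oyster "
    "parrot quartz rocket spider turtle unicorn velvet willow xylophone yogurt "
    "zebra acorn beacon canyon donkey ember feather gravel helmet iron"
)

UNKNOWN_P = 0.4   # assumed probability for a token never seen in training


def tokenize(text):
    return set(re.findall(r"[a-z]+", text.lower()))


def train(spam, ham):
    """Per-token spam probability: fraction of spam messages containing the
    token versus fraction of ham messages, clamped to [0.01, 0.99]."""
    in_spam = Counter(w for m in spam for w in tokenize(m))
    in_ham = Counter(w for m in ham for w in tokenize(m))
    probs = {}
    for w in set(in_spam) | set(in_ham):
        b = in_spam[w] / len(spam)
        g = in_ham[w] / len(ham)
        probs[w] = min(0.99, max(0.01, b / (b + g)))
    return probs


def spam_probability(text, probs, top_k=None):
    """Combine token probabilities naive-Bayes style in log space. With top_k,
    only the tokens furthest from 0.5 are used, so neutral filler is ignored."""
    ps = [probs.get(w, UNKNOWN_P) for w in tokenize(text)]
    if top_k is not None:
        ps = sorted(ps, key=lambda p: abs(p - 0.5), reverse=True)[:top_k]
    log_spam = sum(math.log(p) for p in ps)
    log_ham = sum(math.log(1 - p) for p in ps)
    return 1 / (1 + math.exp(log_ham - log_spam))


def demo():
    """Scores for the clean spam, the poisoned spam, and the poisoned spam
    under top-15 token selection, plus the share of never-seen tokens."""
    probs = train(SPAM, HAM)
    poisoned = SAMPLE_SPAM + " " + POISON
    tokens = tokenize(poisoned)
    return {
        "spam_all_tokens": spam_probability(SAMPLE_SPAM, probs),
        "poisoned_all_tokens": spam_probability(poisoned, probs),
        "poisoned_top15": spam_probability(poisoned, probs, top_k=15),
        "unknown_fraction": sum(w not in probs for w in tokens) / len(tokens),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} {value:.3f}")
```

The dilution only works against a filter that multiplies every token's probability in: each unseen word nudges the odds toward ham, and enough of them flip the verdict. A filter that scores only the most decisive tokens treats the filler as noise and still catches the message. Filler drawn from strongly ham-associated vocabulary would pull the score down even then, which is why a message whose tokens are mostly unknown to the filter is itself worth flagging.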
August 4th, 2007
Didn’t the FBI say they were going to be busting the bot-herders controlling the bots which are sending nearly all this American scam spam? Just like the “You CAN Spam” “law” was going to control the spam problem, starting at the beginning of 2004. American criminal spammers control the internet, and the US government is going to continue doing essentially nothing about it.