Re: Re: email attack vector just got wider

[Micheal Espinola Jr <michealespinola () gmail com>]

Right, but do the AV vendors recognize an encrypted/password-protected PDF - 
like the would/could a compressed archive (ZIP, etc) ?
 I haven't seen any that can. I'm using Symantec 9, and I'd be interested to 
know if anyone is using a competitor that addresses this issue directly.
 Thanks,

 On 4/26/05, Randall M <randallm () fidmail com> wrote: 
> Just my 2cents worth. About the only defense is using programs such as 
> MailSecurity to block and alert when anything is encrypted or password 
> protected.
>   
> thank you 
> Randall M 
>
> "If we ever forget that we're one nation under God, then we will be a 
> nation gone under." 
> - Ronald Reagan 
> _________________________________ 
>
>  
>  ------------------------------
> *From:* full-disclosure-bounces () lists grok org uk [mailto:
> full-disclosure-bounces () lists grok org uk] *On Behalf Of *Micheal Espinola 
> Jr
> *Sent:* Tuesday, April 26, 2005 11:56 AM
> *To:* Full Disclosure
> *Subject:* [Full-disclosure] Re: email attack vector just got wider
>
>   an update:
>  My latest finding is that Adobe PDF's with embedded attachments can be 
> bundled and distributed as a Secure Electronic Envelope (eEnvelope). 
> eEnvelopes are designed to protect documents in transit with the use of 
> encryption. 
>  Password protected .ZIP's are typically addressed at the SMTP gateway by 
> AV software with the option to strip or reject compressed file attachments 
> that are not readily scan-able (due to the password protection, etc). 
>  Although Adobe recommends enabling scanning all file types in order to 
> scan a PDF (and ass/u/me'ing its embedded contents as well), an AV scanner 
> is not currently going to be able to scan this encrypted content until the 
> content has been rendered/unencrypted at the desktop. 
>  While many AV vendors have factored certain compressed archive standards 
> into their products, I have seen no indication that this is being addressed 
> for this relatively new and already widely deployed product.
>  Call me a worry-wort, but I foresee this is the next "in" for malware 
> distribution.
>
>
> On 4/25/05, Micheal Espinola Jr <michealespinola () gmail com> wrote: 
> > Perhaps not "just". My apologies for those that are aware of this, but 
> > it seems Adobe 6 also had this capability - although many people have 
> > been unaware of this. I recently upgrade from 5 to 7, so I missed this 
> > potential issue from the get-go. 
> >  Someone pointed out to me that Symantec does have a bulletin stating 
> > that by setting your AV to "scan all files" you can detect a virus inside a 
> > file embedded into a PDF.
> >  Unfortunately, this does not address the blocking of certain 
> > attachments outright.
> >
> >  On 4/25/05, Micheal Espinola Jr <michealespinola () gmail com > wrote: 
> > > It seems most people I know haven't noticed that the new version of 
> > > Adobe Acrobat (7) now allows for embedded/attached documents.
> > >  Since PDF's have generally been considered a safe document format and 
> > > are typically not blocked by content/attachment scanners, this now opens an 
> > > email-based attack vector that anti-virus providers [to the best of my 
> > > knowledge] are not currently addressing. 
> > >  Many thanks to Adobe for creating another issue for us to deal with, 
> > > and especially for not having the forethought to coordinate with anti-virus 
> > > vendors to prepare for assuredly future exploitation of the technology. 
> > >
> > > -- 
> > > ME2
> > >
> > > my home: <http://www.santeriasys.net/>
> > > my photos: < http://mespinola.blogspot.com/> 
> >
> >
> >
> > -- 
> > ME2
> >
> > my home: < http://www.santeriasys.net/>
> > my photos: < http://mespinola.blogspot.com/> 
>
>
>
> -- 
> ME2
>
> my home: <http://www.santeriasys.net/>
> my photos: <http://mespinola.blogspot.com/> 


-- 
ME2 <http://www.santeriasys.net/>

photography: <http://mespinola.blogspot.com/>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/