New virus travels in PDF files
Tuesday August 07 11:00 PM EDT
dailynews.yahoo.com
By Stephen Shankland CNET News.com
Adobe's popular PDF file format--known to anyone who's ever called up a tax form on the IRS Web
site--has generally been considered immune to viruses. But a new virus carried by programs embedded
in PDF files raises concerns that the format itself could become susceptible.
On Tuesday morning, Network Associates' McAfee antivirus division
became aware of the first virus--known as "Peachy"--that uses PDF to
spread, said Vincent Gullotto, senior director of McAfee's Avert group.
Fortunately, those who are simply viewing a PDF, or Portable Document
Format, file aren't vulnerable. The virus spreads only by way of Adobe's
Acrobat software--the program used to create PDF documents--not
through Acrobat Reader, the free program that is used to view the files.
"There is no way for this to affect Acrobat Reader," said Adobe's Sarah Rosenbaum, director of
Acrobat product management. "The code in Acrobat that recognizes attachments does not exist in
Reader."
Peachy exploits an Acrobat feature that allows people to embed other files within a PDF--attachments
that can be opened only by people using Acrobat.
"Right now it's considered to be a low risk because we haven't seen it reported to us from a customer,"
Network Associates' Gullotto said.
But the Peachy virus raises the issue that PDF files--widely used to display documents within Web
browsers and e-mail--could become a new channel for spreading viruses.
"What I'm concerned about here is that this could be a new frontier," said Richard Smith, chief
technology officer of the Privacy Foundation. "It's considered to be a safe file format." Smith posted
news of the virus to the Bugtraq security mailing list Tuesday.
It's clear that if Adobe modified future versions of Reader so that it could read attachments embedded
in PDF files, the program could fall victim to Peachy's descendents.
Rosenbaum said that while it's possible Adobe might add attachment-handling capability in future
editions of Acrobat Reader, the company has no immediate plans to do so.
Smith said he believes Acrobat Reader software ultimately could prove susceptible in any case.
Indeed, the Computer Emergency Response Team posted news of a vulnerability in the Windows
version of Acrobat in November 2000 that could let an outside attacker gain control over the
computer of a person who simply viewed a PDF file. Adobe patched that hole.
Adobe said any popular software becomes a target for security attacks and Acrobat has crossed that
threshold.
"I think the attraction...has reached a critical level recently," Rosenbaum said. "It's only been in the last
18 to 24 months that PDF...use has really exploded."
How Peachy works
Acrobat lets people embed different file types within a PDF, including everything from the VBScript
programs--used in the LoveLetter virus--to an actual executable program, Gullotto said.
Peachy is named after a small game in a PDF file that involves finding peaches, Gullotto said.
According to a person called Zulu, who said he wrote Peachy, showing the solution to the game runs a
VBScript file.
The virus then spreads to others using e-mail addresses collected from Microsoft Outlook, Gullotto
said. Using PDF bypasses the filters in newer versions of Outlook that ordinarily screen out VBScript
files.
Through an agreement with Adobe announced in June, McAfee's software is able to scan PDF files,
Gullotto said. However, as with other virus types, the software isn't always able to catch new viruses
until its definitions are updated.
Updated virus descriptions released by McAfee next week will be able to detect Peachy, Gullotto
said.
But Adobe doesn't currently plan to prevent VBScript or other files from running.
To prevent Peachy from being able to run, "the change we would have to make is not to allow
VBScript attachments. That is a problem for a lot of our customers," she said. "If they change their
opinion, we will do what they want."
Users with the full version of Acrobat will have to exercise caution when opening attachments to PDF
files. However, opening attachments isn't automatic: A cautionary dialog box asks if the user wants to
proceed. |
