[sf-lug] about new forms of dangerous junk mail

Rick Moen rick at linuxmafia.com
Tue Jul 31 10:22:18 PDT 2007

Quoting jim stockford (jim at well.com):

>     Lately I've been getting junk mail with .PDF
> or .ZIP attachments. I never click them, of course,

You should be able to click them, fold them, staple them, and mutilate
them all day long, actually.  What you want to avoid doing is _execute_
them as runnable code, same as with any other untrustworthy code
received from questionable sources.

Now, if your preferred application software on your preferred operating
system runs untrustworthy code without consulting you, then either the
application software, the operating system, or both is broken by
design, and should be replaced.

> but I wonder what they're about:

Popular antispam software often greps received _text_ looking for 
tiresome and annoying advertisements for male-potency drugs, etc.
Those pattern-matching routines are unlikely to attempt to find those 
same semantics when delivered in the form of graphical images or other 
unusual formats.  (This is dubbed "image spam".)

Now, you should also be aware that PDF files are, under the hood, a
slightly modified and compressed variant of Adobe's venerable PostScript
markup format.  PostScript is a programming language.  Therefore, any 
PDF (or PostScript) file received from untrustworthy sources is
potentially dangerous, in that "opening" it (a treacherous concept from
the MacOS / MS-Windows desktop world that conflates viewing data with
running of programs, which are not _always_ blurred activities) can 
execute some unknown remote party's code, with your user authority, on
your system, and carry out actions you cannot easily predict or control.

Fortunately, the authors of open source PDF- and PostScript-handling
software on Linux have historically been well-aware of this danger.  For
example, the GhostScript utility offers the -dSAFER switch for that
exact purpose:

              Disables the "deletefile" and "renamefile" operators and the
              ability to open files in any mode other than read-only. This is
              desirable for spoolers or any other environments where a
              malicious or badly written PostScript program must be prevented
              from changing important files.

I expect and hope that authors of popular Linux MUA (mail-reading)
programs and Web browsers use that and similar precautions in handling
data from public networks.  Indeed, in my experience, they do, as do
distributions in writing system-default mailcap files.

If you're using some desktop operating system other than Linux, then
good luck to you, and you'll have to seek help from others.

And, of course, if you're using the proprietary Adobe Acrobat Reader
("acroread") on Linux, good luck with that, too, since nobody in the
open source community can even inspect the code for problems, let alone
maintain distro packages of it.

> ...anybody know if clicking these enables executables...

You didn't even say what software you use for this purpose, so I'm
honestly not sure, offhand, how anyone else is going to tell you how
your unidentified PDF and Zip-handling software on your unidentified
operating system works.

Whatever software you use, you are strongly advised to _know_ what
happens when you use it to "click" particular types of files received
as untrustworthy data from public networks.  If doing so runs them,
then, as the old technical support joke goes, Don't Do That, Then.  ;->

> ...and if so, how does it work (e.g. click a .PDF and it has code in
> it to manage the .PDF reader and squirt some malware on the system

As a gedankenexperiment, imagine that I send you a piece of Linux-native
malware in e-mail.  Let's say I somehow contrive some way to preserve
the executable bit during transmission, which normally gets deliberately
stripped by receiving MUA software on Linux.  (Let's say I package up
a program with the executable bit set, inside a Zip compressed archive.
That might possibly work.)

Here's the program:

rm -rf ~
echo "Mua-hahaha.  All your database are belong to us."

I save that as postcard.sh, do "chmod u+x postcard.sh", and then do
"zip happyfunarchive.zip postcard.sh", and mail that to you saying
"Hi, Jim!  Please unpack and run postcard.sh, to see a pretty postcard."

You're in a trusting mood, so you save my postcard.sh out to, dunno,
wherever you put such things, ~/Desktop, or ~/bin, or /tmp, or somewhere 
_where you have write privilege_.  It's important to note that that
doesn't include any of the _system_ directories (executables, libraries, 
configuration files, etc.), which are not set writeable by any ordinary
user.  Now, I guess you're browsing around in, say, some graphical shell
like Nautilus or Konqueror, or something like that, and find the saved
copy of postcard.sh, and go clicky-clicky on it.

If Nautilus, Konqueror, or what have you knows how to run a Bourne shell
script, which seems likely, then it'll very likely do what you told it
to, which is to run the untrustworthy program you did the clicky-clicky 
thing on.  The program comes alive, and recursively deletes your home
directory.  'Hope you have that backed up.  Man, that was painful -- 
but please note that you shot only yourself in the foot, not the system,
which is completely unharmed.

Possibly of interest:
(See in particular the JBells analysis.)

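The thought experiment above hinges on one detail: a Zip archive can carry a Unix mode, so an executable bit that a mail reader would normally strip can ride along inside the archive and reappear when a command-line unzip restores it. The following is an added example, not code from the original post or from any project it mentions. It builds a constructed archive (reusing the post's names happyfunarchive.zip and postcard.sh, with a harmless placeholder body) in a temporary directory, then shows the two checks a receiving side can make before anything gets clicked: list which members would come out executable, and extract while clearing those bits regardless of which extraction tool is used.

```python
"""Inspect a zip archive for members that carry a Unix executable bit.

Added example, not part of the original sf-lug post. The archive and its
contents are constructed here; postcard.sh holds a harmless placeholder
script, not the destructive one described in the post.
"""
import os
import stat
import tempfile
import zipfile

# Harmless stand-in for the script in the post: it only prints a line.
POSTCARD_BODY = b'#!/bin/sh\necho "just a postcard"\n'


def build_sample_archive(directory):
    """Create happyfunarchive.zip containing postcard.sh stored as mode 0755.

    The zip format keeps the Unix mode in the high 16 bits of external_attr,
    which is how an executable bit survives transit inside an archive even
    though mail software strips it from plain attachments.
    """
    path = os.path.join(directory, "happyfunarchive.zip")
    with zipfile.ZipFile(path, "w") as zf:
        script = zipfile.ZipInfo("postcard.sh")
        script.create_system = 3  # 3 = Unix, so the mode bits are meaningful
        script.external_attr = (stat.S_IFREG | 0o755) << 16
        zf.writestr(script, POSTCARD_BODY)

        readme = zipfile.ZipInfo("README.txt")
        readme.create_system = 3
        readme.external_attr = (stat.S_IFREG | 0o644) << 16
        zf.writestr(readme, b"nothing to see here\n")
    return path


def executable_members(archive_path):
    """Return names of members whose stored mode has any execute bit set."""
    found = []
    with zipfile.ZipFile(archive_path) as zf:
        for info in zf.infolist():
            mode = (info.external_attr >> 16) & 0o7777
            if mode & 0o111:
                found.append(info.filename)
    return found


def extract_without_exec(archive_path, dest):
    """Extract every member, then make sure nothing extracted is executable.

    Python's extractall does not restore mode bits, but a command-line unzip
    would; clearing the bits explicitly keeps the result independent of the
    tool that did the extraction.
    """
    with zipfile.ZipFile(archive_path) as zf:
        zf.extractall(dest)
    for root, _dirs, files in os.walk(dest):
        for name in files:
            p = os.path.join(root, name)
            os.chmod(p, os.stat(p).st_mode & ~0o111)
    return sorted(os.listdir(dest))


def demo():
    """Build the sample archive, audit it, extract it, and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = build_sample_archive(tmp)
        flagged = executable_members(archive)
        out = os.path.join(tmp, "out")
        os.mkdir(out)
        extracted = extract_without_exec(archive, out)
        still_exec = [n for n in extracted
                      if os.stat(os.path.join(out, n)).st_mode & 0o111]
        return flagged, extracted, still_exec


if __name__ == "__main__":
    flagged, extracted, still_exec = demo()
    print("members that would extract as executable:", flagged)
    print("extracted files:", extracted)
    print("still executable after extraction:", still_exec)
```

Running it reports postcard.sh as the one member that would come out executable, and an empty list after the guarded extraction, which is the point: the archive's stored mode is data you can inspect before you decide whether anything in it should ever be run.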