Friday, 10 August 2007

Stock Spam changes format: FDF

As reported by the F-Secure blog, the stock spammers have moved on from PDF spam to attachments with an .FDF extension. FDF stands for Forms Data Format, Adobe's format for carrying form field data, and it is opened by various PDF readers.

Update: it appears that all is not what it seems. The first few bytes of the .FDF file are actually %PDF-1.5, which means that all the spammers have done is rename the extension from .PDF to .FDF. A real .FDF file starts with the magic bytes %FDF-1.2. The PDF readers open the attachment as a PDF because they go by the magic bytes, not the extension, so the renamed file still renders as a PDF while slipping past any filter that only looks for a .PDF extension. Sneaky.
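Because the file is identified by its header rather than its extension, the obvious check is to sniff the first bytes yourself and compare them with what the extension claims. The following is an added example, not code from the original post or from Sanesecurity: it sniffs the %PDF-/%FDF- header, compares it with the declared extension, and flags the renamed-PDF trick. The sample attachments are constructed byte strings, not the spam attachments the post shows.

```python
import re

# Constructed samples (headers plus a token of body); not taken from the original post.
# "stock_tip.fdf" mimics the trick described: PDF bytes behind an .fdf extension.
SAMPLES = {
    "report.fdf": b"%FDF-1.2\n1 0 obj\n<< /FDF << /Fields [] >> >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n",
    "stock_tip.fdf": b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
    "invoice.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
}

# Header is "%PDF-M.N" or "%FDF-M.N". Readers tolerate some junk before it,
# so search the first 1 KiB rather than requiring offset 0.
HEADER_RE = re.compile(rb"%(PDF|FDF)-(\d)\.(\d)")

# Which header each extension is supposed to carry.
EXPECTED_FOR_EXT = {"pdf": "PDF", "fdf": "FDF"}


def sniff_format(data):
    """Return (format, version) from the magic bytes, e.g. ('PDF', '1.5'),
    or (None, None) if no PDF/FDF header is found in the first 1 KiB."""
    m = HEADER_RE.search(data[:1024])
    if not m:
        return None, None
    fmt = m.group(1).decode("ascii")
    version = "%s.%s" % (m.group(2).decode("ascii"), m.group(3).decode("ascii"))
    return fmt, version


def classify_attachment(filename, data):
    """Compare the declared extension against the sniffed header.

    verdict is one of:
      'ok'                 extension and header agree
      'extension-mismatch' header says one format, extension says another
                           (this is the renamed .PDF -> .FDF case)
      'unknown'            no PDF/FDF header at all
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    sniffed, version = sniff_format(data)
    expected = EXPECTED_FOR_EXT.get(ext)

    if sniffed is None:
        verdict = "unknown"
    elif expected == sniffed:
        verdict = "ok"
    else:
        verdict = "extension-mismatch"

    return {
        "filename": filename,
        "extension": ext,
        "sniffed": sniffed,
        "version": version,
        "verdict": verdict,
    }


def find_renamed_attachments(attachments):
    """Return the filenames whose header does not match their extension."""
    return [
        name
        for name, data in attachments.items()
        if classify_attachment(name, data)["verdict"] == "extension-mismatch"
    ]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = classify_attachment(name, data)
        print("%-14s header=%s-%s verdict=%s" % (name, r["sniffed"], r["version"], r["verdict"]))
```

Run as-is it walks the three constructed samples; only the PDF bytes hiding behind the .fdf extension come back as an extension mismatch. In a mail filter the same check would run on the decoded MIME part before any extension-based rule.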

Here's an example email that came in:

And here are its contents:

Note the random hex string (shown in red). The spammers change it for every message so that the Adobe-encrypted contents of the file differ each time, which makes a pattern hard to find: you can't block on an MD5 hash of the attachment, just as with the problems caused by the image spams.

The good news is that, although this was a new technique for the spammers, it was already zero-hour protected by signature: Email.Stk.Gen606.Sanesecurity.07080101.pdf

Which was nice :)
