How *not* to get infected by a PDF attachment virus
Engage brain, let Acrobat 5 scrub the harmful add-ons away
14 August 2001
Depending on which report(s) you may have read recently about the so-called "Peachy" virus, which demonstrated that PDFs can be carriers of viruses -- but only in attachments -- you might have concluded that there was reason for panic, or merely reason to be slightly more alert.
One published news report concluded:
"Although experts say that Peachy hasn't caused any damage, and isn't expected to, the virus has raised concerns about PDF, which in the past has been considered to be a very secure file format due to its use of encryption."
No indication which 'experts' they interviewed.
A more realistic report concluded:
"... the Peachy virus raises the issue that PDF files -- widely used to display documents within Web browsers and e-mail -- could become a new channel for spreading viruses."
FACT: Yes, they could -- and probably will.
FACT 2: You will only become infected by a virus contained in a PDF attachment if you first ignore warning signs from Acrobat, and are careless about opening unexpected file attachments. The same holds true, by the way, for unknown files distributed by any means.
We opted for a true expert opinion from a widely recognized PDF Guru, Aandi Inston of Quite Software. In his usual frank but knowledgeable way, Aandi made clear during an online discussion that the mild hysteria about PDFs suddenly spreading viruses randomly and rapidly against defenseless users is nonsense.
"No VBScript is needed. Just an idiot at the controls."
"You get a PDF file, and click. Acrobat asks you if you want to run a program. If you say yes, Acrobat does so. In this sense, Acrobat can carry viruses just like a Web browser and just like an e-mail program."
"The 'payload' doesn't have to be a virus. Remember that every unidentified attachment, every link on the web, every embedded PDF file could be a 2-line program that just removes every file on your hard disk."
Kathi Rauth, Senior Product Manager for Security and Digital Signatures at Adobe Systems, concurs -- but takes a more diplomatic approach (in part not having dealt with the same amount of online discussion 'nonsense' as Aandi over his many years!): "There are a number of ways that Acrobat users can protect themselves," she says, noting that "this is not a new problem -- just a new format for an old problem."
Rauth is quick to underscore that viruses can only be borne by attachments, not PDF files themselves. "PDF shall remain a secure format."
Additionally, she says, Adobe recently announced a relationship with McAfee to develop additional tools for detecting and removing viruses contained within PDF files. McAfee has released a software update (.DAT 4154) that can detect the Peachy virus, Rauth says.
There's a growing suspicion that the timing of the release of the "proof-of-concept" virus suggests it was created as a protest of Adobe's involvement in the FBI's arrest of Dmitry Sklyarov, a Russian software programmer. The Web site of the virus author adds to that speculation, indicating interest if not involvement in similar activism efforts.
According to one skeptic: "The hacker community is trying to damage Adobe's reputation, knowing that a virus scare will do damage in today's climate, whatever the facts."
Warning Signs and Protection Techniques
Among the ways Acrobat 5 users can protect themselves are the following:
- Heed warning dialog boxes if you're not sure of the file's source.
- Use Acrobat 5's PDF Consultant feature to analyze documents and remove attachments.
To detect and remove unwanted elements:
- Choose Tools > PDF Consultant > Detect and Remove.
- Select the items you want to detect or remove. Selecting All Comments will cause File Attachments Only and Multimedia to be selected as well.
- Do one of the following:
  - Click Analyze to see a report of the number of each of the selected items that PDF Consultant detects in the PDF file.
  - Click Remove to remove the selected items from the PDF file.
The Allow File Open Actions and Launching File Attachments option warns of security risks when you open a file in another application from a link in a PDF document, and gives you a chance to cancel the operation. If this option is not selected, links to files in other applications are disabled.
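
A rough scripted counterpart to the Analyze report described above, as an added example that is not from the original article or from Adobe: it counts the PDF name tokens that mark file attachments and launch or open actions in a file's raw bytes. The watched-name list, the function names and the sample bytes are assumptions made for this example, and names stored inside compressed streams are not seen.

```python
import re
from collections import Counter

# Name tokens tied to the risks discussed above (list chosen for this example).
WATCHED = {
    "EmbeddedFiles": "embedded-file name tree",
    "FileAttachment": "file attachment annotation",
    "Filespec": "file specification",
    "Launch": "action that launches a program or file",
    "OpenAction": "action run when the document opens",
}

# A PDF name is "/" followed by regular characters (no whitespace or delimiters).
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /L#61unch is counted as /Launch."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def analyze(pdf_bytes: bytes) -> Counter:
    """Count watched names in raw PDF bytes. Text inside string literals can
    match too, so treat the counts as a triage signal, not a verdict."""
    counts = Counter()
    for match in NAME_RE.finditer(pdf_bytes):
        name = decode_name(match.group(1))
        if name in WATCHED:
            counts[name] += 1
    return counts


# Constructed sample: a catalog with an attachment and an escaped Launch action.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >>"
    b" /OpenAction 4 0 R >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (attachment.bin) /EF << /F 5 0 R >> >> endobj\n"
    b"4 0 obj << /S /L#61unch /F 3 0 R >> endobj\n"
)

if __name__ == "__main__":
    for name, count in sorted(analyze(SAMPLE).items()):
        print(f"{count:3d}  /{name:<15} {WATCHED[name]}")
```

A non-zero count for EmbeddedFiles, Filespec or Launch is the cue to open the file only with the warning dialogs enabled, or to strip the attachments first.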