Some security researchers were scratching their heads when PDF spam nearly disappeared last summer, but now at least one firm, MX Logic, said it is tracking the reemergence of the format showing up in unwanted messages.
Sam Masiello, director of threat management at Englewood, Colo.-based MX Logic, an antispam and managed services vendor, said PDF spam accounted for less than 0.5% of global spam volume last week. However, he said the reemergence of PDFs indicates spammers may be trying to test the file format against some spam filters.
"It could be somebody testing the waters or it could be the calm before the storm," Masiello said. "Generally your smaller, more localized attacks are less likely to be detected, but in this case it was obvious based on the subject lines that it was suspicious."
PDF spam emerged in July as a result of a tweak to the Storm Trojan, according to some security researchers. The PDF file format is widely used by businesses and as a result, security researchers were intrigued by the new method. Spam filtering vendors rapidly developed a way to detect the unwanted messages and distinguish them from legitimate PDF files. Within a month of the PDF spam discovery, security firms said PDF spam levels had almost completely disappeared.
Previous PDF spam contained messages for a pump and dump stock scheme. Masiello said the PDF spam discovered last week is easily detectable since it contains advertisements for a variety of pharmaceuticals – typical in most spam messages. Most businesses will have no problem determining a legitimate PDF file, he said.
In addition to the PDF spam, Storm continues to dominate most unwanted messages, according to Masiello. A Valentine's Day variant of Storm came out about two weeks ago, plaguing some inboxes. The Storm Valentine message contains a malicious URL. If the recipient clicks the URL, an executable file is downloaded and the victim's machine is infected, according to researchers at the SANS Internet Storm Center.
Masiello said spammers are also turning to stealthier methods of infection. A master boot record (MBR) rootkit was discovered earlier this month by security researchers who said it takes control of a system by silently overwriting the MBR with its own code. The master boot record is the first sector of a partitioned hard disk; it holds the partition table and the code the machine runs first at boot, so code placed there executes before the operating system loads.
The MBR rootkit was originally discovered by security researcher Matt Richard of Verisign's iDefense labs. Richard said the first attacks started in December. As many as 5,000 machines have been infected.
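Because the article describes the rootkit only as "silently overwriting the MBR with its own code", the practical defender question is how such a change would be noticed. The following is an added example, not code from the article or from MX Logic or iDefense: it parses the classic 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), records a hash of the boot code as a baseline, and reports when a later read of the sector no longer matches. The sample sectors are constructed in the script, and the boot-code bytes are placeholders.

```python
"""
Added example (not from the article or the vendors it quotes): a
baseline-and-compare integrity check for a disk's master boot record.

Classic MBR layout (512 bytes):
  bytes   0..445   boot code (runs before the operating system)
  bytes 446..509   four 16-byte partition entries
  bytes 510..511   boot signature 0x55 0xAA
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (little-endian fields)."""
    status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into boot-code hash, partition table and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    boot_code = sector[:BOOT_CODE_SIZE]
    table_end = PARTITION_TABLE_OFFSET + 4 * PARTITION_ENTRY_SIZE
    table = sector[PARTITION_TABLE_OFFSET:table_end]
    entries = [
        parse_partition_entry(table[i:i + PARTITION_ENTRY_SIZE])
        for i in range(0, len(table), PARTITION_ENTRY_SIZE)
    ]
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": [e for e in entries if e["type"] != 0],  # type 0 = unused slot
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing or corrupted")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from recorded baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged active")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR (sample data, not a real disk image) with one active partition."""
    padded = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    # status 0x80 (active), type 0x07 (NTFS), LBA start 2048, 1,000,000 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    empty = b"\x00" * PARTITION_ENTRY_SIZE
    return padded + entry + empty * 3 + BOOT_SIGNATURE


# Constructed sample: the "known-good" sector recorded when the baseline was taken.
# The boot-code bytes are placeholders, not a real boot loader.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

# Constructed sample: the same disk after the boot code was replaced. The
# partition table and signature are untouched, which is why the machine still
# boots normally and a plain "does it boot?" check would not notice.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 100)


def demo() -> tuple:
    """Run the check against both constructed sectors."""
    return check_mbr(CLEAN_MBR, BASELINE_HASH), check_mbr(TAMPERED_MBR, BASELINE_HASH)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean   :", clean or "OK")
    print("tampered:", tampered)
```

On a real host the sector comes from reading the first 512 bytes of the raw disk device (root or administrator privileges are needed), and the baseline hash should be stored off the host. One caveat worth building into any such check: a kernel-resident rootkit can filter reads of the sector it modified, so the comparison is most trustworthy when the disk is read from known-clean boot media rather than from within the running system.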
Masiello said malicious code delivered by spam in 2008 is showing early signs of furthering the trend of blended threats, in which attackers combine methods to trick and infect unsuspecting victims. In addition: zombie machines, pill spam, viruses, stock pump-and-dump spams.
"This model of the blended threat I think is still in its early stages partly because the methods in which people are being infected are still continuing to evolve," Masiello said. "Today, the user doesn't have to go to a malicious Web site or open a file attachment anymore to get infected."