Packet Storm, PACKETSTORM:11982
adobe.acrobat.netbus.trojan.txt
Added Aug 17, 1999
packetstormsecurity.com
Date: Tue, 6 Apr 1999 07:41:06 -0600
Reply-To: "Wamsley, James R" <[email protected]>
Sender: Windows NT BugTraq Mailing List <[email protected]>
From: "Wamsley, James R" <[email protected]>
Subject: Adobe put Trojan horse in Acrobat.
Comments: To: "[email protected]" <[email protected]>
Comments: cc: "Samos, Randy B." <[email protected]>
  
We recently found an alarming problem with Adobe's pre-release of Acrobat 4.0.
When one of our users downloaded and installed the pre-release, McAfee, using
data definitions 4.0.4017, stated that one file, net bus pro.dr, contained a virus
and could not be removed. Of course we investigated and saw NetBus there. The
user opened a problem report with Adobe. They acknowledge that NetBus Pro is
part of the package, but it 'has not been reported to cause problems with
anyone's computer at this time.'
  
I personally find it absolutely reprehensible that they would purposely put
'remote administration and spy software' in a package that will be widely
distributed around the world. That is all any of us need: to have a lot of
users install this, and the nefarious users obtain the whole package and start
whacking desktops whenever they choose.
  
Comments?   
  
[ Jim Wamsley, Network Engineering   
[ StorageTek   
[ One StorageTek Drive, M.S. 4380, Louisville, CO 80028   
[ Audible: (303) 673-8163 Logical [email protected]   
[ Sed quis custodiet ipsos custodes - Juvenal, C. 100 C.E   
  
----------------------------------------------------------------------------------------  
  
Date: Wed, 7 Apr 1999 15:05:18 -0400
Reply-To: Russ <[email protected]>
Sender: Windows NT BugTraq Mailing List <[email protected]>
From: Russ <[email protected]>
Subject: Re: Adobe put Trojan horse in Acrobat.
Comments: To: "Wamsley, James R" <[email protected]>
  
Interim Update:   
  
James is in a seminar today, and while I was able to drag him out of it long   
enough to ask a few questions, some will remain unanswered until tomorrow   
(when he can get to the source messages he has).   
  
- They found NetBusPro.dr in a pre-release version of Adobe Acrobat Reader 4.0
- They reportedly got a response from Adobe indicating it had been put there,
and that "nobody has reported it to cause any problems".
  
When I spoke to Adobe Customer Service, they could not find any reference to   
NetBus being included, officially, in any of their Acrobat released products.   
  
Several posters have stated they do not find NetBus when scanning with McAfee   
(various versions) against the released Adobe Acrobat 4.0 package (note, I   
don't believe this is the same package James was referring to).   
  
I received a message from one poster that included a snippet of a message he   
received from a member of the anti-virus research community within which, was a   
supposed response from McAfee. McAfee was supposedly acknowledging that this   
was a false detection within their 4.0.4017 .DAT file. The response said that
this would be fixed "in a future update of the .DAT files."
  
I downloaded and checked the WhatsNew.txt file in the McAfee 4.0.4019 .DAT update, but it
makes no mention of any false detection, or whether or not it's been corrected.
James has not scanned it with 4.0.4019 so cannot say if it has, in fact,   
disappeared or not.   
  
My apologies for how long this response has taken. James' message caused a   
flood of responses and I had hoped to get him to give us some more facts. It   
took me a while to track down his pager number (ain't social engineering fun!),   
hence the delay.   
  
I have messages into the senior researchers at NAI, but as yet they haven't
responded either. Without accurate info about precisely where James got
precisely what, it's hard to ask Adobe many more questions than I already have.
I truly goofed in sending this one out without a little more clarification in
advance...tsk, tsk...
  
More when something useful arises.   
  
Cheers, Russ - NTBugtraq moderator   
  
----------------------------------------------------------------------------------------  
  
Date: Thu, 8 Apr 1999 21:33:18 -0400
Reply-To: Russ <[email protected]>
Sender: Windows NT BugTraq Mailing List <[email protected]>
From: Russ <[email protected]>
Subject: Re: Adobe put Trojan horse in Acrobat.
  
Well, I guess neither NAI nor Adobe think enough of us to warrant us with their   
direct response, so instead, you get me...;-]   
  
Last night, I spoke with Vincent Gullotto, Manager of AV Researchers at AVERT,   
the Supreme Beings of NAI's Anti-Virus crowd. I had sent him a message early   
yesterday about the Adobe issue and wanted his confirmation after I had   
received a redirected note originating from DataFellows quoting confirmation   
from McAfee that the detection of NetBusPro in the pre-release of Adobe Reader   
4.0 was, in fact, a mis-detection.   
  
Well, Vincent was nice enough to confirm to me that it was, in fact, a   
mis-detection. He agreed that his group would confirm this to NTBugtraq, but he   
needed some confirmation from his researchers regarding precisely which versions   
of their .DAT files were mis-detecting. "Tomorrow", he said.   
  
I figured that many of you would not accept a simple explanation from Adobe, or a
3rd party confirmation from DataFellows. I spoke, indirectly, to PR people at
Adobe. Seems Adobe is going to publish something on Saturday (gee, thanks for
being so quick Frank). I figured, well, this wasn't going to convince you either.
  
I stressed to Vincent the need to have NAI confirm the mis-detection. Gee, he   
agreed, but here we are and still no confirmation.   
  
Now I've never been one to hide my disdain for the way NAI handles important   
issues, but I figured after a person-to-person conversation that I took the   
trouble to initiate, and after him telling me point blank that we'd see   
something today...sigh...oh well, guess I had higher expectations than I should   
have.   
  
So, take my word for it, both NAI and Adobe say the detection of NetBusPro in   
the pre-release of Adobe Reader 4.0 was a mis-detection.   
  
That said, Adobe did confirm that there was a file in that version called   
NetBusPro.dr. Now ask yourself, who would be stupid enough to call a file in,   
even, a pre-release package such a significantly suspicious name as NetBus?   
Adobe and NAI both seem suspiciously silent about this fact. Did NAI detect   
something and Adobe convinced them to call it a mis-detection? Did Adobe   
incorporate NetBusPro into their product and sufficiently hide it, maybe with   
NAI cooperation, such that detection programs don't see it anymore?   
  
I have a copy of a message from [email protected] which states that   
NetBusPro.dr is, in fact, included in the pre-release. That same message   
includes links to the NetBus home page, as if to say, "if you want to know   
what this thing does, the thing we included in this package, go here and   
you'll find out". Another message I have from Adobe internal says that
they've been seeing this rumor for a week now, and on lists where they don't
have dedicated lurkers to dispel such rumors, it's run rampant.
  
If you don't know me, let me tell you. I'm pretty good at getting to the   
bottom of things with any company. The fact that Adobe is so unconcerned   
about this "rumor" that they're not publishing anything to dispel it until   
Saturday stinks of other issues to me. The fact that NAI, despite a personal   
confirmation and agreement to publish a statement, still have not, also   
stinks of other issues to me.   
  
In the spirit of "better safe than sorry", I'd say this. Stay away from Adobe   
Acrobat Reader 4.0 and NAI scanners until this thing has been clarified beyond   
a shadow of a doubt (and if you ask me, I don't know how that is now possible).   
  
Draw your own conclusions. DataFellows had a page up about NetBus earlier today,
which I saw, at http://www.europe.datafellows.com/v-descs/netbus.htm, which now   
seems to be unavailable. I had personal messages from folks at DataFellows   
confirming it was a mis-detection, but they weren't prepared to state this on   
the list.   
  
As a responsible White Hat I wanted to get NAI to confirm it was a mis-detection,   
and put the whole issue to rest. But as a responsible journalist, I figure the   
above is the best you can expect, at least for now.   
  
A fine line, I know, but if you'd been told what I've been told, I suspect you'd   
be thinking like me.   
  
Cheers, Russ - NTBugtraq moderator   
  
----------------------------------------------------------------------------------------  
  
Date: Thu, 8 Apr 1999 19:08:42 -0700  
From: Sarah Rosenbaum <[email protected]>  
To: [email protected]  
Subject: ALERT: No viruses in Acrobat Reader  
  
The public beta release of Acrobat Reader 4.0, posted on www.adobe.com in  
early March was rumored to contain a virus. This is a false report.  
  
McAfee VirusScan 4.x.x for Windows using the 4.0.4017 Virus DAT file  
released March 15, 1999 reported that the pre-release version had the  
NetBusPro.dr virus, but this was due to an imprecise virus specification  
within the 4.0.4017 Virus DAT file itself.  
  
The 4.0.4019 Virus DAT file released by Network Associates on March 29,
1999 corrects the problem and shows that the file is free of viruses. Both
the virus lab at Network Associates and Adobe Systems Inc have confirmed
this fix.
  
BTW, the 4.0.4015 Virus DAT file that was current as of early March had  
also shown the file to be free of viruses.  
  
All pre-release and release versions of Acrobat 4.0 Reader are free of
known viruses. Adobe uses a number of virus scanning utilities, in
addition to McAfee, to thoroughly screen all software before it is released
publicly. Thank you for your attention in this matter.
  
Sarah  
-------------------------------------------------------------------------  
Sarah Rosenbaum          Adobe Systems Incorporated
Group Product Manager    345 Park Avenue, MS E14
Adobe Acrobat            San Jose, CA 95110
408-536-3844 (v)         [email protected]
408-537-4005 (f)         www.adobe.com/acrobat
------------------------------------------------------------------------  
  
----------------------------------------------------------------------------------------  
  
Date: Fri, 9 Apr 1999 11:27:16 -0400  
From: Russ <[email protected]>  
To: [email protected]  
Subject: FW: A post on you NT Bugtrack  
  
Here's the message I received from NAI last night, shortly after my  
message went out to the list. Unfortunately it was sent directly to me  
rather than to the list itself.  
  
Cheers,  
Russ - NTBugtraq moderator  
  
-----Original Message-----  
From: Gullotto, Vincent [mailto:[email protected]]
Sent: Thursday, April 08, 1999 10:16 PM  
To: 'Russ'  
Subject: A post on you NT Bugtrack  
  
  
As we spoke about yesterday, and as I did confirm and agree to provide you
and your readers a response, here is a statement from AVERT, A Division of
NAI Labs.

The topic discussed in the NT BugTrack Subject: "Adobe put Trojan horse in
Acrobat" was initially brought to our attention on 3/19/99. The detection
of the NetBusPro tool in the ar40.exe file was incorrect. This occurs with
the 4017 and 4018 DAT sets for McAfee and Dr Solomon VirusScan 4.XX
products, which were posted on March 17th and March 24th to the AVERT Labs
web page. The correction was made to the 4019 DAT set which was posted on
March 29 on NAI's FTP site.
  
Vincent Gullotto  
Manager, AV Research  
AVERT-NAI Labs  
www.avertlabs.com <http://www.avertlabs.com>  
  
----------------------------------------------------------------------------------------  
  
Date: Fri, 9 Apr 1999 14:19:34 -0400  
From: Russ <[email protected]>  
To: [email protected]  
Subject: Re: Adobe put Trojan horse in Acrobat.  
  
I've just put an editorial on the Adobe issue up on the NTBugtraq site,  
it includes the source information I received that has led me to make  
some of the statements I have. Many people asked me to disclose more of  
what I had in support of my comments.  
  
Check out the revised News bulletin on the NTBugtraq Home Page,  
http://ntbugtraq.ntadvice.com, titled "NetBusPro in Adobe? You decide!".  
  
Cheers,  
Russ - NTBugtraq moderator  
  
----------  
  
[http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=47&aid=28]  
  
What's up with Adobe?   
Written by Russ Cooper - 4/9/99 12:42:42 PM  
  
Preface:  
Due to overwhelming response, this page is an attempt to disclose what information I have received regarding this issue. While some of the information is verbatim
copy I've received from others, I should make it clear that I have altered some information in order to protect sources. I hope that my reputation as a responsible and
reliable source of accurate information is not tainted by this fact.
  
In addition, this page also contains speculative observation and editorial commentary. I personally have not been able to investigate the true purpose of any component  
within the Adobe Acrobat Reader pre-release 4.0. I do not intend to, I leave that task to others who are more capable in this regard. I would appreciate hearing any  
findings, email me at [email protected].  
  
I hope this allows you to draw your own conclusions. I hope this will also encourage both Adobe and Network Associates, Inc. to better communicate with its user  
community over issues as sensitive as this one is.  
  
History:  
  
The alarm raised by Jim Wamsley of StorageTek <http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind9904&L=ntbugtraq&F=P&S=&P=779> over the possible presence of NetBusPro within the Adobe Acrobat Reader pre-release 4.0 <ftp://ftp.adobe.com/pub/adobe/acrobatreader/win/4.x/beta/ar40.zip> was, I thought, of import to  
NT Security-minded folks everywhere. McAfee's anti-virus definition file (.DAT file) version 4.0.4017 told him that it believed NetBusPro might be included in the  
AR40.EXE file (extracted from the downloaded AR40.zip file from Adobe's FTP site) <ftp://ftp.adobe.com/pub/adobe/acrobatreader/win/4.x/beta/ar40.zip>.  
  
James had received this warning from one of his users and, correctly IMO, alerted NTBugtraq.  
  
James' user went to Adobe's Tech Support web site and submitted a question to them. A response was ultimately sent to that user from a generic Adobe Service  
account ([email protected]). The edited response follows (it has been edited because it contained not only the user name and email address, but also IP address  
information of the user. The Adobe "Thread Number", a tracking number they use, has also been omitted. Anyone from Adobe who would like this number is welcome to  
contact me for it);  
  
  
-----Original Message-----  
From: [email protected] [mailto:[email protected]]  
Sent: Friday, April 02, 1999 10:34 AM  
To: [email protected]  
Subject:   
  
Hello xxx,  
  
Thank you for taking the time to alert us of the presence of a possible virus in the Acrobat Reader 4.0 Pre-release download.  
  
Although we have received reports of this virus from a number of different sources, our engineers have not found the presence of an actual virus in the  
posted file. NetBus Pro is the name of a software application from another company, and we suspect that the NetBusPro.dr file within the Acrobat Reader  
4.0 Pre-release is being mistakenly reported as a virus (although this has not yet been confirmed).  
  
We do know for certain that the Acrobat Reader 4.0 Pre-release (Ar40.exe) has not been reported to cause problems with anyone's computer at this time.  
  
To obtain a version of the Acrobat Reader 4.0 Pre-release that has been verified not to produce any virus messages with McAfee, please download it from  
the following ftp site:  
  
ftp://ftp.adobe.com/pub/adobe/acrobatreader/win/4.x/beta/ar40.zip  
  
For more information on NetBus Pro, please visit the following website: http://NetBus.Org/main.html  
  
Also, visit the following URL on the Adobe Web site for the latest customer service and technical information:  
http://www.adobe.com/supportservice/custsupport/main.html  
  
Thank you for contacting Adobe Customer Support via the Adobe Web site.  
  
Best regards,  
Adobe Customer Support  
  
THREAD:xxxxxxxxxxxxxxxxxxxxx  
The thread number (above) is your reference number for this issue. Thank you for visiting www.adobe.com. We hope this reply answers your question.  
Inquiries such as yours often prompt us to update or add information to www.adobe.com so it can be available to other customers. Please return to  
www.adobe.com for additional information and inquiries. Copyright 1999 Adobe Systems Incorporated  
--- On 03/16/99, you wrote ---  
WebSite: Adobe.com  
ProblemType: Other  
WebURL: http://www.adobe.com/  
CONTENT_LENGTH = 741  
CONTENT_TYPE = application/x-www-form-urlencoded  
GATEWAY_INTERFACE = CGI/1.1  
HTTPS = OFF  
HTTP_ACCEPT = application/vnd.ms-excel, application/msword,application/vnd.ms-powerpoint, image/gif, image/x-xbitmap, image/jpeg,image/pjpeg, */*  
HTTP_ACCEPT_ENCODING = gzip, deflate  
HTTP_ACCEPT_LANGUAGE = en-us  
HTTP_COOKIE = AWID_9.80.22.140:10745:918855192:81;WECCIDCookie932364811728316  
HTTP_FORWARDED = by http://xxxxxx.xxxxxxx.xxx:80 (Netscape-Proxy/3.5)  
HTTP_HOST = cgi1.adobe.com  
HTTP_PRAGMA = no-cache  
HTTP_REFERER = http://www.adobe.com/misc/webform.html  
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 5.0b2; Windows NT)  
PATH = /usr/sbin:/usr/bin  
REMOTE_ADDR = xxx.xxx.xxx.xxx  
REMOTE_HOST = xxx.xxx.xxx.xxx  
REQUEST_METHOD = POST  
SCRIPT_NAME = /misc/comments04.cgi  
SERVER_NAME = cgi1.adobe.com  
SERVER_PORT = 80  
SERVER_PROTOCOL = HTTP/1.0  
SERVER_SOFTWARE = Netscape-Commerce/1.12  
SERVER_URL = http://cgi1.adobe.com  
TZ = US/Pacific  
The virus scan program I'm using (McAfee) says there is a virus in the AR40.exe file that is part of the Adobe Acrobat .zip file I just downloaded. VirusScan  
says it is a "NetBusPro" virus and can't remove it. My company's team responsible for virus things say it is a new version of NetBus, which is a Trojan  
Horse virus. Please contact me about this. --- original message ends ---  
  
  
Now as you can see, this certainly comes across as Adobe confirming the presence of a file called NetBusPro.dr. I have installed the same version that this person was
referring to and cannot find a file anywhere on my system called NetBusPro.dr; however, this does not mean it's not present, as the Adobe Service Rep. states.
  
It's also worth pointing out that Adobe does not state, even in their public announcement <http://listserv.netspace.org/cgi-bin/wa?A2=ind9904b&L=bugtraq&F=&S=&P=1246> on the issue posted to Bugtraq, that the program in question does not have
NetBusPro in it; they merely say it is free of viruses. I'm normally a trusting individual, but making an unequivocal statement that NetBusPro is not
present would seem to have been the right thing for Adobe to do.
  
In the copy of the Adobe Internal Engineering document referencing this supposed false detection, a paragraph is present which is not present in the public Adobe  
statement; <http://listserv.netspace.org/cgi-bin/wa?A2=ind9904b&L=bugtraq&F=&S=&P=1246>  
  
  
"NetBus Pro 2.0 by Carl-Fredrik Neikter is a remote administration and spy tool. It enables you to remotely administer computers. Earlier versions of  
NetBus were used illicitly by people who create viruses to play tricks on other people by enabling them to remotely control their computers. These viruses  
involving NetBus were known as NETBUS.153 and NETBUS.160. NetBus Pro 2.0 is more robust than earlier versions known as NetBus, and NetBus Pro 2.0  
is significantly more difficult to distribute as a virus."  
  
  
Again, they seem more than willing to give praise to the NetBusPro product and make an attempt to differentiate its characteristic as a "virus" from earlier versions.  
  
Shortly after I sent James' message through to NTBugtraq I sent messages to 4 individuals at Network Associates, Inc.'s AVERT Labs <http://www.avertlabs.com>, including Vincent Gullotto,  
Manager of AV Researchers (sent on 4/7/99 1:51pm EDT). Vincent had previously offered these contacts for virus-related issues. My message said;  
  
  
I released information this morning regarding the supposed inclusion of NetBus in Adobe Acrobat 4.0 based on McAfee 4.0.4017 identifying it being present  
in AR40.EXE.  
  
I've subsequently received a message stating that this was a mis-detection by your virus scanner. The poster included text supposedly originating from  
McAfee, but I have been unable to find it on your web site. The text was;  
  
-----------------------  
This file AR40.EXE for Adobe Acrobat Reader 4.0 is identified by .DAT 4017 as containing "NetBusPro.dr" trojan:  
  
Scanning file D:\!VIRUS\ar40.exe  
D:\!VIRUS\ar40.exe could have NetBusPro.dr trojan !!!  
  
This is a false detection. This will be corrected in a future update of the .DAT files. Also thank you for the sample referred to as XXXXXX. It has been  
forwarded to our researchers for examination and a researcher will get back to you with our findings. -----------------------  
  
Could you please confirm this, and if possible, provide a link to a publicly accessible statement from McAfee on this? Alternatively, could you have  
someone respond directly to [email protected] re-stating the above.  
  
Your quick reply would be greatly appreciated. I would also greatly appreciate a direct phone number for any of you.  
  
Cheers,  
Russ - NTBugtraq moderator   
  
  
The included quote originated from a respected AV Researcher with DataFellows, and seems to have been sent to a number of people (despite this, I won't disclose the  
sources). Virtually the same wording ended up on DataFellows Web Site <http://www.europe.datafellows.com/v-descs/netbus.htm> late yesterday (btw, they have told me it was unavailable when I went to look at it yesterday  
simply due to the volume of hits it was receiving).  
  
At ~5:30pm EDT on 4/7/99 I called Vincent directly and spoke with him and one of his researchers about the issue. I stressed that we (NTBugtraq) needed a  
confirmation message from NAI to clarify the issue. I asked about NAI's policy regarding mis-detections and was told they do not make the information public. Not that  
they don't want to, only that they hadn't yet gotten around to placing the information somewhere on their web sites. Of course I pointed out that it could be included  
in their WhatsNew.txt file included in each .DAT file update, and he said he would consider what could be done.  
  
Meanwhile, it was agreed that NAI would post something to the list, as a direct response to my message to the list, that clarified what had happened. Vincent indicated  
that he needed to talk to an AV Researcher in the U.K. to determine precisely which .DAT file versions caused a mis-detection. Since it was already after U.K. closing,  
NTBugtraq could expect a message the following day (4/8/99). I certainly appreciated his thoroughness, and more than appreciated his cooperation in discussing the  
issues with me personally.  
  
It's probably reasonable to point out here that I stressed to Vincent my understanding of how mis-detections happen. I have no expectation that mis-detections will
not occur; of course I hope they will be few and far between, like he does, but they're bound to happen. I fully support any AV vendor whose product happens to
mis-detect a virus, better safe than sorry. I pointed out, however, that it's just as important to make disclosure of mis-detections. A number of messages I received in
response to the original issue pointed out to me the harm they had been subjected to by people claiming they were being sent infected documents or files...claims made
due to mis-detections. It's one thing for me to tell you that something is a mis-detection, but I would hope you'd only believe it if the AV vendor said so.
  
After waiting until 9:30 EST on 4/8/99, after closing for the U.S., for a message from NAI clarifying the issue, I felt I should post something <http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind9904&L=ntbugtraq&F=P&S=&P=1323>. The volume of messages I  
was receiving on the issue indicated that many people felt it was an important issue.   
  
By this time I had spent a great deal of time thinking about the various aspects of this whole affair. Adobe seemed to be pointing people to NetBus, and seemed  
unwilling to outright state it was not in their product. NAI had promised a message to the list, but none materialized.  
  
I started to ask myself just how the mis-detection worked, and more importantly, how it could be corrected! Was VirusScan simply detecting the word "NetBusPro"  
somewhere in the file? According to my discussions with NAI, the mis-detection came from the reader containing "an icon that was very similar to one found in  
NetBusPro" as well as "some header material that was very similar". So did Adobe change an icon in the final release to stop the mis-detection? Or did NAI say to its  
.DAT file "if you see something that looks like NetBusPro in Adobe Acrobat Reader 4.0, ignore it, it's not NetBusPro!"??
  
No doubt AV Researchers can better explain why mis-detections happen, and how application vendors can make software that causes mis-detections, but both
parties' lackadaisical attitude to the issue just left me feeling like something was missing.
  
I thought it reasonable that maybe Adobe included NetBusPro in the pre-release of their Reader in order to assist them during the beta testing phase. Might make  
sense, and they may have satisfied themselves that NetBusPro was the right product to assist them. Of course there should have been mention of this in the docs  
somewhere, and they should have acknowledged it in their announcement to the public. But I wouldn't expect NAI to remove detection of it, regardless of why it might  
be there.  
  
Did the NetBusPro folks get on NAI's back and tell them to stop detecting their now commercial version of the product as a Trojan?? If I were the owners of  
NetBusPro, and I was trying to sell it commercially, I certainly wouldn't be pleased that AV vendors were telling my users its a Trojan and shouldn't be trusted, would  
you?  
  
Or is it all just a simple issue of VirusScan simply being a bit too broad in its signature matching routines and picking up something completely unrelated to NetBusPro  
and thinking it was NetBusPro? This is probably the case, but I ask myself, how will I ever know??  
  
I'm not a conspiracy theorist like some of my on-line friends...(Hi Bill...;-])...but clearly there needs to be a more effective mechanism of handling these issues that is  
convincing enough to quell any suggestion of suspicious behavior. Unfortunately, I don't have an answer for that right now, hence my skepticism.  
  
Hopefully one of you with the ability to decompile and analyze code will be able to tell us, for certain, whether or not there is any NetBusPro functionality in the Adobe  
Acrobat Reader pre-release 4.0. Hopefully Adobe will make an unequivocal statement that there is not such functionality in any version of their product. Hopefully NAI,  
and all AV vendors, will start making lists of mis-detections available to the public as and when they happen.  
  
Hopefully I haven't over-hyped this issue, and instead, have helped somewhat to make such issues less worrisome in the future. That was my intent.  
  
Cheers,  
Russ - NTBugtraq moderator  
comments welcome...   
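The two remedies the editorial speculates about above, tightening the signature versus telling the scanner to ignore a known-clean file, can be shown side by side. The following is an added example written for this page; it is not code from the NTBugtraq thread, NAI or Adobe, and every byte string it scans (a shared header stub, a shared icon, the marker strings) is a constructed stand-in, not real NetBusPro or Acrobat content. A signature that keys only on the shared stub and icon fires on both files; requiring a tool-specific marker removes the false positive, while a hash allowlist suppresses it without fixing the signature and stops working the moment the clean file changes by a single byte.

```python
"""Toy signature scanner: how a broad signature mis-detects, and two ways to fix it.

Added example, not part of the original thread. All byte strings are
constructed stand-ins; none is real NetBusPro or Acrobat Reader content.
"""
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed stand-ins. A shared stock icon and a common compiler stub are
# the kind of "similar icon" and "similar header material" the editorial
# reports NAI blamed for the mis-detection.
COMMON_STUB = b"MZ\x90\x00" + b"This program cannot be run in DOS mode."
SHARED_ICON = bytes.fromhex("00000100010010100000010004002801") + b"\x00" * 16
TROJAN_STRING = b"NetBusPro control channel"   # distinctive to the fake tool
READER_STRING = b"Acrobat Reader 4.0 installer"  # distinctive to the fake reader

NETBUSPRO_SAMPLE = COMMON_STUB + SHARED_ICON + TROJAN_STRING + b"\x00" * 32
AR40_SAMPLE = COMMON_STUB + SHARED_ICON + READER_STRING + b"\x00" * 32


@dataclass
class Signature:
    name: str
    required: List[bytes]  # every pattern must be present for a hit

    def matches(self, data: bytes) -> bool:
        return all(pattern in data for pattern in self.required)


# "4017-style" signature: header stub plus icon only. Too broad.
LOOSE = Signature("NetBusPro.dr (loose)", [COMMON_STUB, SHARED_ICON])
# Tightened signature: additionally demand a marker specific to the tool.
TIGHT = Signature("NetBusPro.dr (tight)", [COMMON_STUB, SHARED_ICON, TROJAN_STRING])


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(data: bytes, sig: Signature,
         clean_hashes: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Return the detection name, or None if the file is considered clean.

    clean_hashes is an allowlist of known-good file hashes: the second way a
    vendor can silence a false positive without touching the signature.
    """
    if sha256(data) in clean_hashes:
        return None
    return sig.name if sig.matches(data) else None


def demo() -> dict:
    allow = frozenset({sha256(AR40_SAMPLE)})
    return {
        "loose_on_trojan": scan(NETBUSPRO_SAMPLE, LOOSE),
        "loose_on_reader": scan(AR40_SAMPLE, LOOSE),      # the false positive
        "tight_on_trojan": scan(NETBUSPRO_SAMPLE, TIGHT),
        "tight_on_reader": scan(AR40_SAMPLE, TIGHT),      # fixed by precision
        "loose_on_reader_allowlisted": scan(AR40_SAMPLE, LOOSE, allow),  # fixed by exclusion
        # weakness of the exclusion route: one changed byte and the FP returns
        "loose_on_reader_rebuilt": scan(AR40_SAMPLE + b"\x00", LOOSE, allow),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:30s} {verdict}")
```

The tight signature still catches the constructed trojan while clearing the constructed reader, which is the outcome a corrected DAT set should produce; the allowlist clears only the exact build it was made from, so a rebuilt reader would trip the loose signature again.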
  
----------------------------------------------------------------------------------------  
  
Date: Mon, 12 Apr 1999 08:04:20 -0400  
From: Russ <[email protected]>  
To: [email protected]  
Subject: FW: ALERT: No viruses in Acrobat Reader  
  
  
Received: from smtp-relay-1.adobe.com ([192.150.11.1]) by
    ns.ntbugtraq.com with SMTP (Microsoft Exchange Internet Mail Service
    Version 5.5.1960.3)
    id H1GPKN43; Sun, 11 Apr 1999 23:02:50 -0400
Received: from inner-relay-1.Adobe.COM ([153.32.1.51] (may be forged))
    by smtp-relay-1.Adobe.COM (8.8.6) with ESMTP id TAA23125
    for <[email protected]>; Sun, 11 Apr 1999 19:57:16 -0700 (PDT)
Received: from mail-321.corp.Adobe.COM by inner-relay-1.Adobe.COM
    (8.8.5) with ESMTP id UAA15768; Sun, 11 Apr 1999 20:02:44 -0700 (PDT)
Received: from sarahtp600 by mail-321.corp.Adobe.COM (8.7.5) with SMTP
    id UAA08101; Sun, 11 Apr 1999 20:02:41 -0700 (PDT)
Message-Id: <[email protected]>
X-Sender: [email protected]
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Sun, 11 Apr 1999 19:55:55 -0700
To: Russ <[email protected]>
From: Sarah Rosenbaum <[email protected]>
Subject: RE: ALERT: No viruses in Acrobat Reader
In-Reply-To: <[email protected]>
Mime-Version: 1.0
  
-----Original Message-----  
From: Sarah Rosenbaum [mailto:[email protected]]
Sent: Sunday, April 11, 1999 10:56 PM  
To: Russ  
Subject: RE: ALERT: No viruses in Acrobat Reader  
  
  
Dear Mr. Cooper,  
  
Below is an additional statement regarding the false reports that the
Adobe Acrobat Reader pre-release contained a "virus," or more
specifically, the NetBusPro software. Although we believe the original
statements from Adobe Systems Incorporated and Network Associates, Inc.  
last Thursday (April 8) clearly refuted the false report, your  
commentary on this issue on www.ntbugtraq.com suggests that you did not  
find such statements unequivocal.  
  
We appreciate the service your web site provides to the software
industry. However, given the rapidity with which false information can
spread over the internet, we would appreciate that great care be taken
to verify information that can so seriously harm a developer of top
quality software. As you know, Adobe products are highly regarded. False
reports such as these are damaging and also require a use of Adobe's
resources which are better spent contributing to innovation.
  
Thank you for posting the information below to your web site. For
further information, please don't hesitate to contact me.
  
Regards,  
Sarah  
-------------------------------------------------------------------------
Sarah Rosenbaum          Adobe Systems Incorporated
Group Product Manager    345 Park Avenue, MS E14
Adobe Acrobat            San Jose, CA 95110
408-536-3844 (v)         [email protected]
408-537-4005 (f)         www.adobe.com/acrobat
-------------------------------------------------------------------------
  
Subject: NO NetBusPro IN ADOBE ACROBAT READER  
  
Adobe software, such as Acrobat Reader, does not include, nor did it  
ever include, any NetBus or NetBusPro software.  
  
McAfee VirusScan 4.x falsely reported the NetBusPro.dr software when
scanning Ar40.exe and Ar40eng.exe pre-release software when using virus
definitions 4.0.4017. The virus alert was caused by an error in version
4.0.4017 of the virus definition file distributed by Network Associates,
Inc. This has been confirmed by the virus lab at Network Associates,
Inc. and by Adobe Systems Incorporated. When you install virus
definitions 4.0.4019, VirusScan 4.x does not report an error with
Ar40.exe or Ar40eng.exe.
  
Adobe uses a variety of anti-virus software in addition to McAfee  
VirusScan to thoroughly screen all software before it is publicly  
released.  
  
There was some confusion from original reports because NetBusPro is  
described as both a virus and a "trojan horse". It is a common confusion  
because software such as NetBusPro is sometimes picked up by virus  
detection software.  
  
Regards,  
Sarah Rosenbaum  
  
  
At 01:28 PM 4/10/99 -0400, you wrote:  
>Could you get Adobe to confirm, publicly, that Adobe Acrobat Reader 4.0,  
>any version be it beta or otherwise, never has, and does not, contain  
>components, or the complete version, of NetBusPro 2.x?  
>  
>NetBus v1.xx is considered a "virus", or a Trojan actually, but the  
>commercial product NetBusPro 2.x is not considered as such.  
>  
>Adobe's public statement, sent in your name, does not make this  
>distinction sufficiently for many of my 24,000+ subscribers (or me).  
>  
>Such a clarification, in public, either on your web site or via email,  
>would put this matter to rest once and for all.  
>  
>Cheers,  
>Russ - NTBugtraq moderator  
>List address: [email protected]  
>Web site: http://ntbugtraq.ntadvice.com  
>  
  
-------------------------------------------------------------------------------  
  
Adobe Conclusion - Part 1   
Written by Russ Cooper - 4/13/99 5:38:47 PM  
  
I spoke with a wonderful PR fella at Adobe named Tim Oey this afternoon. I've been travelling since Sunday morning so this is why you haven't seen much from me  
lately. Anyway, so Tim's all anxious for me to get a change up on my web site regarding the latest breaking news from them (meaning I should change my site to  
reflect information Sarah sent me in private on Sunday which I published yesterday). I got a chuckle out of the fact he figured I should've changed my site overnight  
when it's taken them more than 2 weeks to get something up on theirs...but that's another story.  
  
To the heart of the matter;  
  
In my editorial, http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=47&aid=28 (which I will be referring to as "my Adobe editorial" from now on), I said;  
  
"It's also worth pointing out that Adobe does not state, even in their public announcement on the issue posted to Bugtraq, that the program in question  
does not have NetBusPro in it, they merely say it is free of viruses. I'm normally a trusting individual, but Adobe's lack of making an unequivocal  
statement that NetBusPro is not present would seem to have been the right thing to do."  
  
to wit, Tim sent me this URL today;  
  
http://www.adobe.com/supportservice/custsupport/SOLUTIONS/19bc6.htm  
  
within which, they state, unequivocally (as I hoped they would);  
  
"Adobe software, such as Acrobat Reader, does not include -- nor did it ever include -- any NetBus or NetBus Pro software."  
Note, this means not in pre-release, not in released, not in any Adobe software (that goes for Pagemill too!).  
  
This means, to me, this has truly been a mis-detection by NAI and Adobe should be believed and trusted on this point.  
  
Now before I get a flood of messages from you X-Files fans out there, listen up.  
  
1. Adobe has never threatened me. Their PR spiel could use some work, and they should learn better how to deal with privacy issues and technical  
consumers, but I don't, and haven't, felt compelled to say or do anything.  
  
2. I have believed, all along, that this was a mis-detection. When Jim sent me the email from [email protected], I was very suspicious. When I downloaded a  
then current version of the pre-release and couldn't find a file called NETBUSPRO.DR in there anywhere, I scratched my head and wrote some things. All  
along, however, I believed it would be borne out to be a mis-detection.  
  
3. You guys, or those that responded to me directly (hundreds of you, thanks!), weren't so convinced. So my Adobe editorial reflected that skepticism and  
doubt, mixed with the facts I had at hand.  
  
4. For the die-hard conspiracy theorist amongst you, I have a copy of Jim's user's original download of the pre-release. It's 4.6MB zipped, and I won't send it  
more than a couple of times, but if you can convince me it's going to prove something for you to look at it, I'll pass it along.  
  
There's a few lessons to be learnt here;  
  
I. Anti-virus software will always mis-detect when they are based on signature "profiling".  
  
II. AV Vendors should all have publicly accessible pages stating any and all mis-detections and should be updated immediately once a mis-detection is  
confirmed. I don't think it matters what liability issues might be obstacles to such a page, the damage mis-detections can cause to individuals, corporations,  
software distribution venues, as well as publishers, should be allayed by the AV Vendor who mis-detects.  
  
I have had numerous reports from a variety of sources about the horror stories mis-detection has caused (and is still causing).  
  
I don't think we need view mis-detections as a flaw in the AV software, since they're a fact of the way AV software works. Like Email hoaxes, such  
spurious incidents occur, and re-occur, and so should be stated somewhere for all to see.  
  
One individual told me of how a mis-detection of a macro virus in a Word document led two partner companies to nearly dissolve their relationship because  
of the insistence of both sides that they had the facts of the matter (virus or not virus).  
  
III. If PR people are going to handle "rumors" such as this one with Adobe, they better know what they're talking about and whom they're talking to. Sarah,  
from Adobe, meant to send a message to NTBugtraq but sent it to Bugtraq instead because "she got the names mixed up". Gee, I guess she hadn't read  
any of the thread then, had she (or anyone in the PR side of Adobe). Next she sent me a private unequivocal response to my explicit request for a  
message to NTBugtraq...duh...  
  
IV. It should be the responsibility of the AV Vendor to make all public statements about mis-detections, including coordinating with the "harmed" vendor and  
making statements on their behalf. Where's NAI's public statement after all this time??? They must believe announcing they mis-detected something will  
harm their share value...meanwhile Adobe is left hanging in the wind having to tell the world what NAI has said...without any public confirmation from NAI  
themselves!!  
  
Now Tim told me that our friend Vinnie, Vincent Gullotto, Manager of AV Researchers at AVERT, was "going to have a page put up soon". Well Tim, he told  
me that too, last week...and we're still waiting.   
  
Finally, many of you are probably wondering why I've spent any time on this, or what it has to do with NT Security in the first place...good question...;-]  
  
Fact is, the original issue occurred with 2 pieces of NT software, so it's somewhat related to NT. More importantly, it was a test of the response mechanisms for the  
companies involved. Think of it like those tests of the Early Warning System we used to get on TV.  
  
As I told Tim;  
  
a. Had the Adobe service rep., the one who responded to Jim's user's question about the detection, not said that a file called NETBUSPRO.DR was in the  
Acrobat Reader package, none of this would ever have seen the light of day.  
  
b. Had Adobe put up a publicly accessible page on 3/19, when they first knew, and had had confirmed by NAI, that McAfee VirusScan was mis-detecting,  
none of this would ever have seen the light of day.  
  
c. Had NAI responded to NTBugtraq when I asked them to, and they said they would, the issue would have been dead at that time.  
  
d. Had Adobe's PR not put out the message they did, wherein they couldn't distinguish between a virus and a trojan, or between a malicious piece of code and  
a commercial software package, and instead had said what they said later, the issue would have been dead.   
  
They didn't, so the issue wouldn't die amongst you, and I kept getting messages making me say more and dig more.  
  
All in all, Adobe's none too happy with my speculation and fact mix, NAI's probably not going to talk to me in the future (or for a while anyway), and I've annoyed  
more than one of you with too many messages about this issue.  
  
...sigh...the life of a moderator...;-]  
  
Cheers,  
Russ - NTBugtraq moderator   
  
-------------------------------------------------------------------------------  
  
http://www.adobe.com/supportservice/custsupport/SOLUTIONS/19bc6.htm  
  
McAfee VirusScan 4.x Incorrectly Reports Virus in Ar40.exe or Ar40eng.exe  
  
Document number 323180  
  
  
Issue  
McAfee VirusScan 4.x for Windows reports one or more of the following errors:   
- "McAfee VShield: Virus found in download file!"   
- "Downloaded File: AR40.ZIP -- Virus name: NetBusPro.dr -- McAfee suggests: You are trying to download or  
transmit an infected file. Please delete this file and alert the Webmaster of the virus."   
- "Infected File: AR40.EXE -- Virus name: NetBusPro.dr -- McAfee suggests: This virus cannot be cleaned. Please  
delete the file and restore it from your backup diskettes."   
- "AR40.EXE -- Infected by: NetBusPro.dr (No Remover Available) -- Status: Infected"   
- "Downloaded File: AR40ENG.EXE -- Virus name: NetBusPro.dr -- McAfee suggests: You are trying to download  
or transmit an infected file. Please delete this file and alert the Webmaster of the virus."   
- "Infected File: AR40ENG.EXE -- Virus name: NetBusPro.dr -- McAfee suggests: This virus cannot be cleaned.  
Please delete the file and restore it from your backup diskettes."   
- "AR40ENG.EXE -- Infected by: NetBusPro.dr (No Remover Available) -- Status: Infected"   
  
Details   
- You are downloading or have downloaded Adobe Acrobat Reader 4.0 Pre-Release for Windows (Ar40.exe) or Adobe  
Acrobat Reader 4.0 for Windows (Ar40eng.exe).   
- You're using McAfee virus definitions 4.0.4017 dated March 15, 1999.   
  
Solution  
Download and install virus definitions 4.0.4019 or later from the McAfee Web site at http://www.mcafee.com/. The virus  
definitions 4.0.4019 are dated March 29, 1999.   
  
Additional Information  
Adobe software, such as Acrobat Reader, does not include -- nor did it ever include -- any NetBus or NetBus Pro  
software.   
  
McAfee VirusScan 4.x falsely reports the NetBusPro.dr virus when scanning Ar40.exe and Ar40eng.exe when using  
virus definitions 4.0.4017. The virus alert is caused by an error in version 4.0.4017 of the virus definitions file distributed  
by Network Associates -- it is not caused by a virus. This has been confirmed by Adobe Systems, Inc. as well as by  
the virus lab at Network Associates. When you install virus definitions 4.0.4019, VirusScan 4.x does not report an error  
with Ar40.exe or Ar40eng.exe.   
  
All pre-release and release versions of Acrobat 4.0 Reader are free of known viruses. Adobe uses a variety of  
anti-virus software in addition to McAfee VirusScan to thoroughly screen all software before it is publicly released.  
Ar40.exe was released in February 1999. Before uploading it, Adobe used VirusScan 4.x with virus definitions 4.0.4014  
dated February 18, 1999 to verify Ar40.exe was clear of viruses. Before uploading Ar40eng.exe, released in April 1999,  
Adobe used VirusScan 4.x with virus definitions 4.0.4019 to verify Ar40eng.exe was clear of viruses.   
  
For further inquiries regarding this issue, please contact Sarah Rosenbaum, Group Product Manager for Adobe Acrobat,  
at [email protected].   
  
Related Records:  
Product: Acrobat Reader  
Platform: Windows  
Last Updated: 04/08/99  
Filename: 19bc6.htm  
  
  
  
-------------------------------------------------------------------------------  
  
Date: Wed, 14 Apr 1999 14:33:59 -0400  
From: Russ <[email protected]>  
To: [email protected]  
Subject: Adobe: Conclusion Part 2 - final  
  
FYI: NAI now has a public web statement posted at:  
http://www.avertlabs.com/public/datafiles/valerts/vinfo/ar40-info.asp  
  
This closes the issue.  
  
Cheers,  
Russ - NTBugtraq moderator  
  
  
[http://www.avertlabs.com/public/datafiles/valerts/vinfo/ar40-info.asp]  
  
Network Associates certifies that Adobe software, such as Acrobat   
Reader, does not contain, and never did contain, the NetBusPro Trojan.   
  
Posted April 13, 1999  
  
McAfee VirusScan 4.x falsely reported the NetBusPro.dr  
trojan when scanning Ar40.exe and Ar40eng.exe pre-release  
software when using virus definitions 4.0.4017. The virus alert  
was caused because there was identifying code within Adobe's  
product that had a similar pattern as the trojan known as NetBusPro.dr.  
This has been confirmed by the virus lab at Network Associates,  
Inc. and by Adobe Systems Incorporated. If you are experiencing  
this problem, please upgrade your DAT virus definitions to at least  
v4.0.4019 (http://www.avertlabs.com/public/datafiles/4xupdates.asp),  
and all issues will be rectified.  
  
Sincerely,  
  
AVERT, A Division Of NAI Labs  
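The collision NAI describes above (a definition pattern that also occurs in unrelated, benign code) is easy to reproduce with a toy scanner. The block below is an added illustration, not code from any of the messages, Adobe, or NAI; the byte strings, the signature contents and the file contents are all constructed and do not represent real NetBusPro or Acrobat Reader data.

```python
"""Toy byte-signature scanner showing how a short pattern mis-detects.

Constructed example: none of the byte strings below are real NetBusPro
or Acrobat Reader content. They only model a definition-file pattern
that is short enough to also occur inside an unrelated, benign file,
and a more specific replacement pattern that no longer collides.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # bytes the scanner looks for anywhere in the file


def scan(data: bytes, sigs: list[Signature]) -> list[str]:
    """Return the names of every signature whose pattern occurs in data."""
    return [s.name for s in sigs if s.pattern in data]


# Constructed stand-in for the sample the signature was written for.
TROJAN_SAMPLE = b"\x55\x8b\xec" + b"NBPRO-CTRL-SOCKET" + b"\x90" * 8 + b"\xc3"

# Constructed stand-in for a benign installer whose string table happens
# to carry the same short run of bytes (the "similar pattern" in the
# NAI statement).
BENIGN_INSTALLER = b"MZ" + b"\x00" * 16 + b"Setup: NBPRO-CTRL" + b"\x00" * 32

# Definition version A: the pattern is short, so it collides with benign data.
SIG_SHORT = Signature("NetBusPro.dr", b"NBPRO-CTRL")

# Definition version B: the pattern covers more of the sample's distinctive
# context, so the benign file no longer matches while the sample still does.
SIG_SPECIFIC = Signature("NetBusPro.dr", b"NBPRO-CTRL-SOCKET" + b"\x90" * 8)


def false_positive(sig: Signature) -> bool:
    """True when sig flags the benign installer (a mis-detection)."""
    return sig.name in scan(BENIGN_INSTALLER, [sig])


def detects_sample(sig: Signature) -> bool:
    """True when sig still flags the sample it was written for."""
    return sig.name in scan(TROJAN_SAMPLE, [sig])


if __name__ == "__main__":
    for label, sig in (("short", SIG_SHORT), ("specific", SIG_SPECIFIC)):
        print(f"{label}: detects_sample={detects_sample(sig)} "
              f"false_positive={false_positive(sig)}")
```

The practical check this models is the one the thread arrived at: a vendor-signed installer flagged with "no remover available" is a candidate false positive, to be confirmed against the current definition file and with the AV lab before the file is deleted or the vendor is publicly accused.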
  
`