Rise of predatory, parasitic spambooks


Somewhere in the future, a desperate group of authors is storming a fortress laboratory, hoping against hope that one of their number can travel back in time and rub out Charlie before he writes that essay, which history records as the key meme in the origin of BookNet.


My dead-tree books are not Turing-complete.


I know what I’m doing for NaNoWriMo, and it’s not going to be sitting in a coffee house furiously typing out a novel.

It’s going to be sitting in a coffee house furiously coding a Markov-chain book generator.

Oooh, the output of which is so enigmatic that a super-rich barely-human entity hires a down-on-their-luck young person with just the right skill set to find the author.

Man, this stuff writes itself!


Is there code in an ebook? Can you hide a virus in something that isn’t executable? It would rather be like putting a virus in a jpg. You can certainly hide code in an image but it is inert until something executes it, and as far as I know all the execution happens in the ereader on its own software.


Of course Charlie was inspired to write it by a chance encounter he had with a strangely dressed attacker who babbled about sentient e-books or some such nonsense before he was subdued by a nearby bobby and dragged off to the madhouse.

As Charlie says in the essay, “An epub ebook file is essentially an HTML5 file, encapsulated with descriptive metadata and an optional DRM layer. The latest draft standard includes support for all aspects of HTML5 including JavaScript.” (emphasis mine)


Ironically, an exploit was discovered and patched around…2004?..that potentially allowed maliciously-engineered JPGs to cause a buffer overflow and execute code on Windows.

I take your point, though.


Only organically authored, locally written ebooks from now on.


Did anyone else see the picture and thing, “RAh-men!”
(May your weekend find you touched by his noodly appendage.)


No, but their reader is- just like the ebooks.

You’ll need a cape.

Ugh, whose bright idea was it to allow Javascript in books? I mean, in theory the reader’s sandbox should prevent any scripts from doing anything malicious, but there always seem to be JS exploits going round that can break out of that.


I get a feeling that using JavaScript in e-books will not take off, as most readers will have it turned off by default. The other factor working against JavaScript in books is that most authors when wanting that level of control will hire someone to make it into a free standing app, or be forced to accept the sandbox that the hardware enforces.

After all, a lot of malware needs to be attuned to the hardware and OS. Malware that works on Windows does not work on Mac OS X or Linux, malware that infects Firefox will not infect Chrome or Internet Explorer. And the rise of “trusted sources” such as the iTunes Store and Amazon’s Kindle store means that most readers won’t encounter malware-infected books when they do show up.

That isn’t to day that there won’t be malware infections, but to stick to the infection metaphor, deadly epidemics are actually pretty rare. The diseases that stick with us are not the sort that kill off their hosts, and so I suspect that destructive malware will remain at the edge, as long as our “immune system” remains healthy.

1 Like


Sadly, aside from the described behavior, malicious software inside of PDF (Portable Document Format) files is quite common. PDF is used for far more things than reading static e-books or files, though; it’s a document format often used for various workflow processing systems, and as a result has a complete JavaScript implementation in it. While that’s most often used for the legitimate purpose of allowing users to enter information into forms (typing your information into tax forms, etc.), the JavaScript component is quite often used by malware authors for a number of activities.

If memory serves, besides Adobe Reader, a JavaScript parser also appears in Foxit Reader, Nitro PDF Reader and Nuance PDF Reader. Adobe Reader also has a Flash player embedded in it, which opens up another potential attack vector.


Why would book viruses be focused on book issues like fake reviews just because they originate from e-pub formats? Seems to me that’s assuming the means of transmission is tied to the purpose of the malware. Even with Charlie’s comments on the growing competition for reader eyeballs, those seem to be some pretty arcane and specialized uses for viruses to focus on. It would seem more likely book viruses will just be run of the mill type that seek to go where the real money is—compromising your financial account/password info, or zombifying your device and sending out spam.

1 Like

You seem to be thinking of books as novels or static texts.

Try instead to consider text books: an organic chemistry text that incorporates a molecular modelling and visualization package so the student can bang two molecules together and see how they fit. Or a maths textbook that includes enough smarts to allow the student to tackle problems and test the answers. Or a cookbook where you can enter the number of people who a recipe is for and have the ingredient quantities recalculated automatically. Or a programming language tutorial that incorporates an editor/debugger and a language interpreter so that the code examples not only work but are editable by the reader.

There are tons of uses for Javascript and dynamic content in ebooks: we’ve barely scraped the surface so far.


Are we still doing unicorn chasers? That pic is nasty!

1 Like

No capes!!!

1 Like

There are however a great many books in which such dynamic content will hardly be necessary. I think they should just make it a separate format entirely – call it “dpub” or somthing – and let people who have no interest in such content keep it far away.

After all this time, after the whole mess with MS Office macro viruses and self-running E-mail attachments and drive-by ActiveX downloads, have people learned nothing ?