Re: [Full-disclosure] Some Thoughts about Office Open XML and Malware Detection
From: Robert Kim Wireless Internet Advisor (evdo.hsdpagmail.com)
Date: Thu Dec 07 2006 - 18:21:23 CST
Does full-disclosure need a digg.com style social news and voting
site? lemme know.. i'd be happy to build one for your community.
see: http://digg.com and
On 12/7/06, Jan P. Monsch <jan.monschiplosion.com> wrote:
> Last week I have been googling around for comments and reactions from my
> report "Malware Detection Rate in Alternative Word Formats"
> (http://www.iplosion.com/archives/3) which was posted in the ISC diary on
> August 23rd, 2006 (http://isc.sans.org/diary.php?storyid=1630). To sum it up,
> there have not been a lot of reactions in magazines or the like, but it got at
> least the attention of the malware research community.
> There is this very interesting follow-up article from Christoph Alme in the
> October 2006 edition of the Virus Bulletin. The two-page article "Scanning
> Embedded Objects in Word XML Files"
> (http://www.securecomputing.com/pdf/CAlme_VBOct06.pdf) elaborates how
> AV products can identify embedded objects in Word XML files. He shows that
> XML documents can be manipulated slightly, within the flexibility offered in
> the XML standard, and still are considered valid Word documents. Using the
> same VirusTotal-based testing method as I did, he demonstrates that all
> existing AV products can be bypassed. As you might remember, in my initial paper
> there were only three AV products capable of finding embedded malware in my
> run-of-the-mill XML documents.
> So what does this tell us: The most likely reason is that these three virus
> scanners do not really understand XML document format. They most likely have
> no XML parser integrated or the parser only implements the XML standard
> partially. This once again melts down to the conclusion that the decoding
> capability is the name of the game.
> Now let us speculate that AV products will integrate a complete
> off-the-shelf XML parser. Will this help? Well it will help to properly
> decode XML documents but it will most likely introduce new vulnerabilities
> in AV products so far unheard of. (Actually, the motivation for my writing this
> article is to prevent AV vendors from releasing such broken products). Let us
> take XML external DTD references as an example. If the XML parsers are used
> in default configuration or are not configured properly, scanning an XML
> with an external reference will result in requests to external sites. That
> is nice. This would allow an attacker to track malware distribution or
> download additional exploit files to the scanning system.
> With the release of Office 2007 a couple of days ago, which will have the
> Office Open XML format as standard storage format, the urge for XML enabled
> AV products will grow. My retesting today shows that the detection rate of
> Netsky as an embedded object in an Office 2003 Word XML is still at the same
> level as 3 months ago. I fear that the AV industry is not quite yet ready to
> protect their customers against XML delivered attacks.
> Kind regards
> Jan P. Monsch
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Robert Q Kim, Wireless Internet Provider
2611 S. Pacific Coast Highway 101
Cardiff by the Sea, CA 92007
206 984 0880
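The two points in the quoted message (decode the XML fully, but do not let the parser follow an external DTD reference) can be combined in one scanner-side extractor; this is an added example, not code from the thread or from any AV product. It assumes the Word 2003 XML namespace URI and base64 `binData` elements shown in the comments, and uses Python's bundled expat parser.

```python
import base64
import xml.parsers.expat

# Assumption: the Word 2003 XML (WordprocessingML) namespace, with embedded
# binary objects carried base64-encoded in its <binData> elements.
NS = "http://schemas.microsoft.com/office/word/2003/wordml"

class DoctypeRejected(Exception):
    """The document declares a DOCTYPE, which could name an external DTD."""

def extract_embedded_objects(xml_bytes):
    """Return [(name, decoded_bytes)] for each binData element."""
    # Names are reported as "namespace-URI local-name", so matching does not
    # depend on which prefix the document author chose.
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    found, current = [], None

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Refuse before any external subset could be requested.
        raise DoctypeRejected(f"DOCTYPE {name!r}, system id {system_id!r}")

    def on_start(tag, attrs):
        nonlocal current
        if tag == NS + " binData":
            current = (attrs.get(NS + " name", ""), [])

    def on_chars(data):
        if current is not None:
            current[1].append(data)  # plain text and CDATA both arrive here

    def on_end(tag):
        nonlocal current
        if current is not None and tag == NS + " binData":
            found.append((current[0], base64.b64decode("".join(current[1]))))
            current = None

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(xml_bytes, True)
    return found

# Constructed samples: the same harmless payload (b"Hello") in two spellings,
# plus a document that carries an external DTD reference.
PLAIN = (b'<w:wordDocument xmlns:w="' + NS.encode() + b'"><w:docOleData>'
         b'<w:binData w:name="oledata.mso">SGVsbG8=</w:binData>'
         b'</w:docOleData></w:wordDocument>')
VARIANT = (b'<x:wordDocument xmlns:x="' + NS.encode() + b'"><x:docOleData>'
           b'<x:binData x:name="oledata.mso">SGVs<![CDATA[bG8=]]></x:binData>'
           b'</x:docOleData></x:wordDocument>')
WITH_DTD = (b'<!DOCTYPE wordDocument SYSTEM "http://example.invalid/a.dtd">'
            b'<wordDocument xmlns="' + NS.encode() + b'"/>')
```

Both spellings yield the same decoded object for the signature engine to scan, while the third document is rejected with `DoctypeRejected` and no network request is made.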