10 October 2007 07:58 GMT
Office Exploit And Friends
Malware writers have always jumped at the chance to package malicious code in a way that doesn’t attract attention - it’s why we labelled them Trojans. Microsoft Office documents were favourite attack vectors in the mid-90s due to a design flaw in the way macros were handled, and for years these were exploited in many ways.
Not so long ago, some critical vulnerabilities were found in various versions of the popular Office suite of applications, such as Word, Excel and PowerPoint. These bugs enabled malware authors to embed malicious code into documents, spreadsheets, etc. In many instances, whole pieces of malware could be dropped and executed without the user’s knowledge, simply by opening the malicious document in an Office application.
Once again, the humble Office document is turning into a favourite amongst malware authors.
Attackers love these kinds of exploits because they are hard to detect, they look innocent and they can hold all kinds of nasty surprises.
Due to the complexity of the exploits required to execute these kinds of attack, most exploited documents will contain only one or two files. The exploited document I looked at today was no exception; however, it did have an interesting twist. It drops a single piece of malware which is mated to the exploited document; when run, it searches the user’s system until it finds the document it originated from and then extracts three more pieces of malware from the document.
That's a total of four separate pieces of malware from one document. These other nasties are identified as: Troj/AntiHIP-A, Troj/AntiHIP-B, Troj/DDrop-C and Troj/KillAV-EB.
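The multi-stage trick described above only works because the extra payloads sit inside the document itself, which gives a defender something concrete to look for. The Python below is an added example, not code from the original post or from SophosLabs: it scans a constructed stand-in document (an OLE2 header plus three PE-shaped stubs, all constructed and non-executable) for embedded PE images by validating the MZ header, e_lfanew pointer and "PE\0\0" signature chain rather than matching "MZ" alone.

```python
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of legacy binary Office containers


def find_embedded_pe(blob: bytes) -> list[int]:
    """Return the offset of every plausible PE image embedded in blob.

    A PE image starts with an MZ DOS header whose dword at 0x3c (e_lfanew)
    points at the 'PE\\0\\0' signature; checking that chain avoids
    flagging every stray 'MZ' in ordinary document text.
    """
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig_at = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[sig_at:sig_at + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def fake_pe(marker: bytes) -> bytes:
    """Constructed, non-executable PE-shaped stub for the demo (e_lfanew = 0x80)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\x00\x00" + marker.ljust(0x40, b"\x00")


def build_sample_document() -> bytes:
    """Constructed stand-in for a booby-trapped document: OLE2 header, text, three stubs."""
    filler = b"This is harmless document text. " * 8
    return (OLE2_MAGIC + filler
            + fake_pe(b"stage1") + filler
            + fake_pe(b"stage2") + filler
            + fake_pe(b"stage3") + filler)


def assess(blob: bytes) -> dict:
    """Summarise a scan: is this an OLE2 file, and how many PE images hide inside it?"""
    offsets = find_embedded_pe(blob)
    return {"ole2": blob.startswith(OLE2_MAGIC), "embedded_pe": len(offsets), "offsets": offsets}


if __name__ == "__main__":
    print(assess(build_sample_document()))
```

A legitimate document can embed an executable as an OLE object, so a hit is a triage signal rather than a verdict; more than one PE image in a single document is the pattern worth escalating.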
Collectively, they attempt to interfere with anti-virus applications and attempt to steal information.
Perhaps due to our stronger, more resilient anti-virus technologies, attackers are trying to pack more pieces of malware into a single file in an attempt to win through via sheer numbers. If safety is your concern (and it should be), make sure any Office applications you have are updated and patched.
Chris Mitchell, SophosLabs Australia.
