
Some Thoughts about Office Open XML and Malware Detection

Last week I was googling around for comments and reactions to my report Malware Detection Rate in Alternative Word Formats, which was posted in the ISC diary on August 23rd, 2006. To sum it up, there have not been many reactions in magazines or the like, but it got at least the attention of the malware research community.
There is a very interesting follow-up article by Christoph Alme in the October 2006 edition of Virus Bulletin: the two-page article Scanning Embedded Objects in Word XML Files elaborates how AV products can identify embedded objects in Word XML files. He shows that XML documents can be manipulated slightly, within the flexibility offered by the XML standard, and are still considered valid Word documents. Using the same VirusTotal-based testing method as I did, he demonstrates that all existing AV products can be bypassed. As you might remember from my initial paper, only three AV products were capable of finding embedded malware in my run-of-the-mill XML documents.

So what does this tell us? The most likely reason is that even these three virus scanners do not really understand the XML document format. They most likely have no XML parser integrated, or the parser only implements the XML standard partially. This once again boils down to the conclusion that decoding capability is the name of the game.

Now let us speculate that AV products will integrate a complete off-the-shelf XML parser. Will this help? Well, it will help to properly decode XML documents, but it will most likely introduce new vulnerabilities in AV products so far unheard of. (Actually, the motivation for writing this article is to prevent AV vendors from releasing such broken products.) Let us take XML external DTD references as an example. If the XML parsers are used in their default configuration or are not configured properly, scanning an XML document with an external reference will result in requests to external sites. That is nice. This would allow an attacker to track malware distribution or download additional exploit files to the scanning system.
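To make both points concrete, here is an added example (my own code, not from the original post or from any AV product): a small WordML scanner built directly on the expat parser that refuses DOCTYPE declarations and external entity references before anything is resolved, then extracts the base64 w:binData objects Word 2003 XML uses for embedded files and flags those carrying an OLE compound-file header. The element names, the OLE magic bytes and the two sample documents are my assumptions and constructions, not material from the post.

```python
import base64
from xml.parsers import expat

WORDML_NS = "http://schemas.microsoft.com/office/word/2003/wordml"
BINDATA = f"{WORDML_NS} binData"  # expat reports names as "uri local"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header

class UnsafeXmlError(ValueError): pass  # XML feature a scanner must never honour

def extract_bindata(xml_bytes):
    """Return [(name, decoded bytes)] for each w:binData element; DOCTYPEs and
    external entity references are refused before anything gets resolved."""
    parser = expat.ParserCreate(namespace_separator=" ")
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    found, current = [], None  # current = [name, text chunks] inside binData

    def refuse(what):
        raise UnsafeXmlError(what)
    def start(tag, attrs):
        nonlocal current
        if tag == BINDATA:
            current = [attrs.get(f"{WORDML_NS} name", "?"), []]
    def end(tag):
        nonlocal current
        if tag == BINDATA and current is not None:
            # b64decode's default validate=False discards Word's line wrapping
            found.append((current[0], base64.b64decode("".join(current[1]))))
            current = None

    parser.StartDoctypeDeclHandler = lambda n, s, *_: refuse(f"DOCTYPE {n!r} ({s!r})")
    parser.ExternalEntityRefHandler = lambda c, b, s, p: refuse(f"external entity {s!r}")
    parser.StartElementHandler, parser.EndElementHandler = start, end
    parser.CharacterDataHandler = lambda d: current and current[1].append(d)
    parser.Parse(xml_bytes, True)
    return found

def scan_wordml(xml_bytes):
    """Findings for one document: embedded OLE objects, or why it was refused."""
    try:
        objects = extract_bindata(xml_bytes)
    except UnsafeXmlError as exc:
        return [f"refused: {exc}"]
    return [f"ole-object: {n} ({len(b)} bytes)"
            for n, b in objects if b.startswith(OLE_MAGIC)]

# Constructed samples (not real malware): an OLE-looking blob wrapped the way
# Word wraps base64 text, and a document that points at an external DTD.
_BLOB = base64.b64encode(OLE_MAGIC + b"\x00" * 8).decode()
SAMPLE_OLE = (f'<w:wordDocument xmlns:w="{WORDML_NS}"><w:docOleData>'
              f'<w:binData w:name="oledata.mso">{_BLOB[:12]}\n{_BLOB[12:]}'
              "</w:binData></w:docOleData></w:wordDocument>").encode()
SAMPLE_XXE = b'<!DOCTYPE w:wordDocument SYSTEM "http://example.invalid/w.dtd"><w:wordDocument xmlns:w="%s"/>' % WORDML_NS.encode()
```

A scanner wired this way never issues the outbound request described above, so the document is rejected (and can be logged) instead of silently tracked.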

With the release of Office 2007 a couple of days ago, which has the Office Open XML format as its standard storage format, the urge for XML-enabled AV products will grow. My retesting today shows that the detection rate of Netsky as an embedded object in an Office 2003 Word XML document is still at the same level as 3 months ago. I fear that the AV industry is not quite ready yet to protect its customers against XML-delivered attacks.

*** This is a Security Bloggers Network syndicated blog from iplosion security authored by jan.monsch. Read the original post at: http://www.iplosion.com/archives/48