Yet another vector for malware


According to Vinoo Thomas of McAfee Avert Labs, there have recently been numerous submissions consisting of executable files embedded in Rich Text Format (RTF) files as OLE objects.

In Rich Text Malware, Thomas shows how malware can be tucked into an RTF file as a standard embedded object using nothing more than Windows WordPad.

His incredulity stems from the fact that, of the 30 antivirus engines he tried through VirusTotal, a public multi-engine scanning service, only 16 handled RTF correctly and detected his embedded EICAR test file. This is despite the fact that such RTF trickery is, to say the least, not considered cutting-edge.

Still, I believe the real-time or on-access component of a good antivirus scanner would still get a look at the embedded file when it is extracted to disk prior to execution, provided its signatures recognise the payload. Personally, my real concern lies with what comes next.

With a few tweaks in Object Packager, the label of the embedded object can be changed from, say, clickme.exe to clickme.txt, while the file itself remains an executable. According to Larry Seltzer of PCMag.com in his own tests (A Long-Ignored Vulnerability: RTF Files), only WordPad on Vista steadfastly showed the full filename of the executable that it actually was.

Whatever the case, a hapless user double-clicking on the embedded object will cause the program to execute. Only Vista and Windows SP2 actually showed a warning and offered the option to abort; earlier versions of Windows simply ran the application, potential malware included, with no further notice.
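To make the embedding, the scanning gap and the label trick concrete, here is an added example that is not part of the original post or of Thomas's or Seltzer's work. It builds a minimal RTF carrying an OLE 1.0 "Package" object, the same kind of object WordPad and Object Packager produce, and then parses it back the way a scanner must: hex-decode the \objdata destination, walk the OLE 1.0 object header and the Packager native data, and compare the label shown to the user with the real file name and the payload's magic bytes. The header layout follows MS-OLEDS for the OLE 1.0 ObjectHeader and, for the Packager stream, the field order parsed by oletools' oleobj; treat the Packager layout as an assumption, since Microsoft does not document it. The payload is a constructed stand-in (an MZ header plus padding), not real malware.

```python
"""Build and dissect an RTF with an embedded OLE 1.0 "Package" object (added example)."""
import re
import struct

OLE_VERSION = 0x00000501      # OLEVersion written by OLE 1.0 objects
FORMAT_EMBEDDED = 0x00000002  # FormatID 2 = embedded (1 would be linked)


def _lp_str(s: bytes) -> bytes:
    """LengthPrefixedAnsiString: 4-byte length including the NUL, then the bytes and NUL.
    A zero length with no bytes encodes an empty string."""
    if not s:
        return struct.pack("<I", 0)
    return struct.pack("<I", len(s) + 1) + s + b"\x00"


def build_package_native(label: bytes, filename: bytes, payload: bytes) -> bytes:
    """Packager native data. Assumed layout (as parsed by oletools' OleNativeStream):
    Flags1, Label NUL, OrigPath NUL, Flags2, Unknown, TempPathLen, TempPath, DataSize, Data."""
    temp_path = filename + b"\x00"
    return (struct.pack("<H", 2) + label + b"\x00" + filename + b"\x00"
            + struct.pack("<HHI", 3, 0, len(temp_path)) + temp_path
            + struct.pack("<I", len(payload)) + payload)


def build_rtf(label: bytes, filename: bytes, payload: bytes) -> bytes:
    """Wrap the Package native data in an OLE 1.0 ObjectHeader and an RTF \\object group."""
    native = build_package_native(label, filename, payload)
    objdata = (struct.pack("<II", OLE_VERSION, FORMAT_EMBEDDED) + _lp_str(b"Package")
               + _lp_str(b"") + _lp_str(b"")            # TopicName, ItemName: empty
               + struct.pack("<I", len(native)) + native)
    hexdata = objdata.hex().encode()
    # WordPad wraps the hex; a scanner must tolerate the whitespace when decoding.
    lines = b"\n".join(hexdata[i:i + 80] for i in range(0, len(hexdata), 80))
    return (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\\f0 Please open the attached file:\\par\n"
            b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\n" + lines + b"\n}}\\par}")


OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)\}")


def _read_lp_str(buf: bytes, off: int):
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].rstrip(b"\x00"), off + n


def _read_cstr(buf: bytes, off: int):
    end = buf.index(b"\x00", off)
    return buf[off:end], end + 1


def parse_package_native(native: bytes):
    """Return (label, original filename, payload) from Packager native data."""
    off = 2                                   # skip Flags1
    label, off = _read_cstr(native, off)
    filename, off = _read_cstr(native, off)
    off += 4                                  # skip Flags2 and Unknown
    (tlen,) = struct.unpack_from("<I", native, off)
    off += 4 + tlen                           # skip TempPathLen and TempPath
    (size,) = struct.unpack_from("<I", native, off)
    off += 4
    return label, filename, native[off:off + size]


def extract_packages(rtf: bytes):
    """Find every embedded OLE 1.0 object in an RTF and report what a user cannot see."""
    found = []
    for m in OBJDATA_RE.finditer(rtf):
        raw = bytes.fromhex(re.sub(rb"\s+", b"", m.group(1)).decode())
        _version, fmt = struct.unpack_from("<II", raw, 0)
        if fmt != FORMAT_EMBEDDED:
            continue
        cls, off = _read_lp_str(raw, 8)
        _topic, off = _read_lp_str(raw, off)
        _item, off = _read_lp_str(raw, off)
        (nsize,) = struct.unpack_from("<I", raw, off)
        off += 4
        entry = {"class": cls.decode(errors="replace")}
        if cls == b"Package":
            label, filename, payload = parse_package_native(raw[off:off + nsize])
            entry.update({
                "label": label.decode(errors="replace"),
                "filename": filename.decode(errors="replace"),
                "size": len(payload),
                "is_pe": payload[:2] == b"MZ",          # DOS/PE executable magic
                # the displayed label claims a different extension than the real file
                "extension_spoofed": label.rsplit(b".", 1)[-1].lower()
                                     != filename.rsplit(b".", 1)[-1].lower(),
            })
        found.append(entry)
    return found


if __name__ == "__main__":
    fake_exe = b"MZ" + b"\x90" * 62          # constructed stand-in for an executable
    rtf = build_rtf(b"clickme.txt", b"clickme.exe", fake_exe)
    for obj in extract_packages(rtf):
        print(obj)
```

Note that a plain byte search of the RTF for "MZ" or "clickme.exe" finds nothing, because everything inside \objdata is hex-encoded; an engine that does not decode that destination never sees the payload, which is the gap the VirusTotal results expose.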

Now, it is generally accepted that security is a multi-layered approach. One of the key tenets of this philosophy is user education: adherence to best practices (some of us call it common sense) and awareness of social engineering attempts.

It is all very well and simple to teach users not to click on EXE files or to download programs without permission. Unfortunately, attack vectors like the above make it increasingly hard to properly educate your average well-meaning but non-technical user.

Do you have any suggestions on how to get your users to attain a satisfactory level of secure computing? Join the discussion.

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

8 comments
paulmah

Do you have any suggestions on how to get your users to attain a satisfactory level of secure computing?

apotheon

plain text

apotheon

Use a computing environment that doesn't auto-execute everything it touches.

paulmah

I took the original article with a huge pinch of salt, mainly because it originated from a well-known AV vendor! However, I think in this case, the point of using VirusTotal would be to illustrate the fact that many of the virus scanners do not scan embedded objects in RTF files by default. But even then, the main problem is not so much that, but the way many versions of Windows allow embedded executables to be run by double-clicking.

grax

I had checked their site from the link that you originally provided. That, in itself, was worth the effort. I didn't find the list of products used, but did find this: http://blog.hispasec.com/virustotal/22 It just goes to show that one shouldn't believe everything that appears on the WWW.

TechExec2

. A more accurate statement would read: [i]"...[This only affects Windows. Out of the various versions of Windows,] only Vista and Windows SP2 actually showed a warning and offered the option to abort. [The rest of them were silent and jumped at the chance to run another malware attack! Yahoo!].."[/i] Just having a little fun... :^0 P.S. How about that Maria Sharapova?!

grax

The original piece stated: "Only Vista and Windows SP2 actually showed a warning and offered the option to abort." This leads to the obvious conclusion that all other Operating Systems failed. Or perhaps they didn't bother trying out MacOSX or that other thing. What's it called? Something ending in "X"! (Just kidding.) It would also be nice to know which of the 30 AV programs failed. I didn't realise that there are so many to start with. Wow.