According to Vinoo Thomas of McAfee Avert Labs, there were numerous submissions of late consisting of executable files embedded within Rich Text Files as OLE objects.
In Rich Text Malware, Thomas shows how a malware could be secreted into a RTF file as a standard embedded object using nothing more than Windows WordPad.
His incredulity stems from the fact that out of 30 different antivirus scanners that he did a trial on using VirusTotal, a public antivirus scanning service, only 16 of them handled RTF correctly and detected the presence of his embedded EICAR test file. This is despite the fact that such RTF trickery is not considered particularly cutting-edge to say the least.
Still, I believe that any “real-time” or “on access” module of a good antivirus scanner would still have been able to have a go at the embedded file prior to actual execution. Personally, my real concern resides with what comes next.
With just some touches from Object Packager, the name of the embedded executable file can actually be renamed from say, clickme.exe to clickme.txt. According to Larry Seltzer of PCMag.com in his own tests (A Long-Ignored Vulnerability: RTF Files), only WordPad on Vista steadfastly showed the full filename for the executable that it was.
Whatever the case, a hapless user double-clicking on the embedded object will cause the program to execute. Only Vista and Windows SP2 actually showed a warning and offered the option to abort. Earlier versions of Windows simply ran the application, and potential malware, with no further notice.
Now, it is generally accepted that security is a multi-layered approach. Among one of the key tenants of this philosophy would be user education in the context of adherence to best practices (some of us call it common sense) and awareness of social engineering attempts.
It is all very well and simple to teach about “not clicking on EXE” files or “downloading any programs without permission.” Unfortunately, new attack vectors like the above makes it increasingly harder to properly educate your average well-meaning, but non-technical users.
Do you have any suggestions on how to get your users to attain a satisfactory level of secure computing? Join the discussion.