Saturday, June 23, 2007

Eye on malicious Office files

SANS-ISC had a post two weeks ago reminding readers about malicious Office files as a vector for system infection: Investigating and responding to suspicious Office files

The Office Problem

We all should know by now the danger of opening any unsolicited Office file that we get via email.  Office files themselves can be seeded with dangerous macros, and "regular" executable files can simply be renamed with a seemingly innocent ".doc, .xls, or .pps" file extension. When the recipient gets one of these via the inter-office email system, some might let their guard down and open it directly up. Thus a new trojan, virus or worm is born into a corporate or home system.

Hopefully, users are already under the protection of an enterprise-class anti-virus email scanning system on their mail servers.  This can also be mitigated further by running additional anti-virus software on the client workstations and setting the software to scan on file execution.

Per the SANS-ISC post, the approaches anti-virus vendors take to vary from scans for specific "payloaded" Office files to scans only when the infected code is executed.

I Spy...

Sysadmins and other support staff who have to contend with these files may want to consider looking for original "payloaded" files in a user's local email store if an infection has occurred recently on the system.

Besides scanning the system with the usual anti-virus tools, review any recently received attachment files.  Depending on the email system and company policy, you might need to extract them from the email client and save them to another location...say a temporary folder on the user's hard drive or...even better...a specially marked USB stick used just for potentially infected files.

Once extracted, the files should be scanned again with the anti-virus engine used by your organization.

You might also want to manually inspect the file structure as well of each file, just to very if it is a legit Office file or not.

Tools for the Responder

Some Windows compatible tools mentioned in the SANS-ISC post that can assist you with this inspection are:

OfficeCat (freeware) - "OfficeCat is a command line utility that can be used to process Microsoft Office Documents for the presence of potential exploit conditions in the file.  The tool is used on Windows systems and is provided as a binary executable."

STG: MFC Docfile Viewer (freeware) - "The STG application demonstrates how to browse OLE Structured Storage Files (DocFiles) using an MFC application. The application uses the CTreeView class to visually represent the structured storage."  This is a Microsoft utility that lets you peer into the structure of a doc file to see if you can validate it as a true doc file or if it comes up "hinky".

Microsoft Office Isolated Conversion Environment (Microsoft) - Also known as MOICE.  This tool works with Microsoft Office 2003 and 2007.  Once installed on a system, it converts "...the Office binary format files into the Office Open XML format. This process helps remove the potential threat that may exist if the document is opened in the binary format. Additionally, MOICE converts incoming files in an isolated environment. This helps protect the computer from a potential threat." 

It might not be a bad idea to consider adding this to high-volume email source points such as administrative assistants or other key organizational staff who receive and send Office documents from many inside and outside sources and users.  By increasing the document security processing level at a key distribution location in an organization, the impact of a vectored attack may be mitigated.

FileAlyzer (freeware) - This utility from the creators of Spybot Search and Destroy alloys you to select a target file then view the following information about it: general properties, version, embedded resources (bitmaps, icons, etc.), PE headers if present, section structures, hex dump data, image preview, text preview, ini contents, html preview, zip preview, (limited) database previews, media previews, and a few more things.  I use it often to get a first look at suspicious files that don't generate an "alert" in anti-virus/anti-malware programs.

HexView (freeware) - A tiny and simple little application that displays and prints any file as a hex-dump.  No bells and whistles.  Just pure and simple quick hex view.

One of my favorites is getting very hard to find in the Tubes: BinText is a freeware file to hex investigation tool written by Robert Keir.  It has since be passed on to Foundstone, but I am now unable to locate it on the Foundstone tools page.  There seem to be some download sites that claim to have it via a Google search...proceed with caution on the legitimacy of these sites and files. I'm glad I kept a copy around in my archives.

Strings v2.40 (freeware) - A Microsoft "Sysinternals" program.  "Strings just scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters."

Strings at a Glance and Say "Hello" to Didier!

One final blog post I found interesting while searching for the elusive "BinText" file was Didier Stevens post Viewing strings in executables.  Very quick but useful primer on strings in executable files.

Didier's blog was quite fascinating and had some great forensics-related posts.  I've added it to my RSS feed list!


No comments: