Message-ID: <1ec620e90612071621i4cb567c1l928b02d3518bdf80@mail.gmail.com>
Date: Thu, 7 Dec 2006 16:21:23 -0800
From: "Robert Kim Wireless Internet Advisor" <evdo.hsdpa@...il.com>
To: "Jan P. Monsch" <jan.monsch@...osion.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Some Thoughts about Office Open XML and Malware Detection

Jan,
Does full-disclosure need a digg.com style social news and voting
site? lemme know.. I'd be happy to build one for your community.
see: http://digg.com and
http://wimax-coverage.com
and
http://iptv-coverage.com
On 12/7/06, Jan P. Monsch <jan.monsch@...osion.com> wrote:
> Hi
>
> Last week I was googling around for comments and reactions to my
> report "Malware Detection Rate in Alternative Word Formats"
> (http://www.iplosion.com/archives/3) which was posted in the ISC diary on
> August 23rd, 2006 (http://isc.sans.org/diary.php?storyid=1630). To sum it up,
> there have not been a lot of reactions in magazines or the like, but it got at
> least the attention of the malware research community.
>
> There is this very interesting follow-up article from Christoph Alme in the
> October 2006 edition of the Virus Bulletin. The two-page article "Scanning
> Embedded Objects in Word XML Files"
> (http://www.securecomputing.com/pdf/CAlme_VBOct06.pdf) elaborates how
> AV products can identify embedded objects in Word XML files. He shows that
> XML documents can be manipulated slightly, within the flexibility offered in
> the XML standard, and still are considered valid Word documents. Using the
> same VirusTotal-based testing method as I did, he demonstrates that all
> existing AV products can be bypassed. As you might remember from my initial
> paper, there were only three AV products capable of finding embedded malware
> in my run-of-the-mill XML documents.
>
> So what does this tell us: The most likely reason is that these three virus
> scanners do not really understand the XML document format. They most likely have
> no XML parser integrated or the parser only implements the XML standard
> partially. This once again melts down to the conclusion that the decoding
> capability is the name of the game.
>
> Now let us speculate that AV products will integrate a complete
> off-the-shelf XML parser. Will this help? Well it will help to properly
> decode XML documents but it will most likely introduce new vulnerabilities
> in AV products so far unheard of. (Actually, my motivation for writing this
> article is to prevent AV vendors from releasing such broken products). Let us
> take XML external DTD references as an example. If the XML parsers are used
> in default configuration or are not configured properly, scanning an XML
> with an external reference will result in requests to external sites. That
> is nice. This would allow an attacker to track malware distribution or
> download additional exploit files to the scanning system.
>
> With the release of Office 2007 a couple of days ago, which will have the
> Office Open XML format as standard storage format, the urge for XML enabled
> AV products will grow. My retesting today shows that the detection rate of
> Netsky as an embedded object in an Office 2003 Word XML is still at the same
> level as 3 months ago. I fear that the AV industry is not quite yet ready to
> protect their customers against XML delivered attacks.
>
> Kind regards
> Jan P. Monsch
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
Robert Q Kim, Wireless Internet Provider
http://evdo-coverage.com/satellite-wireless-internet.html
http://evdo-coverage.com
2611 S. Pacific Coast Highway 101
Suite 203
Cardiff by the Sea, CA 92007
206 984 0880
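
Added example, not part of either message above: a scanner-side parse for the external DTD reference problem raised in the quoted post, using Python's standard expat binding to record external identifiers instead of resolving them. The sample document, the `tracker.example` host and the `scan_xml` name are constructed for illustration.

```python
import xml.parsers.expat

# Constructed sample: the DOCTYPE and one entity point at a remote host.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE doc SYSTEM "http://tracker.example/beacon.dtd" [
  <!ENTITY ext SYSTEM "http://tracker.example/payload.txt">
  <!ENTITY local "inline text">
]>
<doc><body>&local; &ext;</body></doc>"""


def scan_xml(data: bytes) -> dict:
    """Parse fully offline and report every external reference the file declares."""
    report = {"external_refs": [], "unresolved": [], "text": []}
    parser = xml.parsers.expat.ParserCreate()
    # Never read the external DTD subset or external parameter entities.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:
            report["external_refs"].append(("doctype", system_id or public_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if value is None:  # external entity: declared by identifier, not by value
            report["external_refs"].append(("entity " + name, system_id))

    def on_external_ref(context, base, system_id, public_id):
        # Record the reference and keep parsing; nothing is opened or fetched.
        report["unresolved"].append(system_id)
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = report["text"].append
    parser.Parse(data, True)
    report["text"] = "".join(report["text"]).strip()
    return report


if __name__ == "__main__":
    print(scan_xml(SAMPLE))
```

A non-empty `external_refs` list is a useful signal on its own: the scanner can flag or quarantine the file without ever contacting the referenced host.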