WatchGuard Technologies, Inc.
WatchGuard Wire
Improve Your Security IQ

Unsolicited "benign" documents can carry embedded malware

Last week, two people I work with asked me about suspicious emails they received. The two emails looked quite different. However, they both used a similar trick to try to entice my co-workers into installing malware. Specifically, they both embedded their malicious executable into seemingly benign documents.

One of the emails contained a Rich Text Format (.RTF) document while the other had a standard Word (.DOC) document. If you opened either document, you'd see a bit of text asking you to double-click an icon. In one case the icon looked like a PDF file; in the other, it looked like a ZIP file. But in both cases, the icons hid a malicious executable file that installed a trojan or keylogger.

This little embedded executable trick isn't really new, but it seems to be making a comeback. Attackers use a legitimate Microsoft tool called Object Packager to embed malicious content into documents. This trick helps attackers in at least three ways:

  1. Many people trust Word and RTF documents and don't expect them to contain malware, so they are more likely to interact with these documents, even when they arrive from unknown sources.
  2. Administrators usually don't block these types of documents since users need them. Malware hiding in documents usually makes it past firewalls and gateway content filters.
  3. Finally, many antivirus (AV) products have trouble spotting malware embedded in some types of documents (see this McAfee post about malware in RTF files).
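As an added example (not code from the original article or from WatchGuard), here is a defender-side check for the Object Packager trick described above: it walks the `\objdata` blobs in an RTF, decodes the OLE1 object header, and for "Package" objects pulls out the label shown under the icon and the original filename so that an executable hiding behind a "PDF" or "ZIP" icon can be flagged before a user ever sees it. The Packager payload layout (two-byte header followed by NUL-terminated label and original path), the extension list and the sample RTF are all assumptions constructed for this example.

```python
import re
import struct

# File types an icon disguised as a "PDF" or "ZIP" commonly hides (constructed list, not exhaustive)
RISKY_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar", ".hta")
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")

def _lp_ansi(buf, off):
    """Read an OLE1 LengthPrefixedAnsiString: 4-byte length, then bytes ending in NUL."""
    n, = struct.unpack_from("<I", buf, off)
    return buf[off + 4:off + 4 + n].rstrip(b"\x00").decode("latin-1"), off + 4 + n

def parse_objdata(hexblob):
    """Decode one \\objdata blob: OLE1 ObjectHeader, then the Packager payload for 'Package'."""
    raw = bytes.fromhex(re.sub(rb"\s", b"", hexblob).decode())
    _ole_version, format_id = struct.unpack_from("<II", raw, 0)
    class_name, off = _lp_ansi(raw, 8)
    _topic, off = _lp_ansi(raw, off)
    _item, off = _lp_ansi(raw, off)
    info = {"class": class_name, "format_id": format_id, "label": "", "path": ""}
    if class_name == "Package" and format_id == 2:          # FormatID 2 = embedded object
        size, = struct.unpack_from("<I", raw, off)
        native = raw[off + 4:off + 4 + size]
        # Assumed Packager layout: 2-byte header, NUL-terminated label, NUL-terminated original path,
        # then the file contents and bookkeeping fields this check does not need.
        parts = native[2:].split(b"\x00", 2)
        info["label"] = parts[0].decode("latin-1")
        info["path"] = parts[1].decode("latin-1") if len(parts) > 1 else ""
    return info

def scan_rtf(rtf_bytes):
    """One finding per embedded object; risky=True when a Package wraps an executable type."""
    findings = []
    for m in OBJDATA_RE.finditer(rtf_bytes):
        info = parse_objdata(m.group(1))
        name = (info["path"] or info["label"]).lower()
        info["risky"] = info["class"] == "Package" and name.endswith(RISKY_EXT)
        findings.append(info)
    return findings

def _lp(s):
    b = s.encode("latin-1") + b"\x00"
    return struct.pack("<I", len(b)) + b

def make_sample_rtf(label, path, payload=b"MZ-not-a-real-program"):
    """Constructed test input: a minimal RTF carrying one Object Packager embed of `path`."""
    native = b"\x02\x00" + label.encode() + b"\x00" + path.encode() + b"\x00" + payload
    ole1 = (struct.pack("<II", 0x501, 2) + _lp("Package") + _lp("") + _lp("")
            + struct.pack("<I", len(native)) + native)
    return b"{\\rtf1{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata " + ole1.hex().encode() + b"}}}"
```

Running `scan_rtf(make_sample_rtf("invoice.pdf", "C:\\Users\\victim\\invoice.pdf.exe"))` yields one finding with `risky` set, which a mail gateway can use to quarantine the attachment regardless of whether AV recognises the payload.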

I have been seeing a lot more malware delivered using this document embedding trick. Since the trick allows malware to sneak past many AV filters, it's up to your users to defend themselves against this type of attack. I suggest you inform them that attackers can embed malware into documents. Even a user with no technical understanding can grasp these two tips: 1) Avoid opening unsolicited documents; 2) If you do happen to open a suspicious document, never double-click on any icons within it without first verifying the authenticity of the document with its alleged sender. -- Corey Nachreiner, CISSP

Copyright © 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.