Alternative Word Formats

Discussion in 'NOD32 version 2 Forum' started by minerat, Aug 23, 2006.

Thread Status:
Not open for further replies.
  1. minerat

    minerat, Registered Member (joined Oct 21, 2005; 14 posts)
    http://isc.sans.org/diary.php?storyid=1630

    Discusses embedding an eicar test file inside of a word doc and saving it in different formats. Multiple vendors flag the resulting file, but NOD32 does not. I'm unsure exactly how this payload would get executed, but if it was being transferred by malware, it certainly appears to be a vector that wouldn't raise any flags even with known bad code.

    I tested with .doc & xml, confirming that the eicar test string was embedded in the files and it passed through on demand scanner without any problems. This kind of obfuscation seems all the more pertinent in light of - http://isc.sans.org/diary.php?storyid=1617
     
  2. NOD32 user

    NOD32 user, Registered Member (joined Jan 23, 2005; 1,766 posts; location: Australia)
    Interesting, but I don't see that it's a problem.

    Thanks for the article and the link. :)

    Cheers :)
     
  3. minerat

    I don't know about that. Given the recent flaws in various ms office applications allowing for the execution of embedded content, shouldn't NOD32 at least be able to detect known bad code embedded inside of office documents before it is opened and the payload executes?

    Security Focus has a decent writeup about the office flaws.
    http://www.securityfocus.com/infocus/1874
     
  4. NOD32 user

    Maybe it would be different if the eicar string was configured in the document so as to execute by taking advantage of one of the vulnerabilities when the document was accessed. Until the eicar string is in an executable state it is just a string of ascii characters in a file that does nothing. There's one good reason for it not being detected by NOD32 right there.

    Can anybody see the posts recently that mentioned NOD32 covering these MS vulnerabilities?
    If I can find them I'll link to them here.

    EDIT: here are two of them: here and here.
    Here's one covering the WMF vulnerability, which is related - there are more going back further covering pretty much everything.

    Don't forget that just because others choose to add the capability of certain detections (such as eicar or similar in a non-functional state inside a word document) that doesn't mean the detection is necessary for your protection with NOD32.

    And thanks for the link to the Security Focus article - they do go into a lot of detail :)

    Cheers :)
     
    Last edited: Aug 24, 2006
  5. minerat

    Regarding your first point about it not being in an executable state - NOD32 detects the string in a simple text file. It's not in an executable state there, yet it's flagged.

    I wasn't clear in my initial post, but my test was with the dos executable version of the eicar test file as an embedded object in word. That still isn't detected. Amon flags it when executed, but DMON & IMON/EMON (depending on how the file was received) should catch it as well. It's conceivable someone could unknowingly pass an infected document on via email if they never opened it.

    Good on the other links, I wasn't aware of the generic proactive patch. I'm curious as to whether it protects from this whole class of vulnerabilities that seem to be popping up or was just any implementation of the specific vulnerability.
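    The point minerat raises above is that a known-bad object can sit inside an Office container and pass a scanner that only looks at the raw bytes. The following is an added example written for this thread, not code from the original posts or from ESET: it builds two constructed stand-in containers (a Word 2003-style XML file that carries the embedded object as a base64 blob, which is how that format stores binary parts, and a DOCX-style zip with the object under word/embeddings/) and compares a naive byte-match scan with a container-aware scan that recurses into base64 blobs and zip members. The element name w:binData, the file paths and the sample document text are assumptions made for the example; the EICAR string is the published, harmless test string.

```python
import base64
import io
import re
import zipfile

# Published EICAR test string; harmless by design, used only to exercise scanners.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Recursion limit so a nested container cannot make the scanner loop forever.
MAX_DEPTH = 4


def build_word_xml(payload: bytes) -> bytes:
    """Constructed stand-in for a Word 2003 XML document (not a real file).
    The embedded object is carried as a base64 blob, the way w:binData does."""
    blob = base64.b64encode(payload).decode()
    return (
        '<?xml version="1.0"?>'
        '<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">'
        "<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body>"
        f'<w:binData w:name="oledata.mso">{blob}</w:binData>'
        "</w:wordDocument>"
    ).encode()


def build_docx(payload: bytes) -> bytes:
    """Constructed stand-in for a DOCX package: a zip with the object stored
    (deflated) as a separate member under word/embeddings/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/embeddings/oleObject1.bin", payload)
    return buf.getvalue()


def naive_scan(data: bytes) -> bool:
    """What a scanner that only matches raw bytes sees."""
    return EICAR in data


def deep_scan(data: bytes, depth: int = 0) -> bool:
    """Container-aware scan: match the raw bytes, then decode any base64
    blobs and any zip members and scan those recursively."""
    if depth > MAX_DEPTH:
        return False
    if EICAR in data:
        return True

    # Base64 blobs: long runs of the base64 alphabet with optional padding.
    for m in re.finditer(rb"[A-Za-z0-9+/]{40,}={0,2}", data):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except (ValueError, TypeError):
            continue  # not valid base64; skip
        if deep_scan(decoded, depth + 1):
            return True

    # Zip-based containers (DOCX, XLSX, PPTX): scan every member.
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for name in z.namelist():
                    if deep_scan(z.read(name), depth + 1):
                        return True
        except zipfile.BadZipFile:
            pass
    return False


def compare(payload: bytes = EICAR) -> dict:
    """Run both scanners over both constructed containers."""
    xml_doc = build_word_xml(payload)
    docx = build_docx(payload)
    return {
        "xml_naive": naive_scan(xml_doc),
        "xml_deep": deep_scan(xml_doc),
        "docx_naive": naive_scan(docx),
        "docx_deep": deep_scan(docx),
    }


if __name__ == "__main__":
    for name, hit in compare().items():
        print(f"{name:11s} -> {'detected' if hit else 'missed'}")
```

    The naive scan misses the XML form because base64 never contains the original byte sequence; the deep scan finds the object in both containers once it decodes the blob or reads the zip member. Real engines do this kind of unpacking with format parsers rather than a base64 regex, but the difference in outcome is the same one the thread is discussing.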
     
  6. NOD32 user

    I understand now, but your test file lacks a mechanism to trigger execution, which I believe would be detected proactively; otherwise the file must first be extracted, in which case it is definitely detected.
    I believe the purpose of it is to cover the whole class, since there are a limited number of mechanisms by which they can be implemented. Still, it is not impossible that there would be some way that is not presently detected, which would be added with the appropriate priority once it became known.

    Cheers :)
     