Paul Baccas (Independent researcher)
Vanja Svajcer (Sophos)
Over the last few years, Microsoft Office viruses have become a thing of the past; today Office files are generally seen as a delivery method for targeted attacks that exploit vulnerabilities. Features of the file formats make obfuscating these targeted attacks easy, and detecting them hard.
Targeted attacks like 'Red October' and 'FakeM' relied on three different Microsoft vulnerabilities. Two of them, CVE-2009-3129 and CVE-2010-3333, posed challenges for detection development and have been discussed previously. However, the third, CVE-2012-0158, is quite different. The exploit itself could be in either a Word or an Excel document, but the delivery method could be a Word, Excel or, more commonly, RTF file. Digging through this complexity requires a strong understanding of RTF and OLE2, as well as all points in between.
This paper will document some pitfalls of the file formats that make detection problematic, with particular attention placed on the small percentage (less than 1%) of CVE-2012-0158 samples associated with high-profile attacks.
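The abstract notes that an RTF file is the most common wrapper for the Office exploit and that the format's features make detection hard. The following is an added example, not code from the paper or its authors, showing the one RTF/OLE2 relationship a detection engineer has to handle first: an RTF file carries an embedded Office object as hex text inside a `{\*\objdata ...}` group, and RTF permits that hex to be broken up by arbitrary whitespace and line breaks, so a scanner must normalise it before it can look for the OLE2 compound-document signature (`D0 CF 11 E0 A1 B1 1A E1`). The sample RTF is constructed, contains only the signature plus filler bytes, and is not a real Office object; the `\objdata` payload in real files is usually preceded by an OLE 1.0 object header, which is why the code searches for the signature rather than comparing it at offset 0. The regex assumes no nested braces inside the `\objdata` group.

```python
import re

# Constructed sample: a minimal RTF document embedding an OLE object via \objdata.
# The hex payload is deliberately split across spaces, tabs and a line break,
# as RTF allows and as obfuscated samples do. It holds only the 8-byte OLE2
# compound-document signature plus eight filler bytes; it is not a real object.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0 {\fonttbl{\f0 Calibri;}}"
    r"\pard Some text.\par"
    r"{\object\objemb{\*\objclass Word.Document.8}"
    "{\\*\\objdata d0cf 11e0\r\n a1b1 1ae1 00000000 \t 0000 0000}}"
    r"\par}"
)

# Signature at the start of every OLE2 (compound file binary) container.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# Captures the body of each {\*\objdata ...} group. Assumes no nested braces
# inside the group, which holds for the plain hex payloads RTF writers emit.
OBJDATA_RE = re.compile(r"\{\\\*\\objdata(.*?)\}", re.DOTALL)


def extract_objdata(rtf_text: str) -> list[bytes]:
    """Return the decoded binary payload of every \\objdata group in the RTF text."""
    payloads = []
    for m in OBJDATA_RE.finditer(rtf_text):
        # RTF lets the hex be interleaved with whitespace and newlines, so keep
        # only hex digits before decoding. A dangling odd nibble is dropped.
        hexdigits = re.sub(r"[^0-9a-fA-F]", "", m.group(1))
        if len(hexdigits) % 2:
            hexdigits = hexdigits[:-1]
        payloads.append(bytes.fromhex(hexdigits))
    return payloads


def find_ole2_objects(rtf_text: str) -> list[int]:
    """For each \\objdata payload, return the offset of the OLE2 signature, or -1.

    The signature is searched for rather than checked at offset 0 because the
    payload normally starts with an OLE 1.0 object header before the container.
    """
    return [payload.find(OLE2_MAGIC) for payload in extract_objdata(rtf_text)]


def scan_rtf(rtf_text: str) -> dict:
    """Summarise what a detection engine wants to know about an RTF file:
    how many embedded objects it carries and how many of them are OLE2 containers."""
    offsets = find_ole2_objects(rtf_text)
    return {
        "objdata_groups": len(offsets),
        "ole2_containers": sum(1 for o in offsets if o >= 0),
    }


if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))
```

Normalising the hex first is the essential step: a signature match run over the raw RTF text would miss the sample above, because the bytes of the signature are separated by whitespace. A full scanner would go on to parse the OLE2 container it has recovered and hand the embedded Word or Excel document to the detection logic for the vulnerability itself, which is where the paper picks up.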
VB2013 takes place 2-4 October 2013 in Berlin, Germany.
The full programme for VB2013, including abstracts for each paper, can be viewed here.