- Jun 24, 2016
- 636
Macro Intruders: Sneaking Past Office Defenses-
INTRODUCTION
Macros have been used since the mid 1990s to spread malware and infect systems. Increased user awareness of the need to disable the macro function within Microsoft Word during the late 90s and early 2000s sent these malware into decline. However, a change in Microsoft (MS) Office file formats dating from 2007 is now being actively exploited to hide the presence of macros and distribute malware at an increasing rate.
In this article, I show how MS Office file formats are being abused and obfuscated, and the extent of distribution of macro malware.
WHAT DO YOU MEAN BY MACROS IN DOCUMENT FILES?
Microsoft Office offers Visual Basic for Applications as a fully functional programming language that can be embedded within files to provide task automation. This functionality was abused by self-propagating viruses, such as Melissa in the late 1990s, leveraging the power of macro functionality with the default behavior of execution.
Beginning with MS Office 2003, this behavior was curtailed with macro execution being disabled by default and GUI pop-ups informing users when macros are present. MS Office 2007 took a gigantic step forward in macro protection by having the default MS Word document file format unable to support macros. To achieve this, Microsoft introduced four separate file formats based on the OfficeOpen XML standard:
File Extension / File Type / Macros Permitted
DOCX / compressed document / No
DOTX / compressed template / No
DOCM / compressed document / Yes
DOTM / compressed template / Yes
Unlike Unix-based operating systems that inspect the file contents to determine the file type, MS Windows uses file extension, i.e. the characters following the list ‘.’ as the basis to determine which application will open a file when the file is clicked. When MS Office is installed, it associates itself with the above extensions. Thus, all of the the above file types will be opened by MS Word when clicked.
DOCX - THERE ARE NO MACROS HERE!
DOC files, used by MS Word prior to MS Office 2007 allowed numerous components, including macros, to be embedded within the document. Users couldn’t be certain that a document was safe before opening the file. The OfficeOpen XML (OOXML) standard integrated in MS Office 2007 removed this ambiguity. Each of these file formats are zip archives that include XML files according to a common layout.
The [Content_Types].xml component, found within the archive, provides the MIME type information for the other components within the file. Each of the four file formats supported by MS Word have unique MIME types. Only two, those associated with DOCM and DOTM, can save or run macros. If the Content_Types component asserts the MIME type for DOCX or DOTX then MS Word will not save or run macro code.
CAN I JUST RENAME MY DOCX TO DOCM TO ADD MACRO CODE?
One might reasonably ask if a DOCX can have macros added if the file is renamed to a DOCM. OOXML file formats are checked for filename extension - MIME type agreement, thus the answer is ‘No’.
When Microsoft Word begins to open a document the filename is checked to see if the document is an OOXML file. Opening a false DOCM file will cause an error popup due to incorrect MIME type for DOCX being found inside the file data.
File Extension / Mime Type
DOCX / application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml
DOCM / application/vnd.ms-word.document.macroEnabled.main+xml
DOTX / application/vnd.openxmlformats-officedocument.wordprocessingml.template.main+xml
DOTM / application/vnd.ms-word.template.macroEnabledTemplate.main+xml
SO OOXML DOCUMENTS WITH MACROS MUST BE NAMED DOCM?
In general, MS Word opens files based on the file data, not based on the file name extension. So long as MS Word can identify the data structure, it will open the file correctly. If a file is identified as a MS Office 2007 file, the file must internally present with the proper MIME type or it will cause a validation failure and the file will not open.
OOXML file types are validated by the MS Office component WWLIB.DLL, which confirms the MIME type of the file is as expected. When the file extension does not hint at a OOXML file type this step of validation always passes, even if the MIME type is actually OOXML. This means an OOXML document with macros included (DOCM or DOTM) will load successfully if it has a different filename extension. This is true even if OOXML files have non-OOXML file extensions, so long as MS Word is registered to handle the format.
Hence, DOCM files containing embedded macros can be disguised as other file formats by changing the file extension. For example, the RTF file format does not support MS Office macro code, but a DOCM file renamed to RTF will open within MS Office and can run embedded macro code. This tactic is currently being exploited in the wild.
Naive File Data Identification and OOXML
In May 2016, we started seeing samples send with DOC, RTF, and DOT extensions, although the underlying MIME type was actually application/vnd.ms-word.template.macroEnabledTemplate.main+xml, or DOTM. Naively identifying the file type programmatically revealed “Microsoft Word 2007+” , so they were executed as a DOCX file. These samples did not display their malicious behavior, they just caused pop-up error boxes.
WHY WOULD YOU TELL ME ALL THIS?
These Attacks are in the Wild
Talos has been tracking the appearance of these Macro-Enabled Templates (referred to in this section as DOTM) files and has seen a rapid increase in the deployment rate over the past months. We have collected every DOTM discovered between March 18 and July 13 and inspected the macro payload. The analysis revealed a pattern of machine obfuscated macros being reused across the documents.
Once the collision was discovered, the macro collisions occurring in at least four distinct DOTM files were pulled out for further inspection. This accounted for a whopping 64% of all DOTMs discovered over a four month period.
Continue reading at the link at the top of the page
INTRODUCTION
Macros have been used since the mid 1990s to spread malware and infect systems. Increased user awareness of the need to disable the macro function within Microsoft Word during the late 90s and early 2000s sent these malware into decline. However, a change in Microsoft (MS) Office file formats dating from 2007 is now being actively exploited to hide the presence of macros and distribute malware at an increasing rate.
In this article, I show how MS Office file formats are being abused and obfuscated, and the extent of distribution of macro malware.
WHAT DO YOU MEAN BY MACROS IN DOCUMENT FILES?
Microsoft Office offers Visual Basic for Applications as a fully functional programming language that can be embedded within files to provide task automation. This functionality was abused by self-propagating viruses, such as Melissa in the late 1990s, leveraging the power of macro functionality with the default behavior of execution.
Beginning with MS Office 2003, this behavior was curtailed with macro execution being disabled by default and GUI pop-ups informing users when macros are present. MS Office 2007 took a gigantic step forward in macro protection by having the default MS Word document file format unable to support macros. To achieve this, Microsoft introduced four separate file formats based on the OfficeOpen XML standard:
File Extension / File Type / Macros Permitted
DOCX / compressed document / No
DOTX / compressed template / No
DOCM / compressed document / Yes
DOTM / compressed template / Yes
Unlike Unix-based operating systems that inspect the file contents to determine the file type, MS Windows uses file extension, i.e. the characters following the list ‘.’ as the basis to determine which application will open a file when the file is clicked. When MS Office is installed, it associates itself with the above extensions. Thus, all of the the above file types will be opened by MS Word when clicked.
DOCX - THERE ARE NO MACROS HERE!
DOC files, used by MS Word prior to MS Office 2007 allowed numerous components, including macros, to be embedded within the document. Users couldn’t be certain that a document was safe before opening the file. The OfficeOpen XML (OOXML) standard integrated in MS Office 2007 removed this ambiguity. Each of these file formats are zip archives that include XML files according to a common layout.
The [Content_Types].xml component, found within the archive, provides the MIME type information for the other components within the file. Each of the four file formats supported by MS Word have unique MIME types. Only two, those associated with DOCM and DOTM, can save or run macros. If the Content_Types component asserts the MIME type for DOCX or DOTX then MS Word will not save or run macro code.
CAN I JUST RENAME MY DOCX TO DOCM TO ADD MACRO CODE?
One might reasonably ask if a DOCX can have macros added if the file is renamed to a DOCM. OOXML file formats are checked for filename extension - MIME type agreement, thus the answer is ‘No’.
When Microsoft Word begins to open a document the filename is checked to see if the document is an OOXML file. Opening a false DOCM file will cause an error popup due to incorrect MIME type for DOCX being found inside the file data.
File Extension / Mime Type
DOCX / application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml
DOCM / application/vnd.ms-word.document.macroEnabled.main+xml
DOTX / application/vnd.openxmlformats-officedocument.wordprocessingml.template.main+xml
DOTM / application/vnd.ms-word.template.macroEnabledTemplate.main+xml
SO OOXML DOCUMENTS WITH MACROS MUST BE NAMED DOCM?
In general, MS Word opens files based on the file data, not based on the file name extension. So long as MS Word can identify the data structure, it will open the file correctly. If a file is identified as a MS Office 2007 file, the file must internally present with the proper MIME type or it will cause a validation failure and the file will not open.
OOXML file types are validated by the MS Office component WWLIB.DLL, which confirms the MIME type of the file is as expected. When the file extension does not hint at a OOXML file type this step of validation always passes, even if the MIME type is actually OOXML. This means an OOXML document with macros included (DOCM or DOTM) will load successfully if it has a different filename extension. This is true even if OOXML files have non-OOXML file extensions, so long as MS Word is registered to handle the format.
Hence, DOCM files containing embedded macros can be disguised as other file formats by changing the file extension. For example, the RTF file format does not support MS Office macro code, but a DOCM file renamed to RTF will open within MS Office and can run embedded macro code. This tactic is currently being exploited in the wild.
Naive File Data Identification and OOXML
In May 2016, we started seeing samples send with DOC, RTF, and DOT extensions, although the underlying MIME type was actually application/vnd.ms-word.template.macroEnabledTemplate.main+xml, or DOTM. Naively identifying the file type programmatically revealed “Microsoft Word 2007+” , so they were executed as a DOCX file. These samples did not display their malicious behavior, they just caused pop-up error boxes.
WHY WOULD YOU TELL ME ALL THIS?
These Attacks are in the Wild
Talos has been tracking the appearance of these Macro-Enabled Templates (referred to in this section as DOTM) files and has seen a rapid increase in the deployment rate over the past months. We have collected every DOTM discovered between March 18 and July 13 and inspected the macro payload. The analysis revealed a pattern of machine obfuscated macros being reused across the documents.
Once the collision was discovered, the macro collisions occurring in at least four distinct DOTM files were pulled out for further inspection. This accounted for a whopping 64% of all DOTMs discovered over a four month period.
Continue reading at the link at the top of the page
