Monday, December 2, 2013

Detections for MS Office Packaged CVE-2013-3906 Before 0-Day?

I know, you’re waiting anxiously to read the next part of the “Advanced Enterprise Detection Capabilities” mini-series... This post is going to be a quick deviation (although somewhat related, as the topic is a specific detection capability), since timing is semi-relevant. Don’t worry though, I will continue the exciting series after this quick post.


This post is going to be a quick and dirty “Did You Know” [you had detections for the MS Office XML format packaged TIFF exploit before the exploit ever left the author’s mailbox]? Very few, if any, antivirus solutions (at least that I know of) had detections for the exploit packaged in the MS Office XML format (Office 2007 and newer formatted files). I have a couple of variants, and all of them were ‘detected’ with this tool. So you ask, “How did I already have detections?” Well, there is a tool called OfficeMalScanner, written by Frank Boldewin. It was initially written to parse MS Office OLE format files (Office 2003 and older formatted files) and scan them for malicious traces, like shellcode heuristics, PE files or embedded OLE streams. One of its lesser known or used capabilities is signature detection in arbitrary binary and PE files. So let's learn a little bit about it.

Below are the quick steps I went through that allowed me to detect or identify a file that (after additional in depth analysis) was malicious (realizing that AV software did not detect this file as malicious). It’s important to note that I am not going to analyze the shellcode or the exploit details, but instead, identify the detection that OfficeMalScanner alerted on with this file.

The file that we will analyze with OfficeMalScanner is a Microsoft Office XML (.docx) formatted document exploiting CVE-2013-3906. The filename is "IMEI.docx" with an MD5 hash of b44359628d7b03b68b41b4536314083.


The first command to run when looking at an MS Office file:

$ wine OfficeMalScanner.exe IMEI.docx scan


Next, let's inflate (unzip) the file:


$ wine OfficeMalScanner.exe IMEI.docx inflate

Notice that the tool identified at least one “.bin” file. Let's run the tool against this binary file (which in our case is in the activeX folder) with the command below:


$ wine OfficeMalScanner.exe activex.bin scan brute
       
Notice that all of the found signatures start with “FS:[30] (Method 4) ...”. This is a code signature that attempts to locate EIP (a technique shellcode uses to figure out its effective address once loaded into memory). OfficeMalScanner doesn’t detect the actual vulnerability in the rendering of the TIFF file; it detects the heap-spray shellcode embedded in the ActiveX file. So, indirectly, OfficeMalScanner would have identified this document as malicious.

A useful built-in capability of OfficeMalScanner is that it provides a malicious index rating. This is based on the types of detections the tool alerted on: the higher the number, the higher the probability that the file is malicious. I want you to realize that I am using this tool as a detection capability, not an analysis capability. The fact that the tool reports that the file seems to be malicious should be treated as an “indicator” that the file “could” be malicious. When an index threshold is met (you need to do some testing to see what makes sense in your environment), the analyst then knows that the file requires additional in-depth analysis. This method could be used as an alerting mechanism that weeds possibly malicious files out from non-malicious files. For purposes of this post, I am not going to provide my analysis of this shellcode or the entire staged exploit process. [I promise to have future posts that provide this type of detail.]

OfficeMalScanner is a very effective tool at identifying malicious data within the older OLE Office format and also, as we’ve just learned, at detecting malicious traces within binary or ActiveX files. As an added capability for your enterprise, I would recommend that you automate the scanning of all MS Office email attachments with OfficeMalScanner (at the very least). To do this, two tasks would need to be engineered. The first task involves finding a way to get all MS Office files into a place where OfficeMalScanner can scan them (in an automated fashion). (Note from the author: OfficeMalScanner is written in C and could potentially be exploited itself; run this tool in a secure/safe environment.) The second task is creating a “wrapper” for OfficeMalScanner that runs all of the commands I manually typed out above automatically against every MS Office file (XML and OLE formats) and every embedded binary or Office file within.
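A wrapper of the kind just described, as an added example (it is not OfficeMalScanner’s own code, nor the author’s): it runs the scan step over every Office file in a directory, the “scan brute” step over every binary embedded in an XML-format document, and turns the malicious index into a threshold alert. It assumes the scanner is invoked through wine as on this page, uses unzip in place of the tool’s own inflate so the extraction directory is under our control, and the regular expression that picks up the malicious index line is an assumption to verify against your copy’s actual output.

```shell
#!/bin/sh
# Added wrapper (not part of OfficeMalScanner): scan every Office file under a
# directory, unzip each OOXML one and "scan brute" every embedded binary, and
# flag files whose malicious index reaches a tunable threshold.
# ASSUMPTIONS: OMS is how the scanner is invoked here (wine); unzip stands in
# for the tool's "inflate"; the index regex in parse_index must be verified.
OMS="${OMS:-wine OfficeMalScanner.exe}"
THRESHOLD="${THRESHOLD:-10}"   # placeholder value; tune per environment as the post says
# office_format FILE -> ooxml | ole | other, decided by the first four magic bytes
office_format() {
    case "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" in
        504b0304) echo ooxml ;;   # PK zip container: .docx/.xlsx/.pptx
        d0cf11e0) echo ole ;;     # OLE2 compound file: .doc/.xls/.ppt
        *)        echo other ;;
    esac
}
# parse_index <scanner output on stdin> -> highest malicious index seen, else 0
parse_index() {
    grep -oiE 'malicious index *=? *[0-9]+' | grep -oE '[0-9]+$' |
        awk '{ if ($1 + 0 > m) m = $1 + 0 } END { print m + 0 }'
}
# over_threshold INDEX -> true when the file deserves in-depth analysis
over_threshold() { [ "$1" -ge "$THRESHOLD" ]; }
# scan_one FILE MODE -> run the scanner in MODE ("scan" or "scan brute"); $2 unquoted on purpose
scan_one() { $OMS "$1" $2 2>/dev/null | parse_index; }
# scan_office FILE -> index for the document and, for OOXML, for its embedded parts
scan_office() {
    local f="$1" max tmp part sub
    max=$(scan_one "$f" scan)
    if [ "$(office_format "$f")" = ooxml ]; then
        tmp=$(mktemp -d)
        unzip -qq -o "$f" -d "$tmp" 2>/dev/null || true
        # activeX*.bin, oleObject*.bin and embedded OLE documents all get "scan brute"
        find "$tmp" -type f \( -name '*.bin' -o -name '*.doc' -o -name '*.xls' \) > "$tmp.lst"
        while IFS= read -r part; do
            sub=$(scan_one "$part" "scan brute")
            if [ "$sub" -gt "$max" ]; then max=$sub; fi
        done < "$tmp.lst"
        rm -rf "$tmp" "$tmp.lst"
    fi
    echo "$max"
}
# scan_dir DIR -> one "<index> <verdict> <file>" line per Office file found
scan_dir() {
    find "$1" -type f \( -name '*.doc*' -o -name '*.xls*' -o -name '*.ppt*' \) |
    while IFS= read -r f; do
        idx=$(scan_office "$f")
        if over_threshold "$idx"; then echo "$idx REVIEW $f"; else echo "$idx ok $f"; fi
    done
}
if [ -n "${1:-}" ]; then scan_dir "$1"; fi
```

Files marked REVIEW are the ones that, in the post’s terms, met the index threshold and need an analyst’s in-depth look.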