Slashdot Mirror


Malware Evades Detection By Counting Word Documents (threatpost.com)

"Researchers have found a new strain of document-based macro malware that evades discovery by lying dormant when it detects a security researcher's test environment," reports Threatpost, The Kaspersky Lab security news service. Slashdot reader writes: Once a computer is compromised, the malware will count the number of Word documents stored on the local drive; if it's more than two, the malware executes. Otherwise, it figures it's landed in a virtual environment or is executing in a sandbox and stays dormant.

A typical test environment consists of a fresh Windows computer image loaded into a VM. The OS image usually lacks documents and other telltale signs of real world use [according to SentinelOne researcher Caleb Fenton]. If no Microsoft Word documents are found, the VBA macro's code execution terminates, shielding the malware from automated analysis and detection. Alternately, if more than two Word documents are found on the targeted system, the macro will download and install the malware payload.

70 comments

  1. Easy solution to avoid this malware... by Anonymous Coward · · Score: 4, Insightful

    Don't use Word.

    1. Re:Easy solution to avoid this malware... by Anonymous Coward · · Score: 1

      Disable macros. Allowing macros to do things that are harmful is a massive design flaw.

    2. Re: Easy solution to avoid this malware... by Billly+Gates · · Score: 5, Insightful

      Even if you use LibreOffice I am sure you have word and excel documents lying around. If you do real work or a college student you are going to be emailed office documents.

    3. Re: Easy solution to avoid this malware... by Anonymous Coward · · Score: 0

      You'd be surprised. On my home comp I have absolutely NO excel or word documents. I have a limited number of pdfs if it was looking for those, but for the most part I simply don't have a need to use Word or even Libre Office.

    4. Re: Easy solution to avoid this malware... by KiloByte · · Score: 1

      [~]$ find -iname '*.doc' -o -iname '*.docx'|wc -l
      72

      I don't even have any form of office (libre, open or ms) installed.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    5. Re: Easy solution to avoid this malware... by sound+vision · · Score: 5, Insightful

      Have you taken a college course or had to deal in a "business-to-business" interaction at all in the past 15 years? They all use the MS Word document format. I took college courses from 2007-2012 at several campuses, of course with different professors... They pretty much all used Word documents to distribute whatever documents they needed to digitally. I think there was maybe 1 course where we were given a link to a PDF. It's not about what you use, it's about what the other guys use.

    6. Re: Easy solution to avoid this malware... by DMFNR · · Score: 4, Insightful

How did you read that much in to just one sentence? I think what he meant is that the Office formats are so commonplace that even if you use different tools it's pretty likely that you're going to encounter .docx or .xlsx files. You can't control what software other people use and if you're in an office or educational environment it's almost a guarantee you will receive files in the Microsoft formats, in fact, isn't that one of the big selling points for LibreOffice? Its compatibility with those tools? I've even seen free software with .docx files available in the doc/ folder of their source packages! It has nothing to do with whether or not your choice of software is capable of "real work" or whatever the hell you're talking about, it's just that it's really hard to avoid Microsoft format stuff when you work with other people.

      Your point still stands that there are plenty of ways to deal with these files without having Office installed. That's the key here, it's not that the files are particularly dangerous, it's the interpreter that runs the macros you have to worry about! Plenty of solutions to deal with these formats available without having Office installed, Office 365 as you mentioned, Libre Office, Google Docs. MS software is like heroin, it feels pretty good when it's doing what its supposed to, but when everything goes wrong you're going to get hurt bad.

    7. Re: Easy solution to avoid this malware... by Dragonslicer · · Score: 5, Funny

      If you do real work or a college student you are going to be emailed office documents.

      I'm not sure I see the connection between doing a college student and being emailed office documents.

    8. Re: Easy solution to avoid this malware... by thegarbz · · Score: 1

      I have more LibreOffice and PDF files "lying around" these days than Word and Excel,

      So what you're saying is you have Word and Excel documents lying around even though you don't use Microsoft? You wrote a lot in your counter argument only to agree with the GP.

    9. Re: Easy solution to avoid this malware... by Anonymous Coward · · Score: 0

Duh, it's called blackmail. (Assuming you're the college student's professor, and [s]he uses office.)

    10. Re: Easy solution to avoid this malware... by Anonymous Coward · · Score: 1

How else are you going to get served your paternity test subpoena?

    11. Re: Easy solution to avoid this malware... by jmccue · · Score: 1

      Have you taken a college course

not since the advent of PC, but I know even some grade schools seem to require Microsoft junk and tests via WEB Pages. That only indicates to me the quality of our (US) education system; seems 'real' teaching went out of style in the 80s.

      had to deal in a "business-to-business" interaction at all in the past 15 years?

Every day; what I want to say is either in the email body or in a text file or rarely a Libreoffice doc. If I have to deal with Microsoft formatted files, they can deal with file formats I prefer.

    12. Re: Easy solution to avoid this malware... by Anonymous Coward · · Score: 0

      I was in university, and college before that (twice). Got all the paper. Was never mailed a word document. Used libre office. Assignments were online, and they wanted paper documents back. If they wanted an online reply, they gave a flat text file out, and wanted a flat text file back. None of the proprietary crapola needed.

    13. Re: Easy solution to avoid this malware... by Anonymous Coward · · Score: 0

      Businesses are the least technical, least up-to-date on what is modern. Find someone in business and I'll show you someone who types with one hand. They will be shouting orders while typing with one hand. "Advanced user" means using periods at the end of sentences. If I'm a customer of these so-called "businesses", then I use LibreOffice. If they insist that I use their format, then my business goes somewhere else! Don't give me your "every dumb ass on the block is jumping off bridges and using m$-word and so should you" bullshit. I won't get pulled into their bad decision making process (or yours).

    14. Re: Easy solution to avoid this malware... by Anonymous Coward · · Score: 0

      And? That doesn't answer the question of "are you implying that people who use MS Office alternatives are not doing real work?".

      Or maybe it does, in which case a simple "yes" would have sufficed.

  2. I have a out of this world solution by future+assassin · · Score: 3, Funny

    Researchers should store 3 word documents on their systems.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
    1. Re:I have a out of this world solution by Opportunist · · Score: 4, Insightful

      Brilliant. Pure genius. Nobody ever could come up with this idea.

      No, but seriously. The point is that this thwarts automatic detection tools. Of course, if a human is examining the malware, he will dissect it and analyze it and quickly realize that it counts documents. The automated tool will only notice that it does ... well, nothing.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:I have a out of this world solution by future+assassin · · Score: 1

Thanks, I'm brilliant, I knew not having a high skool diploma would be useful one day.. Speaking of which, anyone running these systems should be able to create a script/program to continuously create/delete word documents and randomize the count of documents in the system at any time.

      --
      by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
    3. Re:I have a out of this world solution by Opportunist · · Score: 1

      This is probably what is going to happen now. Until now, there wasn't really much of a reason to do it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:I have a out of this world solution by JaredOfEuropa · · Score: 1

      There already was a good reason. You need some stuff like documents and photos around on the drive for ransomware to glom onto.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    5. Re:I have a out of this world solution by AlphaBro · · Score: 1

      Actually, the summary explicitly states that the purpose of this malware's behavior is to thwart human analysts testing in a fresh environment. It's not the most impressive technique, but it is a cheap way to increase the defender's costs, given the potentially high price of reverse engineering.

    6. Re:I have a out of this world solution by sound+vision · · Score: 4, Insightful

      This piece of malware looked for Word documents, but the next one won't. Maybe it looks for image files, or it looks to see if the web browser has a significant cache built up. Or something more subtle than that. A better idea would be to create system images of used systems, periodically swapping them out, to make it a moving target.

    7. Re:I have a out of this world solution by flowsnake · · Score: 4, Interesting

      It's an arms race. As the malware gets more sophisticated at evasion, the sandbox will be made smarter to counter this. Complexity and sophistication will increase. Eventually, they will get smart enough to pass the Turing Test in order to stay in the game.

    8. Re:I have a out of this world solution by DMFNR · · Score: 1

      It's kind of mind boggling that the people doing these tests never thought that there would be some value to simulating an actual real life system when they are doing these tests. A collection of common software and files that they could monitor for side effects. It's not something I would imagine would cause them that much work, just add it to the image they are using, it's still a controlled environment if you know exactly what you put on there.

      Oh well, guess they probably will now!

    9. Re:I have a out of this world solution by Opportunist · · Score: 1

      This is rather odd, considering how manual malware reverse engineering works. Usually when you get a sample to dissect, you already know that it's a bogey. So it not doing what it's supposed to do is a quick way to become even more interesting, and finding that reason shouldn't take a good AV researcher more than an hour, tops.

      It also doesn't really add to the complexity of the analysis, creating/copying a handful of documents into your VM isn't that big a deal, what you'll probably do is to clean up, copy the files in, create a new base image and run from there. The delay this would cause is minimal.

      This as a hurdle for human researchers makes rather little sense, to be honest.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    10. Re:I have a out of this world solution by Opportunist · · Score: 1

      They probably dumped a file of each type into the sample set, to see what kind of documents the malware encrypts and in what way. Hence it is looking for TWO Word files. :)

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    11. Re:I have a out of this world solution by AlphaBro · · Score: 2

      Well, it depends largely on context. The question isn't always, "what does this malware do?" A lot of the time it's, "is this malware?" In the former case, sure, the appearance of innocuousness is going to evoke even more curiosity, and something like this will be little more than a speed bump. But in the latter case (which is by far the more common scenario), simple anti-forensics can prove very effective in evading detection.

      Think about it, if you've got a backlog of hundreds or even thousands of questionable files, how much time can you really commit to each one? Reversing all of them is probably out of the question. Most samples will get the regular treatment: fire up a fresh VM with some instrumentation, run the sample, and check for artifacts indicative of malicious behavior. Depending on the sophistication of the tooling, such artifacts may or may not be discovered. Considering the extremely low cost of implementation (probably a few lines to enumerate doc files), this was a good call on part of the attackers--a few minutes of work for a chance at flying under the radar for a bit longer.

      That said, there are plenty of open source tools available to dump VBA macros from Office documents, so the cost isn't exactly on par with reversing something like object code, but I still think the attackers made the right call here.

    12. Re:I have a out of this world solution by AlphaBro · · Score: 1

      Winning the arms race like that is going to be tough. A more general solution would be thorough, targeted instrumentation to better assess any file IO operations performed. It should be easy enough to fingerprint Office and use the data to monitor for anomalous file activity.

    13. Re:I have a out of this world solution by Anonymous Coward · · Score: 0

      This piece of malware looked for Word documents, but the next one won't. Maybe it looks for image files, or it looks to see if the web browser has a significant cache built up. Or something more subtle than that. A better idea would be to create system images of used systems, periodically swapping them out, to make it a moving target.

      My first thought was to check for recent files. It's easy to detect a test environment if all files are more than a month old.

    14. Re:I have a out of this world solution by truedfx · · Score: 1

      Used systems very likely have personal data on them. I wouldn't feel comfortable with the risk of letting malware or viruses be able to find anything like that.

    15. Re:I have a out of this world solution by Opportunist · · Score: 1

      I can tell you exactly how much time a reverse engineer invests in a file that may or may not be malware: Zero seconds. There isn't even close to enough time to start looking at even a tiny fraction of all the potentially dodgy files that make it past the attention of an AV team. And there isn't also any need for this, we do have very sophisticated automated tools that do pretty much what you describe, create a VM environment and run the file. Well, it does a bit more than just run it, but let's keep it at that. ;)

      Usually that's enough to flag a file as "interesting", even if the malware code isn't executed in the normal branch for some reason, and this one managed to escape that detection routine. But this is much like the original trojan horse: A great idea the first time, but won't work again. Ever.

      (and yes, I know about the video where they showed that people still fall for that most ancient of all tricks)

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    16. Re:I have a out of this world solution by cwsumner · · Score: 1

      Researchers should store 3 word documents on their systems.

      Seriously, using an empty install of Windows, in a VM, as a "Honey Pot" to catch malware is really lazy! Put something in there that would fool a casual human.
      Then maybe you can fool the -next- version of malware. ;-)

  3. Stupid comments aside... by junk · · Score: 2

This is really smart. Sure, you can not have Word and/or have more docs, but the detection of a real environment will just change. Kudos to the dev for thinking about this, even if it is virii.

    1. Re:Stupid comments aside... by SeaFox · · Score: 2

      You could image a real-world computer and use that to make test environment templates (obviously remove any documents that contain any real sensitive info).

    2. Re: Stupid comments aside... by slazzy · · Score: 1

Yup, pretty easy fix. Word docs, few thousand porn pics and movies and it starts to look like a real computer. I guess the next step for malware could be checking to see when word docs were last modified and such, but it would be easy to fake that too.

      --
      Website Just Down For Me? Find out
    3. Re:Stupid comments aside... by Opportunist · · Score: 2

      Viruses. In English, at least. In Latin, it would be vira. Third declination, not second.

      And while I can at least understand that people who don't understand Latin but somehow learned that -us becomes -i in plural (yes, if it's 2nd and masculine instead of neuter), where the fuck does that second "i" come from?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Stupid comments aside... by Potor · · Score: 3, Interesting

      Viruses. In English, at least. In Latin, it would be vira. Third declination, not second.

      And while I can at least understand that people who don't understand Latin but somehow learned that -us becomes -i in plural (yes, if it's 2nd and masculine instead of neuter), where the fuck does that second "i" come from?

      Your answer is confusing, even though the result is correct.

      Morphologically speaking, "vira" would be the proper plural precisely because "virus" is a second (not third) declension neuter noun.

Yet "virus", like "water", is uncountable, so this plural is unattested.

      But why do we always end up in this same Latin grammar and philology lesson?

    5. Re:Stupid comments aside... by Anonymous Coward · · Score: 0

      Declension, not declination.

    6. Re:Stupid comments aside... by war4peace · · Score: 1

      But why do we always end up in this same Latin grammar and philology lesson?

      ...OCD?
      I have some too.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    7. Re:Stupid comments aside... by Anonymous Coward · · Score: 0

      this isn't just smart, it's fucking brilliant.

      with changes microsoft has made to how office is sold and installed.. researchers would have to fuck around with microsoft accounts and activation and shit just to get the latest office installed on their test systems..

    8. Re:Stupid comments aside... by Sique · · Score: 1

Virus has no plural in Latin. It's a singulare tantum. So whatever plural you choose in another language, it's made up anyway.

      --
      .sig: Sique *sigh*
    9. Re:Stupid comments aside... by junk · · Score: 1

      Your answer is confusing, even though the result is correct.

      It's actually not correct but that's because I'm not new here. The spelling was intentional.

    10. Re:Stupid comments aside... by Potor · · Score: 1

      "Viruses" being the correct answer ....

  4. Maybe by Anonymous Coward · · Score: 0

    The stock images should be more comprehensive?

    I can't imagine any malware could detect a stock image taken from a year of use.

    1. Re:Maybe by Wycliffe · · Score: 1

      The stock images should be more comprehensive?

      I can't imagine any malware could detect a stock image taken from a year of use.

      Yep. Even if it was taken from a few weeks of use in a student lab the amount of effort needed for a virus to determine the false positives from the false negatives would become astronomical. It would either still infect some honeypots or greatly reduce the number of systems it could infect.
Basically the honeypots made it too easy, as a real computer in use shows many signs of use like facebook access, random google searches, random cruft on the hard drives, etc. This is a simplistic version. I could see a more advanced one making sure there was at least one facebook post in the last 24 hours before releasing its payload.

  5. This is great by Anonymous Coward · · Score: 0

    That's actually really nice news for me. I have 0 Word documents and no plans to get any.

  6. Ingenious programmers! by K.+S.+Kyosuke · · Score: 2

    They make code do stuff before it's even executed these days!

    But they could also have it look for cat videos. If even one is detected, it should definitely run no matter how many Word documents are found.

    --
    Ezekiel 23:20
  7. Malware DOESN'T evade detection by counting .DOCs by Anonymous Coward · · Score: 0

    How would we know about it if it had evaded detection?

  8. Re:Malware DOESN'T evade detection by counting .DO by AHuxley · · Score: 1

    AV is now moving to the cloud. So a lot more docs are facing very advanced testing on users systems and also on AV networks.
    Other AV just tests to see any changes in an OS and reports back findings to the AV developers.
    What can a Word file do in such environments?
    The evaded detection part can be as simple as not working when detecting a list of the most popular AV applications or software firewalls on an OS.

    --
    Domestic spying is now "Benign Information Gathering"
  9. Next gen by hcs_$reboot · · Score: 4, Funny

    Next generation malware will switch on the camera, observe the room for a few days, and if no woman at all enters the room it stays dormant.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:Next gen by Simon+Rowe · · Score: 1

      And how will the authors dev test that then?

    2. Re:Next gen by Anonymous Coward · · Score: 0

Stolen webcam footage fed into the webcam input?

    3. Re:Next gen by PMuse · · Score: 1

      Large size increases likelihood of detection. The code to count .doc files is tiny. Facial recognition, not so much.

      --
      "We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
    4. Re:Next gen by Anonymous Coward · · Score: 1

      Sure facial recognition... but BOOB recognition is HIGHLY optimized.

  10. Well, that pretty much sucks by Snotnose · · Score: 1

    I have 1 Word document on my PC. My resume. Some companies refuse to recognize Libreoffice word docs as Word format.

    Sux2bme I guess.

    1. Re:Well, that pretty much sucks by Salvage · · Score: 1

      I seem to recall that some versions of Word don't recognize files from other versions of Word as being "Word format".

      When I've had to deal with places that only take "Word format" I've sent them several different versions due to the above (and with a PDF version, too). I've occasionally been thanked for my thoughtfulness.

      Of course, keeping around copies of one file in several variations of "Word format" takes up a disproportionate amount of space, so I only generate them as needed.

      --
      T. M. Pederson
      "Lies, Damn Lies, and Documentation"
  11. Would be nice to see accuracy in reporting... by Anonymous Coward · · Score: 0

    That malware would be much better described as only infecting infected machines.

  12. um by Anonymous Coward · · Score: 0

Isn't the vba code inside a msoffice msexcel document always readable inside the program, so even if it's not doing anything you can still see the code for calling and modifying other files?

  13. Counting documents is doing something by Anonymous Coward · · Score: 2, Insightful

    Am I retarded? It doesn't matter.

Counting documents is "doing something". If the automated system doesn't see the macro accessing the filesystem and doing searches on the filesystem, then the automated system is more retarded than me.

    1. Re:Counting documents is doing something by rpstrong · · Score: 1

      'Retarded' may be a bit harsh - perhaps 'slow' might be more appropriate.

      You're assuming that performing innocuous read only file operations is sufficient cause to flag the macro as being a virus.

      Consider, for example, a legitimate macro which would present the user with a list of monthly sales reports. I haven't done spreadsheets since running Lotus 1-2-3 on a VAX mini computer, but your macro would essentially end up searching for 'SALES*.DOC' files - almost exactly what this one is doing.

      Would you bar any such operations? If so, you run the very real risk of having so many false positives that it essentially becomes useless to scan macros; simply block them by default on Office's side.

  14. we don't need no steenking word by gridsleep764 · · Score: 1

    This is why I only use Atlantis for word processing, Notetab Pro for text editing, and OpenOffice for everything else.

  15. Following the example Volkswagen set by Anonymous Coward · · Score: 0

    Brilliant.

  16. VDI by Anonymous Coward · · Score: 0

    VDI??
it's not a disease!

  17. No problem! by Anonymous Coward · · Score: 0

    I just use my computer for porn and games.

  18. It also counts CPUs by Anonymous Coward · · Score: 0

There was a recent DefCon talk that said some malware also checks the number of cores in the system. Since many VMs will be given only one core to run, they'll report as a single-core computer. When malware detects that, it doesn't execute.
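An added example, not code from the article, Threatpost or any commenter: a small sandbox-realism audit that checks an analysis image for the three bare-VM tells raised in this thread, too few Word documents (the summary's "more than two" threshold), no recently modified files (the "more than a month old" comment) and a single CPU core (the DefCon comment above). The thresholds and the constructed sample directory tree are my assumptions, not values from the malware.

```python
"""Sandbox-realism audit.  Added example, not code from the article or any
commenter: reports whether an analysis image would pass the bare-VM tells
raised in this thread.  Thresholds are assumptions drawn from the thread."""
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, Optional

WORD_EXTENSIONS = {".doc", ".docx"}
MIN_WORD_DOCS = 3      # summary: the macro only proceeds with more than two documents
MAX_STALE_DAYS = 30    # comment: "all files are more than a month old" reads as a sandbox
MIN_CPU_CORES = 2      # comment: a single-core guest is a common VM giveaway


def count_word_documents(root: Path) -> int:
    """Number of files under root whose extension is a Word extension."""
    return sum(1 for p in root.rglob("*")
               if p.is_file() and p.suffix.lower() in WORD_EXTENSIONS)


def newest_file_age_days(root: Path, now: Optional[float] = None) -> Optional[float]:
    """Age in days of the most recently modified file under root; None if no files."""
    now = time.time() if now is None else now
    mtimes = [p.stat().st_mtime for p in root.rglob("*") if p.is_file()]
    if not mtimes:
        return None
    return (now - max(mtimes)) / 86400.0


def audit_sandbox(root: Path, cpu_count: Optional[int] = None,
                  now: Optional[float] = None) -> Dict[str, object]:
    """Run the three checks; each *_ok flag is True when the image would pass."""
    cores = (os.cpu_count() or 1) if cpu_count is None else cpu_count
    docs = count_word_documents(root)
    age = newest_file_age_days(root, now)
    return {
        "word_docs": docs,
        "word_docs_ok": docs >= MIN_WORD_DOCS,
        "newest_file_age_days": age,
        "recent_files_ok": age is not None and age <= MAX_STALE_DAYS,
        "cpu_cores": cores,
        "cpu_cores_ok": cores >= MIN_CPU_CORES,
    }


def build_sample_tree(root: Path, word_docs: int, age_days: float,
                      now: Optional[float] = None) -> None:
    """Constructed sample image: word_docs .docx files plus one .txt, all aged age_days."""
    now = time.time() if now is None else now
    stamp = now - age_days * 86400.0
    docs_dir = root / "Users" / "analyst" / "Documents"   # assumed layout
    docs_dir.mkdir(parents=True, exist_ok=True)
    for i in range(word_docs):
        path = docs_dir / f"report{i}.docx"
        path.write_bytes(b"constructed placeholder, not a real Word file")
        os.utime(path, (stamp, stamp))
    notes = docs_dir / "notes.txt"         # not a Word file; must not be counted
    notes.write_text("constructed sample")
    os.utime(notes, (stamp, stamp))


def demo() -> Dict[str, Dict[str, object]]:
    """Audit a bare image and a seeded one; returns both reports keyed by label."""
    now = time.time()
    reports = {}
    for label, docs, age, cores in (("bare", 1, 90.0, 1), ("seeded", 5, 2.0, 4)):
        with tempfile.TemporaryDirectory() as tmp:
            root = Path(tmp)
            build_sample_tree(root, docs, age, now)
            reports[label] = audit_sandbox(root, cpu_count=cores, now=now)
    return reports


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

Run it against the root of a mounted analysis image with `audit_sandbox(Path("/mnt/image"))` to see which of the three checks the image would fail before a sample ever runs in it.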

  19. This is not new by Anonymous Coward · · Score: 0

    Malware writers have been trying to evade sandboxes for years now. Other techniques involve trying to detect running in a virtual machine, or looking at and timing mouse and keyboard input to make sure it's a human at the console. Most sandboxing technologies share intelligence, so it's becoming more difficult for malware to spread far and wide before being detected and stopped.

  20. Volkswagen virus by tommeke100 · · Score: 1

    Hey, this sounds exactly like the kind of tactics the VW software used to evade emission tests. I see the engineers fired by VW got a new job :-)

  21. Thank goodness by CauseBy · · Score: 1

    I'm safe.

    I mean, I use Linux and Mac so I'd be safe anyway, but if they made this virus for a real computer instead of Windows then I'd still be safe because my hard drives have zero Word documents on them.