Slashdot Mirror


Malware Evades Detection By Counting Word Documents (threatpost.com)

"Researchers have found a new strain of document-based macro malware that evades discovery by lying dormant when it detects a security researcher's test environment," reports Threatpost, The Kaspersky Lab security news service. Slashdot reader writes: Once a computer is compromised, the malware will count the number of Word documents stored on the local drive; if it's more than two, the malware executes. Otherwise, it figures it's landed in a virtual environment or is executing in a sandbox and stays dormant.

A typical test environment consists of a fresh Windows computer image loaded into a VM. The OS image usually lacks documents and other telltale signs of real world use [according to SentinelOne researcher Caleb Fenton]. If no Microsoft Word documents are found, the VBA macro's code execution terminates, shielding the malware from automated analysis and detection. Alternately, if more than two Word documents are found on the targeted system, the macro will download and install the malware payload.
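One countermeasure to the check described above is to make the analysis VM look used before a sample runs. The script below is an added example (not code from Threatpost, SentinelOne, or the malware) that seeds a profile directory with small but structurally valid decoy .docx files, spread over plausible folders and modification times, and then counts Word documents the way the reported macro is said to; the folder names, file names and placeholder text are constructed.

```python
import os
import random
import tempfile
import time
import zipfile
from pathlib import Path

# Minimal parts of a valid .docx (OOXML is a zip container); all placeholder text is constructed.
NS = "http://schemas.openxmlformats.org"
CONTENT_TYPES = (f'<?xml version="1.0" encoding="UTF-8"?><Types xmlns="{NS}/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" '
    'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
RELS = (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{NS}/package/2006/relationships">'
    f'<Relationship Id="rId1" Type="{NS}/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>')
DOCUMENT = (f'<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="{NS}/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>__TEXT__</w:t></w:r></w:p></w:body></w:document>')

def write_decoy_docx(path, text):
    """Write a small but structurally valid .docx (text must not contain XML-special characters)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", RELS)
        z.writestr("word/document.xml", DOCUMENT.replace("__TEXT__", text))

def is_docx(path):
    """True if path is a zip that carries the main WordprocessingML part."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as z:
        return "word/document.xml" in z.namelist()

def seed_sandbox(count=12, seed=None, root=None):
    """Populate root (a fresh temp dir if None) with decoy documents; returns the root path."""
    rng = random.Random(seed)
    root = Path(root or tempfile.mkdtemp(prefix="decoy_profile_"))
    names = ["budget", "minutes", "draft", "invoice", "notes", "report", "agenda"]
    subdirs = ["Documents", "Desktop", "Downloads", "Documents/archive"]
    for i in range(count):
        folder = root / rng.choice(subdirs)
        folder.mkdir(parents=True, exist_ok=True)
        path = folder / f"{rng.choice(names)}_{rng.randint(2014, 2016)}_{i}.docx"
        write_decoy_docx(path, f"Decoy document {i} (constructed for the analysis VM)")
        # Spread mtimes over roughly a year so the files do not all carry the image build timestamp.
        mtime = time.time() - rng.uniform(1, 400) * 86400
        os.utime(path, (mtime, mtime))
    return root

def count_word_documents(root):
    """Count .doc/.docx files under root, roughly the check the reported macro performs."""
    return sum(1 for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in (".doc", ".docx"))
```

As later comments note, a different sample may look for other signs of use, so a seeded profile is one layer, not a complete answer.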

17 of 70 comments

  1. Easy solution to avoid this malware... by Anonymous Coward · · Score: 4, Insightful

    Don't use Word.

    1. Re: Easy solution to avoid this malware... by Billly+Gates · · Score: 5, Insightful

      Even if you use LibreOffice I am sure you have Word and Excel documents lying around. If you do real work or a college student you are going to be emailed office documents.

    2. Re: Easy solution to avoid this malware... by sound+vision · · Score: 5, Insightful

      Have you taken a college course or had to deal in a "business-to-business" interaction at all in the past 15 years? They all use the MS Word document format. I took college courses from 2007-2012 at several campuses, of course with different professors... They pretty much all used Word documents to distribute whatever documents they needed to digitally. I think there was maybe 1 course where we were given a link to a PDF. It's not about what you use, it's about what the other guys use.

    3. Re: Easy solution to avoid this malware... by DMFNR · · Score: 4, Insightful

      How did you read that much into just one sentence? I think what he meant is that the Office formats are so commonplace that even if you use different tools it's pretty likely that you're going to encounter .docx or .xlsx files. You can't control what software other people use and if you're in an office or educational environment it's almost a guarantee you will receive files in the Microsoft formats, in fact, isn't that one of the big selling points for LibreOffice? Its compatibility with those tools? I've even seen free software with .docx files available in the doc/ folder of their source packages! It has nothing to do with whether or not your choice of software is capable of "real work" or whatever the hell you're talking about, it's just that it's really hard to avoid Microsoft format stuff when you work with other people.

      Your point still stands that there are plenty of ways to deal with these files without having Office installed. That's the key here, it's not that the files are particularly dangerous, it's the interpreter that runs the macros you have to worry about! Plenty of solutions to deal with these formats available without having Office installed, Office 365 as you mentioned, Libre Office, Google Docs. MS software is like heroin, it feels pretty good when it's doing what it's supposed to, but when everything goes wrong you're going to get hurt bad.

    4. Re: Easy solution to avoid this malware... by Dragonslicer · · Score: 5, Funny

      If you do real work or a college student you are going to be emailed office documents.

      I'm not sure I see the connection between doing a college student and being emailed office documents.

  2. I have an out of this world solution by future+assassin · · Score: 3, Funny

    Researchers should store 3 word documents on their systems.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
    1. Re:I have an out of this world solution by Opportunist · · Score: 4, Insightful

      Brilliant. Pure genius. Nobody ever could come up with this idea.

      No, but seriously. The point is that this thwarts automatic detection tools. Of course, if a human is examining the malware, he will dissect it and analyze it and quickly realize that it counts documents. The automated tool will only notice that it does ... well, nothing.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:I have an out of this world solution by sound+vision · · Score: 4, Insightful

      This piece of malware looked for Word documents, but the next one won't. Maybe it looks for image files, or it looks to see if the web browser has a significant cache built up. Or something more subtle than that. A better idea would be to create system images of used systems, periodically swapping them out, to make it a moving target.

    3. Re:I have an out of this world solution by flowsnake · · Score: 4, Interesting

      It's an arms race. As the malware gets more sophisticated at evasion, the sandbox will be made smarter to counter this. Complexity and sophistication will increase. Eventually, they will get smart enough to pass the Turing Test in order to stay in the game.

    4. Re:I have an out of this world solution by AlphaBro · · Score: 2

      Well, it depends largely on context. The question isn't always, "what does this malware do?" A lot of the time it's, "is this malware?" In the former case, sure, the appearance of innocuousness is going to evoke even more curiosity, and something like this will be little more than a speed bump. But in the latter case (which is by far the more common scenario), simple anti-forensics can prove very effective in evading detection.

      Think about it, if you've got a backlog of hundreds or even thousands of questionable files, how much time can you really commit to each one? Reversing all of them is probably out of the question. Most samples will get the regular treatment: fire up a fresh VM with some instrumentation, run the sample, and check for artifacts indicative of malicious behavior. Depending on the sophistication of the tooling, such artifacts may or may not be discovered. Considering the extremely low cost of implementation (probably a few lines to enumerate doc files), this was a good call on part of the attackers--a few minutes of work for a chance at flying under the radar for a bit longer.

      That said, there are plenty of open source tools available to dump VBA macros from Office documents, so the cost isn't exactly on par with reversing something like object code, but I still think the attackers made the right call here.

  3. Stupid comments aside... by junk · · Score: 2

    This is really smart. Sure, you can not have Word and/or have more docs, but the detection of a real environment will just change. Kudos to the dev for thinking about this, even if it is virii.

    1. Re:Stupid comments aside... by SeaFox · · Score: 2

      You could image a real-world computer and use that to make test environment templates (obviously remove any documents that contain any real sensitive info).

    2. Re:Stupid comments aside... by Opportunist · · Score: 2

      Viruses. In English, at least. In Latin, it would be vira. Third declination, not second.

      And while I can at least understand that people who don't understand Latin but somehow learned that -us becomes -i in plural (yes, if it's 2nd and masculine instead of neuter), where the fuck does that second "i" come from?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Stupid comments aside... by Potor · · Score: 3, Interesting

      Viruses. In English, at least. In Latin, it would be vira. Third declination, not second.

      And while I can at least understand that people who don't understand Latin but somehow learned that -us becomes -i in plural (yes, if it's 2nd and masculine instead of neuter), where the fuck does that second "i" come from?

      Your answer is confusing, even though the result is correct.

      Morphologically speaking, "vira" would be the proper plural precisely because "virus" is a second (not third) declension neuter noun.

      Yet "virus", like "water", is uncountable, so this plural is unattested.

      But why do we always end up in this same Latin grammar and philology lesson?

  4. Ingenious programmers! by K.+S.+Kyosuke · · Score: 2

    They make code do stuff before it's even executed these days!

    But they could also have it look for cat videos. If even one is detected, it should definitely run no matter how many Word documents are found.

    --
    Ezekiel 23:20
  5. Next gen by hcs_$reboot · · Score: 4, Funny

    Next generation malware will switch on the camera, observe the room for a few days, and if no woman at all enters the room it stays dormant.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  6. Counting documents is doing something by Anonymous Coward · · Score: 2, Insightful

    Am I retarded? It doesn't matter.

    Counting documents is "doing something". If the automated system doesn't see the macro accessing the filesystem and doing searches on the filesystem, then the automated system is more retarded than me.