DOC files and social engineering
Tuesday July 3, 2007 at 6:14 am CST
Posted by Allysa Myers
There has been a raft of new variants of various Spy-Agent malware over the past few weeks. They arrive as DOC files with a second file embedded inside, and that embedded file must be double-clicked before anything runs. Almost invariably, the files appear to be a notice of a complaint from some agency or other (IRS, Better Business Bureau, etc.), and when you open the DOC the text says only that the file inside must be double-clicked.
Note that I say nothing about any exploits, anything automatically running, or any of the sorts of scary technology we’ve become accustomed to. This is pure, simple social engineering. Scare a person into jumping through a variety of hoops. And all indications point to the fact that this technique is working remarkably well.
The question this raises for me is: when did people stop filtering DOC files? It used to be de rigueur to filter Office files at the gateway, back in the macro virus days. Despite the incredible popularity of targeted attacks using MS Office files, this seems to have fallen out of fashion.
So, I open this up to you, Dear Readers:
What file types, if any, do you filter at the gateway? Why did you choose that file type, and/or reject filtering for other file types?

July 3rd, 2007 at 7:33 am
How do you filter MS-Office files such that all files with embedded OLE objects or attached VBA code are flagged for review/deletion but all other Office files pass through without delay or modification?
July 3rd, 2007 at 7:51 am
It’s actually not a .doc file, it’s an RTF file with a .doc extension. If gateways are filtering on content and not extension, they may be allowing RTF files.
July 3rd, 2007 at 2:22 pm
Matt - This will vary depending on what filtering software you’re using. Filtering on these two things will save you from more “old-fashioned” techniques, but it will not necessarily stop the many exploits that have been targeting MS Office files.
John - You are correct, it is in fact an RTF file internally. RTF files have also been targeted for exploits and malware for many years, and in my opinion these should be considered equally as dangerous as other office file-types.
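The thread raises two concrete checks a gateway filter needs: identify the attachment by its content rather than its extension (the "DOC" here is really RTF), and flag Office files that carry embedded OLE objects or VBA. The following is an added example written for this page, not code from the blog author or from any gateway product. It sniffs the container type from its leading bytes, pulls the object class names out of RTF `\object` groups, and applies a crude heuristic for VBA in legacy OLE documents (searching for the `_VBA_PROJECT` stream name, which a real deployment should replace with a proper OLE parser). The sample byte strings are constructed stand-ins shaped like the files described in the post, not real malware.

```python
import re

# Magic bytes for the two container formats discussed in the post.
RTF_MAGIC = b"{\\rtf"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound document (legacy .doc/.xls/.ppt)

# RTF control words that introduce an embedded OLE object and carry its class/data.
RTF_OBJECT_RE = re.compile(rb"\\object\b")
RTF_OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9_.]+)")
RTF_OBJDATA_RE = re.compile(rb"\\objdata\b")

# Heuristic marker only: the VBA project stream name as it appears (UTF-16LE)
# in an OLE directory. A production filter should parse the OLE structure.
VBA_STREAM_MARKER = "_VBA_PROJECT".encode("utf-16-le")

OFFICE_EXTS = {"doc", "dot", "rtf", "xls", "xlt", "ppt", "pot"}


def sniff_type(data: bytes) -> str:
    """Identify the container by its leading bytes, ignoring the filename."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole"
    return "unknown"


def rtf_object_classes(data: bytes) -> list:
    """Return the \\objclass names of every embedded object group in an RTF body."""
    if not RTF_OBJECT_RE.search(data):
        return []
    return [m.group(1).decode("ascii", "replace") for m in RTF_OBJCLASS_RE.finditer(data)]


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Gateway-style verdict: flag extension/content mismatch and embedded active content."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_type(data)
    reasons = []
    if kind == "rtf":
        if ext != "rtf":
            # The case from the post: RTF content shipped with a .doc extension.
            reasons.append("rtf-content-with-%s-extension" % (ext or "no"))
        classes = rtf_object_classes(data)
        if classes:
            reasons.append("rtf-embedded-object:" + ",".join(classes))
        elif RTF_OBJDATA_RE.search(data):
            reasons.append("rtf-embedded-object:unknown-class")
    elif kind == "ole":
        if VBA_STREAM_MARKER in data:
            reasons.append("ole-vba-project")
    elif ext in OFFICE_EXTS:
        # Claims to be an Office file but is neither RTF nor OLE: hand it to a human.
        reasons.append("unrecognised-content-for-office-extension")
    return {"filename": filename, "content_type": kind, "flag": bool(reasons), "reasons": reasons}


def triage(attachments: dict) -> list:
    """Return the filenames that should be held for review, in input order."""
    return [name for name, data in attachments.items() if inspect_attachment(name, data)["flag"]]


# Constructed samples (not real malware), shaped like the cases in the thread.
SAMPLE_COMPLAINT_DOC = (
    b"{\\rtf1\\ansi Please double-click the attached file to view the complaint. "
    b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata 01050000020000000000}}}"
)
SAMPLE_PLAIN_RTF = b"{\\rtf1\\ansi Quarterly figures are attached separately.}"
SAMPLE_OLE_WITH_VBA = OLE_MAGIC + b"\x00" * 64 + VBA_STREAM_MARKER + b"\x00" * 32
SAMPLE_OLE_CLEAN = OLE_MAGIC + b"\x00" * 128

if __name__ == "__main__":
    batch = {
        "complaint.doc": SAMPLE_COMPLAINT_DOC,
        "notes.rtf": SAMPLE_PLAIN_RTF,
        "report.doc": SAMPLE_OLE_WITH_VBA,
        "memo.doc": SAMPLE_OLE_CLEAN,
    }
    for name, data in batch.items():
        print(inspect_attachment(name, data))
    print("held for review:", triage(batch))
```

Matt's requirement (pass clean Office files untouched) is met by returning a verdict rather than rewriting the file; only flagged attachments are held. The RTF branch answers John's point: a filter keyed on extension would wave `complaint.doc` through, while the magic-byte check reports it as RTF and the `\object` scan reports the embedded `Package`.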
September 13th, 2007 at 4:44 pm
People must filter files by source; filtering by type of file is not safe. There are a lot of formats with unknown overflow bugs. Example: JPG seems safe, but …