

Excessive handling of false positives can also cost an organization dearly in the long run. A major step in incident handling is to confirm whether a security incident is in fact taking place. Recently, attacks using Office (or other office applications such as Ichitaro) as a vector have become more popular, making this identification stage a bit more difficult.

Some small tools can come in really useful if you want to avoid attaching a debugger to your Word session. In many cases, your anti-virus scanner might be able to spot malicious files when they exploit a known vulnerability. Some names attributed to malicious Word files so far appear to generically trigger on malicious files:

Other vendors decided not to include patterns for exploitative Word documents, but provide them for the payload only, once it gets executed. While this generates fewer false positives, it also provides less protection against malicious code that is targeted or has only recently been distributed. It also misses the exploit on the e-mail gateway. You may want to check in with your vendor to see what their approach to the issue is.

Another tool that is still useful is the regular hex editor, or even strings.

Other useful tools have been released by Sourcefire and SecureWorks. Sourcefire's OfficeCat scans an Office file for the exploitation of a long list of known vulnerabilities. SecureWorks' Fess, short for File Exploit Scanning System, is an open-source tool that scans files for exploits using a Snort-like inspection language. Its basic release does not contain Office signatures, but a set was released a few months later on the Fess-users mailing list. It's a powerful tool, but you may need to write signatures yourself based on what specifically you are looking for. It's a tool that would allow you to scan Office files for shellcode, for example.

Microsoft also has tools to bring clarity into the format. In essence, Microsoft Office files are of OLE Structured Storage nature, and consist of numerous 'storage' and 'stream' items. In order to identify each of the storage items, at the end of 2006, Microsoft released a tool called STG, which can display the different structure components and their contents. This can prove valuable when you're trying to identify malicious components. Many of you may have worked with a similar tool, DocFile Viewer, part of Visual Studio.
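As an added illustration (not part of this diary, nor Microsoft's or Sourcefire's code), here is a small Python parser that walks an OLE2 compound file's FAT and directory to list its storages and streams, the same view STG and DocFile Viewer give you. The container it reads is constructed inline for the example and is not a real document; the entry names (WordDocument, CompObj, Macros) are the ones a Word 97-2003 file would typically carry.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
NOSTREAM = FREESECT  # directory entries reuse this value for "no sibling/child"
TYPES = {1: "storage", 2: "stream", 5: "root"}

def list_entries(data):
    """Return [(name, kind, size)] for every used directory entry of an OLE compound file."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound file")
    ssz = 1 << struct.unpack_from("<H", data, 30)[0]          # 512 for v3, 4096 for v4
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    fat = []  # FAT sector numbers come from the header DIFAT (enough for files under ~7 MB)
    for s in struct.unpack_from("<109I", data, 76)[:num_fat]:
        fat.extend(struct.unpack_from("<%dI" % (ssz // 4), data, (s + 1) * ssz))
    entries, sect, seen = [], first_dir, set()
    while sect < len(fat) and sect not in seen:               # walk the directory chain; stop on
        seen.add(sect)                                        # ENDOFCHAIN, a bad link or a loop
        for off in range((sect + 1) * ssz, (sect + 2) * ssz, 128):
            name_len, kind = struct.unpack_from("<HB", data, off + 64)
            if kind == 0:                                     # unused slot
                continue
            name = data[off:off + name_len - 2].decode("utf-16-le")
            size = struct.unpack_from("<Q", data, off + 120)[0]
            entries.append((name, TYPES.get(kind, "unknown"), size))
        sect = fat[sect]
    return entries

def dir_entry(name, kind, left, right, child, start, size):
    """One 128-byte directory entry (constructed; CLSID and timestamps left zero)."""
    n = name.encode("utf-16-le") + b"\x00\x00"
    return (n.ljust(64, b"\x00") + struct.pack("<HBBIII", len(n), kind, 1, left, right, child)
            + bytes(36) + struct.pack("<IQ", start, size))

def build_sample():
    """Constructed minimal Word-like container: header, one FAT sector, one directory sector.
    Stream bodies are omitted (sizes 0); only the storage/stream tree is of interest here."""
    hdr = (OLE_MAGIC + bytes(16) + struct.pack("<5H", 0x3E, 3, 0xFFFE, 9, 6) + bytes(6)
           + struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
           + struct.pack("<109I", 0, *([FREESECT] * 108)))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = (dir_entry("Root Entry", 5, NOSTREAM, NOSTREAM, 1, ENDOFCHAIN, 0)
                 + dir_entry("WordDocument", 2, NOSTREAM, 2, NOSTREAM, ENDOFCHAIN, 0)
                 + dir_entry("\x01CompObj", 2, NOSTREAM, 3, NOSTREAM, ENDOFCHAIN, 0)
                 + dir_entry("Macros", 1, NOSTREAM, NOSTREAM, NOSTREAM, ENDOFCHAIN, 0))
    return hdr + fat + directory
```

Run `list_entries(open(path, "rb").read())` on a real .doc/.xls/.ppt to get the same storage and stream listing; an unexpected storage (for instance a Macros storage in a file that should carry none) is the kind of component worth a closer look with a hex editor or strings.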
