Trick abused by macro-malware since the start of the year

Aug 3, 2016 02:30 GMT

Cisco's security team has published an interesting discovery today, revealing a new method abused by cyber-crooks to spread macro-based malware.

Their discovery revolves around a change Microsoft introduced in the Office suite in 2007, when it replaced the default file formats with a new set based on the Office Open XML (OOXML) standard.

Prior to 2007, all Microsoft Office files included built-in support for storing and automatically running macro scripts (Visual Basic for Applications code) when opened. After 2007, with the addition of the new file formats, some of them were capable of storing macro code while others weren't.

For example, in Word, DOCX and DOTX don't allow macro execution while DOCM and DOTM do. The macro-enabled formats are easy to spot: an M at the end of the original Office extension signals macro support, while an X signals the lack of it.

Renaming DOCM/DOTM files to other extensions

Cisco researchers discovered one thing. If a DOCX/DOTX file was renamed to DOCM/DOTM, someone could not add macro malware to that file, because of the mismatch between the file's MIME type and its extension and the way Windows and Office handle it. Opening a file renamed in this way would trigger an error.

On the other hand, someone could take DOCM/DOTM files and rename them to DOCX/DOTX, and the macro code would still exist inside the file itself. Opening a file renamed this way wouldn't show an error like in the previous case; Office would open the file and run the macros embedded in it.

This even worked with DOCM/DOTM files renamed to RTF, a file extension that never supported macros. The same thing is possible with XLSX files renamed to a CSV, a text-based format.

To work, the files need to be associated to open with an Office application, but these files generally are, with Office automatically registering itself as the default handler for a large number of these file extensions.

Problem resides in Office's WWLIB.DLL file

"In general, MS Word opens files based on the file data, not based on the file name extension. So long as MS Word can identify the data structure, it will open the file correctly," Cisco researchers explain.

The issue resides in the WWLIB.DLL file, a DLL used by Office to validate MIME types.

"When the file extension does not hint at an OOXML file type this step of validation always passes, even if the MIME type is actually OOXML. This means an OOXML document with macros included (DOCM or DOTM) will load successfully if it has a different filename extension," the researchers also explain.
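The gap described above is that the extension check in WWLIB.DLL is skipped whenever the extension does not look like OOXML, while Word itself sniffs the file data. A defender can close that gap on the mail gateway or endpoint by doing the same content sniffing and comparing it with the extension. The following script is an added example written for this article; it is not Cisco's or Microsoft's code. It treats a file as macro-enabled OOXML when the zip container carries a `word/vbaProject.bin` part or a `macroEnabled` content type in `[Content_Types].xml`, and flags any such file whose extension is one of the macro-free formats the article names (DOCX, DOTX, RTF, XLSX, CSV). The `build_sample` helper constructs minimal OOXML-like packages for the demo; they are not real Word documents, and the extension list is an assumption drawn from the article rather than a complete inventory.

```python
import io
import os
import xml.etree.ElementTree as ET
import zipfile

# Extensions the article names as formats that should never carry macros.
# Assumption for this example: extend the set to match your own policy.
MACRO_FREE_EXTENSIONS = {".docx", ".dotx", ".rtf", ".xlsx", ".csv"}

# Real OOXML content types (ECMA-376 / Microsoft Office); used only by the constructed samples.
DOCX_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOCM_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
VBA_CT = "application/vnd.ms-office.vbaProject"


def ooxml_macro_indicators(data: bytes) -> dict:
    """Sniff raw bytes the way a content-based check would: is this an OOXML zip,
    and does it carry a VBA project part or a macro-enabled content type?"""
    result = {"is_ooxml": False, "vba_part": False, "macro_content_type": False}
    if not data.startswith(b"PK\x03\x04"):  # zip local-file-header signature
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        return result  # a zip, but not an OOXML package
    result["is_ooxml"] = True
    # DOCM/DOTM store their VBA in word/vbaProject.bin regardless of the outer file name.
    result["vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    try:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
    except ET.ParseError:
        return result
    # Default/Override elements carry each part's ContentType; macro-enabled main parts say "macroEnabled".
    for el in root.iter():
        if "macroenabled" in el.get("ContentType", "").lower():
            result["macro_content_type"] = True
    return result


def assess(filename: str, data: bytes) -> str:
    """Compare what the extension promises with what the content actually is."""
    ext = os.path.splitext(filename)[1].lower()
    ind = ooxml_macro_indicators(data)
    has_macros = ind["vba_part"] or ind["macro_content_type"]
    if has_macros and ext in MACRO_FREE_EXTENSIONS:
        return "SUSPICIOUS: macro-enabled OOXML content under a non-macro extension"
    if has_macros:
        return "macro-enabled (extension matches content)"
    if ind["is_ooxml"]:
        return "ooxml, no macros"
    return "not ooxml"


def build_sample(macro: bool) -> bytes:
    """Constructed minimal OOXML-like package for the demo; not a real Word document."""
    main_ct = DOCM_MAIN_CT if macro else DOCX_MAIN_CT
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        + (f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CT}"/>' if macro else "")
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for an OLE-packaged VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # A macro-enabled package saved under the extensions the article describes being abused.
    for name in ("report.docm", "report.docx", "report.rtf"):
        print(f"{name}: {assess(name, build_sample(True))}")
    print(f"clean.docx: {assess('clean.docx', build_sample(False))}")
```

The check is deliberately extension-agnostic: it inspects the container first and only then asks whether the name is consistent with it, which is the opposite order from the validation the article says WWLIB.DLL performs. It covers OOXML containers only; legacy binary DOC/XLS files are OLE compound documents and need a separate check.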

The bad news is that this tactic has been discovered by the bad guys as well. Cisco reports that multiple malware distribution campaigns have abused this feature since the start of the year, and the numbers are growing each month.

The easiest way to fix this is an Office update that changes how WWLIB.DLL validates file types, so that a mismatch between extension and content triggers a warning or a validation error that prevents execution and deters crooks from hiding their macro code in seemingly safe files.