XML heaven

Gabor Szappanos VirusBuster

XML heaven

Office 2003 introduced a new document format, the single-file XML storage, which stress macros encoded in the XML body. At first sight it should not be much different from the native binary format we got used to, but it results in serious performance issues. This paper will investigate how the new format will affect the scanning of infected and non-infected documents respectively, in dependence with the file's size.

So far it was extremely difficult to implant a macro virus into an Office without the active participation of Office itself. Even VBScripts that infected Word documents relied on the ActiveX server capabilities of Word. For a binary malware to handle properly the OLE2-WordDocument storage format sandwich was almost impossible. Using a textual representation makes a lot easier to insert macrocode into an ordinary document. A binary dropper can carry a copy of an infected macro storage, and insert it easily into an appropriate location in a Word document. Office is very generous about the appropriate location; therefore the XML parser of the virus does not have to be sophisticated at all. This could happen on about any platform, including Unix, Linux and others, where active macro infection was not possible - until now. The presentation attempts to outline the new attack scenarios that derive from the new file format.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.