Gabor Szappanos VirusBuster
Office 2003 introduced a new document format, the single-file XML storage, which stress macros encoded in the XML body. At first sight it should not be much different from the native binary format we got used to, but it results in serious performance issues. This paper will investigate how the new format will affect the scanning of infected and non-infected documents respectively, in dependence with the file's size.
So far it was extremely difficult to implant a macro virus into an Office without the active participation of Office itself. Even VBScripts that infected Word documents relied on the ActiveX server capabilities of Word. For a binary malware to handle properly the OLE2-WordDocument storage format sandwich was almost impossible. Using a textual representation makes a lot easier to insert macrocode into an ordinary document. A binary dropper can carry a copy of an infected macro storage, and insert it easily into an appropriate location in a Word document. Office is very generous about the appropriate location; therefore the XML parser of the virus does not have to be sophisticated at all. This could happen on about any platform, including Unix, Linux and others, where active macro infection was not possible - until now. The presentation attempts to outline the new attack scenarios that derive from the new file format.