Stephen Edwards Sophos
Paul Baccas Sophos
The main class of malicious OLE2 files currently seen by SophosLabs exploits vulnerabilities in Microsoft Office applications; these files are used to install malware, most often rootkits, backdoors or downloaders. Ten years ago, SophosLabs would have been inundated with self-replicating threats and macro-based trojans. As the attack vector has changed, detection techniques have adapted with it, and knowledge of the OLE2 specification is a powerful tool in that fight.
OLE2 documents are complex, so the cost of parsing them deeply enough to detect an exploit directly can be prohibitive for a security scanner. However, Microsoft Office file formats typically begin with records that contain a significant number of rigidly defined fields. This paper investigates whether non-adherence to the specification within these fields can serve as a low-cost heuristic for improving detection of this class of malware and, by scanning a diverse corpus of clean and exploited files, sets out which violations are pertinent to exploit detection.
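The heuristic described above can be illustrated on the part of the OLE2 specification that is public and fixed: the 512-byte compound file header (the MS-CFB header that precedes every Office binary document). The following is an added example, not code from the paper or from SophosLabs; it checks only the header fields whose values the MS-CFB specification fixes (signature, CLSID, version, byte order, sector shifts, reserved bytes, directory-sector count, mini-stream cutoff and DIFAT layout) and reports each violation without parsing any stream. The sample headers it runs on are constructed inline; the specific record fields the paper studies inside the Word and Excel streams are not reproduced here.

```python
import struct

# MS-CFB fixed header layout: 76 bytes of fields followed by 109 DIFAT entries.
OLE2_SIGNATURE = bytes.fromhex("d0cf11e0a1b11ae1")
HEADER_FMT = "<8s16sHHHHH6sIIIIIIIII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 76
FREESECT = 0xFFFFFFFF
ENDOFCHAIN = 0xFFFFFFFE


def check_ole2_header(data: bytes) -> list[str]:
    """Return a list of specification violations found in an OLE2 header.

    An empty list means every rigidly defined header field holds the value
    the specification requires. No sector or stream is parsed, so the cost
    is a single struct.unpack plus a few comparisons.
    """
    violations = []
    if len(data) < 512:
        return ["file shorter than the 512-byte OLE2 header"]
    (sig, clsid, minor, major, byte_order, sector_shift, mini_shift,
     reserved, n_dir, n_fat, first_dir, txn, mini_cutoff,
     first_minifat, n_minifat, first_difat, n_difat) = struct.unpack(
        HEADER_FMT, data[:HEADER_SIZE])

    if sig != OLE2_SIGNATURE:
        # Not an OLE2 file at all; the remaining checks would be meaningless.
        return ["signature is not D0CF11E0A1B11AE1"]
    if clsid != b"\0" * 16:
        violations.append("header CLSID must be all zero")
    if minor != 0x003E:
        violations.append(f"minor version 0x{minor:04x} != 0x003e")
    if major not in (3, 4):
        violations.append(f"major version {major} is neither 3 nor 4")
    if byte_order != 0xFFFE:
        violations.append(f"byte order 0x{byte_order:04x} != 0xfffe")
    expected_shift = {3: 9, 4: 12}.get(major)
    if expected_shift is not None and sector_shift != expected_shift:
        violations.append(f"sector shift {sector_shift} != {expected_shift} for v{major}")
    if mini_shift != 6:
        violations.append(f"mini sector shift {mini_shift} != 6")
    if reserved != b"\0" * 6:
        violations.append("reserved bytes at offset 34 are not zero")
    if major == 3 and n_dir != 0:
        violations.append(f"v3 file declares {n_dir} directory sectors (must be 0)")
    if mini_cutoff != 0x1000:
        violations.append(f"mini stream cutoff 0x{mini_cutoff:x} != 0x1000")
    if major == 4 and len(data) >= 4096 and any(data[512:4096]):
        violations.append("v4 header sector padding (512..4095) is not zero")

    # The header DIFAT: the first n_fat entries (up to 109) name FAT sectors,
    # every remaining entry must be FREESECT.
    difat = struct.unpack("<109I", data[HEADER_SIZE:512])
    for i, entry in enumerate(difat):
        used = i < min(n_fat, 109)
        if used and entry == FREESECT:
            violations.append(f"DIFAT[{i}] should name a FAT sector but is FREESECT")
        elif not used and entry != FREESECT:
            violations.append(f"DIFAT[{i}] is unused but not FREESECT")
    if n_fat <= 109 and (n_difat != 0 or first_difat != ENDOFCHAIN):
        violations.append("no DIFAT sectors are needed, yet a DIFAT chain is declared")
    return violations


def build_header(**overrides) -> bytes:
    """Construct a minimal, specification-conformant v3 header for testing.

    Keyword overrides replace individual fields so that single violations
    can be injected; this is constructed sample input, not a real document.
    """
    fields = dict(sig=OLE2_SIGNATURE, clsid=b"\0" * 16, minor=0x003E, major=3,
                  byte_order=0xFFFE, sector_shift=9, mini_shift=6,
                  reserved=b"\0" * 6, n_dir=0, n_fat=1, first_dir=1, txn=0,
                  mini_cutoff=0x1000, first_minifat=ENDOFCHAIN, n_minifat=0,
                  first_difat=ENDOFCHAIN, n_difat=0)
    fields.update(overrides)
    head = struct.pack(HEADER_FMT, *fields.values())
    # One FAT sector at sector 0; the other 108 DIFAT slots are FREESECT.
    difat = struct.pack("<I", 0) + struct.pack("<I", FREESECT) * 108
    return head + difat


if __name__ == "__main__":
    print("clean:", check_ole2_header(build_header()))
    print("tampered:", check_ole2_header(build_header(byte_order=0x1234, mini_shift=7)))
```

A scanner using this as a pre-filter would treat any non-empty result as a reason to spend the extra cost of record-level parsing on the file; which of these header-level violations actually correlate with exploitation, as opposed to merely sloppy writers, is exactly the kind of question the paper's corpus scan is meant to answer, so the list should be weighted against clean-file statistics rather than used as a verdict on its own.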