Are you ready for targeted attacks on document shell code?

Microsoft Word, Excel and PowerPoint formats together withAdobe PDF files are increasingly being used to target organisations' data


Targeted attacks that utilise vulnerabilities in popular document file formats and execute via hard-to-find shell code are becoming an increasingly common menace, according to researchers at IBM's Internet Security Systems division.

Experts working with the ISS X-Force group said that they've seen a rapid increase in the volume and variety of shell-code execution attacks levelled at their customers over the last 12 months.

Among the types of files most frequently assailed in the attacks are the most common types of documents passed around many organisations today, including Microsoft Word, Excel and PowerPoint formats, as well as Adobe PDF files.

Many times, the infected documents are being distributed inside specific organisations by hackers who disguise the threats as legitimate files being disseminated within a business via e-mail. Unlike many Web-based threats, the seemingly-innocuous documents typically give no warning that they actually carry malware code.

Since the threats are often sent from spoofed e-mail addresses that appear trustworthy, and live inside documents that haven't been tabbed with the same security concerns as Web-based applications in recent years, end users are falling for the attacks in large numbers, researchers at the Atlanta-based ISS division contend.

"There are many reasons why these attacks are becoming so prevalent, but primarily it's because it's an attractive method from a crimeware perspective, with a lot of potential for social engineering," said Holly Stewart, product manager with X-Force Threat Analysis Service.

"With every new file format vulnerability that's released, we see huge uptake on the part of the malware community," she said. "It often takes the software vendors a long time to issue security patches, and there are also many low-lying attacks where the vulnerabilities haven't even been disclosed yet."

One of the best examples of such an attack was a spear phishing scheme carried out against workers at the United States Department of Defence last year that was reported in late 2006. Through the attack, specific Defence Department workers, including members of all four armed services, were sent e-mails from spoofed addresses that carried infected PowerPoint slides.

In October 2006, the US Defence Security Service (DSS), which manages civilian contractor's access to Department of Defence infrastructure, warned that tens of thousands of employees worldwide had received the infected attachments, with a "significant number of computers" likely compromised by the attack.

Other more recent attacks observed by ISS among its customer base involved high-profile Windows vulnerabilities including the recently-patched animated cursor (.ANI) flaw and the Vector Markup Language (VML) glitch. Critical vulnerabilities in Adobe's Acrobat software have also proved fertile ground for hackers, Stewart said.

"File format vulnerabilities weren't being researched by hackers several years ago, but people figured out that this was an easy way to create new attacks that might so they've been using fuzzing technologies to find holes," Stewart said. "We're also seeing the malware writers come up with a large number of variants on their attacks very quickly, sometimes at a rate of one new attack per hour."

"Recommended For You"

APT attackers are increasingly using booby-trapped RTF documents, experts say Hackers attacking Western defence firms based in China, says Symantec