Document shell code attacks loom large

Most anti-virus, IPS wares miss this particular style of attack

Targeted attacks that utilize vulnerabilities in popular document file formats and execute via hard-to-find shell code are becoming an increasingly popular menace, according to researchers at IBM's Internet Security Systems division.

Experts working with the ISS X-Force group said that they've seen a rapid increase in the volume and variety of shell-code execution attacks leveled at their customers over the last 12 months.

Among the types of files most frequently assailed in the attacks are the most common types of documents passed around many organizations today, including Microsoft Word, Excel and PowerPoint formats, as well as Adobe PDF files.

Many times, the infected documents are distributed inside specific organizations by hackers who disguise the threats as legitimate files being circulated within a business via e-mail. Unlike many Web-based threats, the seemingly innocuous documents typically give no warning that they actually carry malware code.

Since the threats are often sent from spoofed e-mail addresses that appear trustworthy, and live inside document formats that haven't received the same security scrutiny as Web-based applications in recent years, end users are falling for the attacks in large numbers, researchers at the Atlanta-based ISS division contend.

"There are many reasons why these attacks are becoming so prevalent, but primarily it's because it's an attractive method from a crimeware perspective, with a lot of potential for social engineering," said Holly Stewart, product manager with X-Force Threat Analysis Service.

"With every new file format vulnerability that's released, we see huge uptake on the part of the malware community," she said. "It often takes the software vendors a long time to issue security patches, and there are also many low-lying attacks where the vulnerabilities haven't even been disclosed yet."

One of the best examples of such an attack was a spear phishing scheme carried out against workers at the United States Department of Defense last year that was reported in late 2006. Through the attack, specific Defense Department workers, including members of all four armed services, were sent e-mails from spoofed addresses that carried infected PowerPoint slides.

In Oct. 2006, the Defense Security Service (DSS), which manages civilian contractors' access to DoD infrastructure, warned that tens of thousands of employees worldwide had received the infected attachments, with a "significant number of computers" likely compromised by the attack.

Other more recent attacks observed by ISS among its customer base involved high-profile Windows vulnerabilities, including the recently patched animated cursor (.ANI) flaw and the Vector Markup Language (VML) glitch. Critical vulnerabilities in Adobe's Acrobat software have also proved fertile ground for hackers, Stewart said.

"File format vulnerabilities weren't being researched by hackers several years ago, but people figured out that this was an easy way to create new attacks that might so they've been using fuzzing technologies to find holes," Stewart said. "We're also seeing the malware writers come up with a large number of variants on their attacks very quickly, sometimes at a rate of one new attack per hour."

ISS maintains that its customers have been protected from the shell-code-level attacks by its products' heuristic behavioral scanning technologies, but contends that most anti-virus applications don't look for the attacks, and that intrusion prevention systems (IPS) will miss many variants because the document types being used are harder to scan for potential threats.
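To make the distinction between signature matching and the heuristic scanning the article describes concrete, here is an added example of a small attachment triage script. It is not ISS or X-Force code; the file-format markers and the sample attachments (all constructed, none real malware) are my own assumptions. It flags a document when its extension disagrees with its leading bytes, when a PDF declares actions that run on open, when an Office file carries a VBA macro storage, or when any file contains a long run of x86 NOP bytes, which is the kind of sled that precedes shell code and that a filename-based or signature-only scanner never looks for.

```python
import re

# Magic bytes of the document containers the article names (assumed values).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc/.xls/.ppt compound file
MAGIC = {
    b"%PDF": "pdf",
    OLE2_MAGIC: "ole2",
    b"PK\x03\x04": "zip",                          # .docx/.xlsx/.pptx (OOXML zip)
}
EXT_TO_TYPE = {"pdf": "pdf", "doc": "ole2", "xls": "ole2", "ppt": "ole2",
               "docx": "zip", "xlsx": "zip", "pptx": "zip"}

# PDF name objects that make a reader run something on open (heuristic, not a signature).
PDF_ACTIVE = [b"/OpenAction", b"/JavaScript", b"/Launch"]

# OLE2 stores stream/storage names as UTF-16LE; the "Macros" storage holds VBA.
OLE_MACRO_MARKER = "Macros".encode("utf-16-le")
# OOXML keeps VBA in a zip member with this name (visible in the central directory).
OOXML_MACRO_MARKER = b"vbaProject.bin"

# A long run of single-byte x86 NOPs (0x90) is the classic sled placed before shell code.
NOP_SLED = re.compile(rb"\x90{32,}")


def sniff_type(data: bytes) -> str:
    """Identify the container by its leading bytes, ignoring the file extension."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def scan_attachment(filename: str, data: bytes) -> list:
    """Return heuristic findings for one attachment (empty list = nothing flagged)."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed, actual = EXT_TO_TYPE.get(ext), sniff_type(data)

    # 1. The extension promises one format but the bytes are something else.
    if claimed and claimed != actual:
        findings.append(f"type-mismatch:{ext}->{actual}")

    # 2. Format-specific "runs code on open" indicators.
    if actual == "pdf":
        findings.extend("pdf-active:" + kw.decode() for kw in PDF_ACTIVE if kw in data)
    elif actual == "ole2" and OLE_MACRO_MARKER in data:
        findings.append("ole2-macros")
    elif actual == "zip" and OOXML_MACRO_MARKER in data:
        findings.append("ooxml-macros")

    # 3. Generic shell-code heuristic that applies regardless of document format.
    if NOP_SLED.search(data):
        findings.append("nop-sled")
    return findings


def triage(attachments: dict) -> dict:
    """Scan a mailbox's attachments; map each flagged filename to its findings."""
    results = {name: scan_attachment(name, data) for name, data in attachments.items()}
    return {name: found for name, found in results.items() if found}


# Constructed sample attachments (not real malware): minimal but format-shaped bytes.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
    b"3 0 obj << /Length 80 >> stream\n" + b"\x90" * 64 + b"\x00" * 16
    + b"\nendstream endobj\n%%EOF\n"
)
MACRO_DOC = OLE2_MAGIC + b"\x00" * 504 + OLE_MACRO_MARKER + b"\x00" * 40
RENAMED_EXE = b"MZ\x90\x00\x03\x00" + b"\x00" * 58   # PE header start behind a .ppt name

SAMPLE_MAILBOX = {
    "agenda.pdf": CLEAN_PDF,
    "q3_results.pdf": SUSPICIOUS_PDF,
    "budget_2007.doc": MACRO_DOC,
    "slides.ppt": RENAMED_EXE,
}

if __name__ == "__main__":
    for name, found in triage(SAMPLE_MAILBOX).items():
        print(f"{name}: {', '.join(found)}")
```

The three checks are deliberately independent: a document that passes the extension check can still be caught by its on-open actions, and a file in an unrecognised format can still be caught by the sled heuristic. Real deployments tune the sled length and add decompression of PDF streams and OLE containers, since both formats let an attacker hide the interesting bytes behind a compression filter.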

At the heart of the shell-code exploit problem is a lack of ability for major software vendors such as Microsoft and Adobe to patch their products quickly, said Kris Lamb, director of X-Force, which provides threat intelligence used in ISS security products and services.

Three unpatched Word vulnerabilities, among others, are currently allowing hackers to continue carrying out their campaigns with success, he said.

"For whatever reason, with file format vulnerabilities it takes a lot longer for the vendors to provide a patch, or the patch isn't readily available," Lamb said. "I'm not sure if this is a function of the process of triaging file format issues, or whether the issues are so prolific and mainstream, and so many people use the affected products, that they're leery to encourage people to reduce functionality for the sake of making them more mature."

In a nod to the challenges software makers face in addressing the problem, Michael Howard, program manager on Redmond, Wash.-based Microsoft's security team and author of a book on the company's Security Development Lifecycle (SDL) process, recently posted a blog entry on the company's Web site that cited some of the problems that allowed the .ANI flaw to slip through.

Among the measures the company is considering to improve its vulnerability testing process is to "rethink" some of the heuristics tools it uses to search for potential issues, Howard said.

Many security researchers, particularly white hat hackers, have criticized major software vendors including Microsoft for failing to patch product security flaws more quickly, but Lamb said he doesn't think the problem exists because the developers aren't trying hard enough.

The expert said that software makers are simply overwhelmed by the variety and scope of security issues they're being presented with these days.

"Most large vendors have done a good job over the last two or three years of improving their ability to respond and collaborating with other providers to address problems fast. I don't think the issue is a lack of effort," Lamb said. "However, with the speed with which these application-level problems are being exploited, it's clear that they need to find ways to further improve reaction times."
