Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Microsoft Software

Malware Evades Detection By Counting Word Documents (threatpost.com) 70

"Researchers have found a new strain of document-based macro malware that evades discovery by lying dormant when it detects a security researcher's test environment," reports Threatpost, The Kaspersky Lab security news service. Slashdot reader writes: Once a computer is compromised, the malware will count the number of Word documents stored on the local drive; if it's more than two, the malware executes. Otherwise, it figures it's landed in a virtual environment or is executing in a sandbox and stays dormant.

A typical test environment consists of a fresh Windows computer image loaded into a VM. The OS image usually lacks documents and other telltale signs of real world use [according to SentinelOne researcher Caleb Fenton]. If no Microsoft Word documents are found, the VBA macro's code execution terminates, shielding the malware from automated analysis and detection. Alternately, if more than two Word documents are found on the targeted system, the macro will download and install the malware payload.

This discussion has been archived. No new comments can be posted.

Malware Evades Detection By Counting Word Documents

Comments Filter:
  • by Anonymous Coward on Saturday September 24, 2016 @04:38PM (#52954755)

    Don't use Word.

    • by Anonymous Coward

      Disable macros. Allowing macros to do things that are harmful is a massive design flaw.

    • by Billly Gates ( 198444 ) on Saturday September 24, 2016 @05:00PM (#52954823) Journal

      Even if you use LibreOffice I am sure you have word and excel documents lying around. If you do real work or a college student you are going to be emailed office documents.

      • [~]$ find -iname '*.doc' -o -iname '*.docx'|wc -l
        72

        I don't even have any form of office (libre, open or ms) installed.

      • by Dragonslicer ( 991472 ) on Saturday September 24, 2016 @09:18PM (#52955717)

        If you do real work or a college student you are going to be emailed office documents.

        I'm not sure I see the connection between doing a college student and being emailed office documents.

  • by future assassin ( 639396 ) on Saturday September 24, 2016 @04:40PM (#52954767)

    Researchers should store 3 word documents on their systems.

    • by Opportunist ( 166417 ) on Saturday September 24, 2016 @05:36PM (#52954909)

      Brilliant. Pure genius. Nobody ever could come up with this idea.

      No, but seriously. The point is that this thwarts automatic detection tools. Of course, if a human is examining the malware, he will dissect it and analyze it and quickly realize that it counts documents. The automated tool will only notice that it does ... well, nothing.

      • Thanks I'm brilliant, I knew not having a high skool diploma would be useful one day.. Speaking of which any one running these systems should be able to create a script/program to continuously create/delete word documents and randomize the count of documents in the system at any time.

        • This is probably what is going to happen now. Until now, there wasn't really much of a reason to do it.

          • There already was a good reason. You need some stuff like documents and photos around on the drive for ransomware to glom onto.
            • They probably dumped a file of each type into the sample set, to see what kind of documents the malware encrypts and in what way. Hence it is looking for TWO Word files. :)

        • by sound+vision ( 884283 ) on Saturday September 24, 2016 @07:36PM (#52955409) Journal
          This piece of malware looked for Word documents, but the next one won't. Maybe it looks for image files, or it looks to see if the web browser has a significant cache built up. Or something more subtle than that. A better idea would be to create system images of used systems, periodically swapping them out, to make it a moving target.
          • Winning the arms race like that is going to be tough. A more general solution would be thorough, targeted instrumentation to better assess any file IO operations performed. It should be easy enough to fingerprint Office and use the data to monitor for anomalous file activity.
          • by truedfx ( 802492 )
            Used systems very likely have personal data on them. I wouldn't feel comfortable with the risk of letting malware or viruses be able to find anything like that.
      • Actually, the summary explicitly states that the purpose of this malware's behavior is to thwart human analysts testing in a fresh environment. It's not the most impressive technique, but it is a cheap way to increase the defender's costs, given the potentially high price of reverse engineering.
        • This is rather odd, considering how manual malware reverse engineering works. Usually when you get a sample to dissect, you already know that it's a bogey. So it not doing what it's supposed to do is a quick way to become even more interesting, and finding that reason shouldn't take a good AV researcher more than an hour, tops.

          It also doesn't really add to the complexity of the analysis, creating/copying a handful of documents into your VM isn't that big a deal, what you'll probably do is to clean up, copy

          • Well, it depends largely on context. The question isn't always, "what does this malware do?" A lot of the time it's, "is this malware?" In the former case, sure, the appearance of innocuousness is going to evoke even more curiosity, and something like this will be little more than a speed bump. But in the latter case (which is by far the more common scenario), simple anti-forensics can prove very effective in evading detection.

            Think about it, if you've got a backlog of hundreds or even thousands of quest
            • I can tell you exactly how much time a reverse engineer invests in a file that may or may not be malware: Zero seconds. There isn't even close to enough time to start looking at even a tiny fraction of all the potentially dodgy files that make it past the attention of an AV team. And there isn't also any need for this, we do have very sophisticated automated tools that do pretty much what you describe, create a VM environment and run the file. Well, it does a bit more than just run it, but let's keep it at

    • by flowsnake ( 1051494 ) on Saturday September 24, 2016 @07:52PM (#52955455)
      It's an arms race. As the malware gets more sophisticated at evasion, the sandbox will be made smarter to counter this. Complexity and sophistication will increase. Eventually, they will get smart enough to pass the Turing Test in order to stay in the game.
    • by DMFNR ( 1986182 )
      It's kind of mind boggling that the people doing these tests never thought that there would be some value to simulating an actual real life system when they are doing these tests. A collection of common software and files that they could monitor for side effects. It's not something I would imagine would cause them that much work, just add it to the image they are using, it's still a controlled environment if you know exactly what you put on there.

      Oh well, guess they probably will now!
    • Researchers should store 3 word documents on their systems.

      Seriously, using an empty install of Windows, in a VM, as a "Honey Pot" to catch malware is really lazy! Put something in there that would fool a casual human.
      Then maybe you can fool the -next- version of malware. ;-)

  • This is really smart. Sure, you can not have Word and or have more docs but the detection of a real environment will just change. Kudos to the dev for thinking about this, even if it is virii.

    • by SeaFox ( 739806 )

      You could image a real-world computer and use that to make test environment templates (obviously remove any documents that contain any real sensitive info).

      • Yup, pretty easy fix. Word docs, few thousand porn pics and movies and it starts to look like a real computer. I guess the next step for malware could be. Checking to see when word docs were last modified and such, but it would be easy to fake that too.
    • Viruses. In English, at least. In Latin, it would be vira. Third declination, not second.

      And while I can at least understand that people who don't understand Latin but somehow learned that -us becomes -i in plural (yes, if it's 2nd and masculine instead of neuter), where the fuck does that second "i" come from?

      • by Potor ( 658520 ) <farker1@gmai l . com> on Saturday September 24, 2016 @05:59PM (#52954987) Journal

        Viruses. In English, at least. In Latin, it would be vira. Third declination, not second.

        And while I can at least understand that people who don't understand Latin but somehow learned that -us becomes -i in plural (yes, if it's 2nd and masculine instead of neuter), where the fuck does that second "i" come from?

        Your answer is confusing, even though the result is correct.

        Morphologically speaking, "vira" would be the proper plural precisely because "virus" is a second (not third) declension neuter noun.

        Yet, it "virus" like "water" is uncountable so this plural is unattested.

        But why do we always end up in this same Latin grammar and philology lesson?

        • But why do we always end up in this same Latin grammar and philology lesson?

          ...OCD?
          I have some too.

        • by junk ( 33527 )

          Your answer is confusing, even though the result is correct.

          It's actually not correct but that's because I'm not new here. The spelling was intentional.

      • by Sique ( 173459 )
        Virus has no plural in Latin. It's a singularitantum. So whatever plural you choose in another language, it's made up anyway.
  • by K. S. Kyosuke ( 729550 ) on Saturday September 24, 2016 @05:43PM (#52954931)

    They make code do stuff before it's even executed these days!

    But they could also have it look for cat videos. If even one is detected, it should definitely run no matter how many Word documents are found.

  • Next gen (Score:5, Funny)

    by hcs_$reboot ( 1536101 ) on Saturday September 24, 2016 @07:21PM (#52955335)
    Next generation malware will switch on the camera, observe the room for a few days, and if no woman at all enters the room it stays dormant.
    • And how will the authors dev test that then?
    • by PMuse ( 320639 )

      Large size increases likelihood of detection. The code to count .doc files is tiny. Facial recognition, not so much.

      • by Anonymous Coward
        Sure facial recognition... but BOOB recognition is HIGHLY optimized.
  • I have 1 Word document on my PC. My resume. Some companies refuse to recognize Libreoffice word docs as Word format.

    Sux2bme I guess.
    • by Salvage ( 178446 )

      I seem to recall that some versions of Word don't recognize files from other versions of Word as being "Word format".

      When I've had to deal with places that only take "Word format" I've sent them several different versions due to the above (and with a PDF version, too). I've occasionally been thanked for my thoughtfulness.

      Of course, keeping around copies of one file in several variations of "Word format" takes up a disproportionate amount of space, so I only generate them as needed.

  • by Anonymous Coward

    Am I retarded? It doesn't matter.

    Counting documents is "doing something" If the automated system doesn't see the macro accessing the filesystem and doing searches on the filesystem, then the automated system is more retarded than me.

    • 'Retarded' may be a bit harsh - perhaps 'slow' might be more appropriate.

      You're assuming that performing innocuous read only file operations is sufficient cause to flag the macro as being a virus.

      Consider, for example, a legitimate macro which would present the user with a list of monthly sales reports. I haven't done spreadsheets since running Lotus 1-2-3 on a VAX mini computer, but your macro would essentially end up searching for 'SALES*.DOC' files - almost exactly what this one is doing.

      Would you bar

  • This is why I only use Atlantis for word processing, Notetab Pro for text editing, and OpenOffice for everything else.
  • Hey, this sounds exactly like the kind of tactics the VW software used to evade emission tests. I see the engineers fired by VW got a new job :-)
  • I'm safe.

    I mean, I use Linux and Mac so I'd be safe anyway, but if they made this virus for a real computer instead of Windows then I'd still be safe because my hard drives have zero Word documents on them.

Ocean: A body of water occupying about two-thirds of a world made for man -- who has no gills. -- Ambrose Bierce

Working...