Comments on: Rich Text Malware http://blogs.mcafee.com/mcafee-labs/rich-text-malware Tue, 29 Nov 2011 07:51:20 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: john keane http://blogs.mcafee.com/mcafee-labs/rich-text-malware/comment-page-1#comment-10121 john keane Wed, 03 Sep 2008 22:20:57 +0000 http://blogs.mcafee.com/2007/05/25/rich-text-malware/#comment-10121 rtf is an open standard markup language and has no need to transfer executable code to satisfy its basic mapping function: font,upper-lower case, etc.. Why do such WPML + executable code programs such as MSWord not simply refuse to remap executable code from a default rtf-A standard. rtf is an open standard markup language and has no need to transfer executable code to satisfy its basic mapping function: font,upper-lower case, etc..

Why do such WPML + executable code programs such as MSWord not simply refuse to remap executable code from a default rtf-A standard.

]]> By: Mike Graham http://blogs.mcafee.com/mcafee-labs/rich-text-malware/comment-page-1#comment-10120 Mike Graham Tue, 29 May 2007 21:33:48 +0000 http://blogs.mcafee.com/2007/05/25/rich-text-malware/#comment-10120 >This was a problem with IE 5, Outlook Express 5, and Outlook >2000 until Microsoft patched it. self edit: this was a problem because IE & OE would execute files directly into memory, therefore no virus scanner would get a chance to scan it first. >This was a problem with IE 5, Outlook Express 5, and Outlook
>2000 until Microsoft patched it.

self edit: this was a problem because IE & OE would execute files directly into memory, therefore no virus scanner would get a chance to scan it first.

]]> By: Mike Graham http://blogs.mcafee.com/mcafee-labs/rich-text-malware/comment-page-1#comment-10119 Mike Graham Tue, 29 May 2007 21:28:55 +0000 http://blogs.mcafee.com/2007/05/25/rich-text-malware/#comment-10119 most, if not all virus scanners do not scan files executed directly into memory; they must be run from the hard drive to be detected. This was a problem with IE 5, Outlook Express 5, and Outlook 2000 until Microsoft patched it. So, if Wordpad executes its attachment straight into memory, from within the .rtf already running in memory, then any virus infected process won't be noticed until it tries to write infected code to the hard drive. my 1 1/3 cents most, if not all virus scanners do not scan files executed directly into memory; they must be run from the hard drive to be detected. This was a problem with IE 5, Outlook Express 5, and Outlook 2000 until Microsoft patched it.

So, if Wordpad executes its attachment straight into memory, from within the .rtf already running in memory, then any virus infected process won’t be noticed until it tries to write infected code to the hard drive.

my 1 1/3 cents

]]> By: Randy Abrams http://blogs.mcafee.com/mcafee-labs/rich-text-malware/comment-page-1#comment-10118 Randy Abrams Tue, 29 May 2007 14:37:59 +0000 http://blogs.mcafee.com/2007/05/25/rich-text-malware/#comment-10118 But every scanner's on-access module will block the eicar file when you extract it from the RTF. RTF may get known malware passed the email scanner, but not the on-access or reat-time scanner. This is really FUD. Scanning through RTF does not increase user secuirty. Blocking executable threats does. The threat is not executable until extracted from the RTF. It is no different than putting a k nown threat inside of an archive file that McAfee doesn't know. As soon as the user extracts the file it is detected. Cheers, Randy But every scanner’s on-access module will block the eicar file when you extract it from the RTF. RTF may get known malware passed the email scanner, but not the on-access or reat-time scanner. This is really FUD. Scanning through RTF does not increase user secuirty. Blocking executable threats does. The threat is not executable until extracted from the RTF. It is no different than putting a k nown threat inside of an archive file that McAfee doesn’t know. As soon as the user extracts the file it is detected.

Cheers,

Randy

]]>