Rich Text Malware

McAfee Avert Labs has of late seen numerous submissions of executable files embedded within Rich Text Files as OLE objects. These executable files usually have the icons of a trusted file type–for example, DOC, PDF, or TXT–and have a convincing message to entice victims into executing it.

Few would click on an embedded executable within a document file, but if the same executable were to have the file extension of a trusted or harmless file type, there would be more takers for this bait. By default if one were to drag and drop an executable into WordPad, it would display the full filename and extension as follows:

    

Changing the label of the embedded file is a trivial thing involving a couple of mouse clicks and Wordpad will run the embedded file just fine when executed. The sequence of steps to make this change will not be revealed in this blog for obvious reasons.

So I asked myself, why are the bad guys using such an old technique in these times of zero-day exploits? The answer is startling. Most antivirus software is unable to parse the rich text file format! As a trial, I submitted the antivirus test file EICAR.COM and an embedded copy of the same in rich text format to VirusTotal–a public antivirus scanning service.

Every single scanner detected the antivirus test file EICAR.COM, but only 16 out of 30 scanners were able to detect it embedded inside a rich text file. In layman’s terms, one could take an already detected malware and embed it inside a rich text file and half the antivirus software on the market would not detect this type of threat. A perfect foil for virus authors to use in phishing and spam runs.

Given that the bad guys rigorously QA their creations against antivirus software before releasing into wild, it comes as no surprise why we are seeing an increase in this type of threat. Only time will tell how effective this technique is, both at the software and social-engineering level. It will be interesting to watch how the field plays out.