Sunday, January 27, 2008

Current State of Malware Analysis

The pauldotcom podcast from January 24, 2008 had a technical discussion on advanced malware analysis and the new SANS Security 610 course. Security 610 is a four-day course: the first two days are revised from the original Security 601 REM course, and the two new days are also listed as Security 602. Day three's material is entirely on code analysis and is written by Mike Murr. I had the pleasure of contributing to day four along with Lenny Zeltser, Pedro Bueno, and Bojan Zdrnja. My material was on malware self-defenses and defeating those defenses. Day four also includes in-depth material on virtualization detection and web-based malware.

Although I wasn't able to join in on the podcast, I've listened to it today and can say it is representative of malware, malware analysis, and of course the new Security 610.


Monday, January 21, 2008

Latest Excel Flaw in the Wild

I've been asked more than just a few questions about Microsoft Excel's new vulnerability, so I wanted to lay a few of the issues out on the table.

Some people have essentially declared this a non-issue since it applies only to older versions and has so far been used only in targeted attacks.

It has only been seen in the wild against specific targets so far, but it is only a matter of time before it is leveraged in a botnet campaign. How many companies and individual users block Excel attachments already? How realistic is it for any organization to block incoming Excel attachments? We have seen how the bad guys have used password-protected ZIP files to bypass filters, and spammers have started encoding their material in PDF and JPG files to avoid filters. Excel is so common that it is only a matter of time before this vulnerability is used on a much larger scale.
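As an added example (not from the original post), here is a small content-based attachment triage routine that shows why extension-based blocking is weak and how the tricks mentioned above can be caught at the gateway. It classifies a file by its actual bytes: the legacy OLE2 compound-document container used by binary .xls/.doc/.ppt files (the format the current flaw lives in), OOXML packages (ZIP archives containing xl/workbook.xml), and ZIP archives whose entries carry the encryption flag bit, which is the "password-protected ZIP" trick. The policy decisions, the expected-extension table and the constructed sample files are assumptions made for the illustration, not anything the post prescribes.

```python
import io
import os
import zipfile

# Magic bytes of the OLE2 compound document container (legacy binary .xls/.doc/.ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# Extensions consistent with each detected content type (policy assumption).
EXPECTED_EXT = {
    "ole2-binary-office": {".xls", ".xlt", ".doc", ".dot", ".ppt", ".pps"},
    "ooxml-excel": {".xlsx", ".xlsm", ".xltx", ".xltm"},
    "ooxml-other": {".docx", ".docm", ".pptx", ".pptm"},
    "zip": {".zip"},
}


def classify_attachment(filename, data):
    """Return (content_type, action), deciding on the bytes rather than the filename."""
    ext = os.path.splitext(filename)[1].lower()
    if data.startswith(OLE2_MAGIC):
        kind = "ole2-binary-office"
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                # Bit 0 of the general-purpose flag marks an encrypted entry:
                # a content scanner cannot look inside, so treat it as opaque.
                encrypted = any(zi.flag_bits & 0x1 for zi in zf.infolist())
        except zipfile.BadZipFile:
            return "malformed-zip", "quarantine"
        if encrypted:
            kind = "encrypted-zip"
        elif "xl/workbook.xml" in names:
            kind = "ooxml-excel"
        elif "[Content_Types].xml" in names:
            kind = "ooxml-other"
        else:
            kind = "zip"
    else:
        kind = "other"

    # Assumed policy: the vulnerable parser is the legacy binary format, so
    # quarantine it outright; quarantine anything that cannot be inspected;
    # hand extension/content mismatches to a human.
    if kind in ("ole2-binary-office", "encrypted-zip"):
        return kind, "quarantine"
    if kind in EXPECTED_EXT and ext not in EXPECTED_EXT[kind]:
        return kind, "inspect"
    return kind, "allow"


def make_zip(entries, encrypted=False):
    """Build a constructed ZIP in memory. With encrypted=True, set the encryption
    flag bit in every local (offset 6) and central-directory (offset 8) header;
    the payload is not really encrypted, this only models what the archive declares."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + flag_off] |= 0x01
                pos = raw.find(sig, pos + len(sig))
    return bytes(raw)


# Constructed samples for the demonstration (not real attachments).
OOXML_ENTRIES = [("[Content_Types].xml", b"<Types/>"), ("xl/workbook.xml", b"<workbook/>")]
SAMPLES = {
    "q4_numbers.xls": OLE2_MAGIC + b"\x00" * 504,          # legacy binary workbook
    "q4_numbers.xlsx": make_zip(OOXML_ENTRIES),             # OOXML workbook, name matches
    "invoice.zip": make_zip([("invoice.xls", b"x")], True),  # "password-protected" ZIP
    "readme.txt": make_zip(OOXML_ENTRIES),                  # workbook hiding behind .txt
    "notes.txt": b"plain text",
}


def triage(samples=SAMPLES):
    """Classify every sample; returns {filename: (content_type, action)}."""
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (kind, action) in triage().items():
        print(f"{name:18} {kind:20} {action}")
```

The point of the magic-byte check is that a binary workbook renamed to .txt or .dat still reaches the vulnerable parser if the user double-clicks it and Windows hands it to Excel, so a filter keyed on the extension alone gives no protection; the encrypted-flag check is what turns the password-protected ZIP from a bypass into a reason to hold the message.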

Specifically, remember how Bugbear stole filenames from the previous victim's hard drive? What happens when a new vulnerable victim receives a familiarly named file from a familiar email address? Even if Outlook throws up a barrage of confirmation dialogs, the user will click through them.

As for underplaying the issue as affecting only legacy versions of Excel, just define legacy. How many people out there upgrade to the latest Microsoft Office version each time a new one is released? Personally, I find that Office 2003 and 2007 have quite a few value-added features, but many folks need only the basics and are quite happy with Office 2002 (XP) or earlier. Also, how many organizations have rolled out SP3 for Office 2003? Most that I am involved with have, but these are the questions to ask yourself when you determine your risk.

The key things to remember are that it is remotely exploitable, that users will tend to open important-looking Excel spreadsheets anyway, and that there is little information about a patch (Microsoft's blog announcement said that later versions simply do not contain the vulnerable code; it is not as if they have found and fixed the flaw yet).

For most users, the best defense against this vulnerability right now is to upgrade to Office 2003 and apply Service Pack 3, or to use an alternative office suite such as OpenOffice. To combat this type of vulnerability across the Microsoft Office family of products, install the Office Compatibility Pack and MOICE (the Microsoft Office Isolated Conversion Environment, which converts legacy binary documents to the newer formats in a sandboxed process before Office opens them). Instructions are available under "Workarounds" at

Be sure to keep your operating system and applications patched as much as possible to minimize the risk and impact of file- and protocol-parsing vulnerabilities. With application convergence, the exposure created by any single vulnerability is increasing. There is some wisdom in what my friend Zeke told me last Friday: "Paranoia is a gift, not a disorder."

Update: a Government Computer News article quoting me and my friend and associate John Strand is below.

Old Excel may lead to new attacks
01/21/08 -- 02:34 PM New and still-unpatched vulnerability exists in older versions of the spreadsheet program.
