Outsmarting that malicious document

Most of us would be familiar with the injunction not to open executable attachments. Executable attachments are those files which are sometimes attached to email messages and can be run directly by clicking on them. These days most people have stopped sending executable files via email. A majority of Internet service providers filter out such files. Attackers have now adapted to use documents as a vector of attack. The objective of the attacker as always is to gain control of at least one machine in your network. Once he does that, he is easily able to go through the network and gain control over other machines. Yes, it is possible to have defenses in place and isolate the machine the moment it is infected but that is the topic of another post. Here, I would like to tell you how to avoid getting trapped by malicious documents.

We need to step back and understand why documents work as a vector of infection. Today’s word processors and file readers are very sophisticated applications. They can render almost any kind of file in whatever fancy format you wish. More importantly, they can execute bits of programs as they open. This capability helps you submit things like forms in PDF files, use macros in Microsoft Office applications et cetera. It is this capability that malware authors have begun to exploit. Let us take Adobe Acrobat Reader as an example. Acrobat Reader is a powerful application that can render a variety of PDF files. These files can not only contain text and graphics but also multimedia content. Moreover, you can have forms and other objects embedded in PDF files. Over the years, Adobe has done a significant amount to ensure that malware does not break out of the Acrobat Reader sandbox. However, it sometimes does and this is where the problem starts. As of this writing, there is no way to disable executable content in Adobe reader. The only thing you can do is mitigate the effects of the malware.

In Microsoft Office, from version 2007, Microsoft has made the primary word document format such that it cannot contain executable code. Any file with a docx extension cannot contain word macro code. You need to use a special kind of file which is known as a Word macro enabled file if you want to use macros in your Word documents. The same applies across Microsoft Office.

I am not going to debate which approach is better. Things can and do go wrong. Here are the steps you need to take to mitigate the impact of malicious documents.

  • If you do not expect an attachment, do not open it. The usual caveats about spam apply. Remember, there are no free lunches.
  • As far as possible, do not run with administrator privileges. As long as you run with restricted privileges, even if malware breaks out of the Adobe sandbox or otherwise infects your computer, it will be limited to the privileges assigned to the current user. Malware can escalate its privileges but it needs a hook and that hook is harder to get when you are running as a nonprivileged user.


    I use the term hook in the loosest possible context. Any programmers reading this post should not mistake the term hook for the hook that is used when dealing with Windows messages.

  • Ensure that you keep your systems and applications fully patched. Companies are quick about patching vulnerabilities that are found in their programs.
  • As with any malware mitigation strategy, keep backups handy in case the worst happens.
  • Use services such as open DNS on your Internet infrastructure so that it is harder for malware to phone home.
  • Keep anti-malware applications updated.

Filed under: commonTasks,networking — Tags: , , , , , — security-writer @ December 30, 2013 20:51