XML heaven

Gabor Szappanos, VirusBuster

  Technical stream: Friday 26 Sept 2003, 15.40-16.00.

Office 2003 introduced a new document format, single-file XML storage, which stores macros encoded in the XML body. At first sight it should not be much different from the native binary format we are used to, but it results in serious performance issues. This paper investigates how the new format affects the scanning of infected and non-infected documents respectively, as a function of file size.

So far it has been extremely difficult to implant a macro virus into an Office document without the active participation of Office itself. Even VBScripts that infected Word documents relied on the ActiveX server capabilities of Word. For binary malware, properly handling the OLE2-WordDocument storage format sandwich was almost impossible. Using a textual representation makes it a lot easier to insert macro code into an ordinary document. A binary dropper can carry a copy of an infected macro storage and insert it easily into an appropriate location in a Word document. Office is very generous about the appropriate location; therefore the XML parser of the virus does not have to be sophisticated at all. This could happen on just about any platform, including Unix, Linux and others, where active macro infection was not possible until now. The presentation attempts to outline the new attack scenarios that derive from the new file format.
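An added example (not from the paper or from VirusBuster): a streaming check for macro storage in a Word 2003 single-file XML document. It reads the file in fixed-size chunks so memory use stays constant as the document grows, and it flags the storage wherever the element sits. The `w:binData` element, the WordprocessingML namespace and the `ActiveMime` marker are taken from the Word 2003 XML format rather than from this abstract; the sample document is constructed.

```python
import base64
import xml.parsers.expat

# Assumption (not stated in the abstract): the WordprocessingML 2003 namespace.
W_NS = "http://schemas.microsoft.com/office/word/2003/wordml"

def scan_wordml(stream, chunk_size=65536):
    """Stream-parse a Word 2003 XML file and list embedded ActiveMime parts."""
    findings, stack = [], []
    cur = {}  # state of the w:binData element currently being read, if any
    def start(name, attrs):
        stack.append(name)
        if name == W_NS + " binData":
            cur.update(name=attrs.get(W_NS + " name", ""), head="", b64_chars=0,
                       in_supp=(W_NS + " docSuppData") in stack)
    def chars(data):
        if cur:
            data = "".join(data.split())   # base64 text is line-wrapped
            cur["b64_chars"] += len(data)
            if len(cur["head"]) < 16:      # keep only what the marker check needs
                cur["head"] = (cur["head"] + data)[:16]
    def end(name):
        stack.pop()
        if name == W_NS + " binData" and cur:
            try:
                magic = base64.b64decode(cur["head"][:len(cur["head"]) // 4 * 4])
            except ValueError:
                magic = b""
            if magic.startswith(b"ActiveMime"):  # marker of an embedded macro storage
                findings.append({k: cur[k] for k in ("name", "in_supp", "b64_chars")})
            cur.clear()

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        parser.Parse(chunk, False)
    parser.Parse(b"", True)
    return findings

def sample_document():
    """Constructed sample: placeholder bytes after the marker, not a real macro storage."""
    blob = base64.b64encode(b"ActiveMime" + bytes(32)).decode()
    pic = base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(8)).decode()
    return (f'<?xml version="1.0"?><w:wordDocument xmlns:w="{W_NS}">'
            f'<w:docSuppData><w:binData w:name="editdata.mso">{blob}</w:binData></w:docSuppData>'
            f'<w:body><w:p><w:binData w:name="wordml://01.png">{pic}</w:binData></w:p></w:body>'
            f'</w:wordDocument>').encode()
```

Only the first 16 base64 characters of each `w:binData` are decoded, so a clean document with large embedded pictures costs one pass over the text and no large allocations.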

