Jan,

Does full-disclosure need a digg.com style social news and voting site? Let me know; I'd be happy to build one for your community.

See: http://digg.com and http://wimax-coverage.com and http://iptv-coverage.com

On 12/7/06, Jan P. Monsch <[EMAIL PROTECTED]> wrote:
> Hi
>
> Last week I have been googling around for comments and reactions from my
> report "Malware Detection Rate in Alternative Word Formats"
> (http://www.iplosion.com/archives/3) which was posted in the ISC diary on
> August 23rd, 2006 (http://isc.sans.org/diary.php?storyid=1630). To sum it up,
> there have not been a lot of reactions in magazines or the like, but it got at
> least the attention of the malware research community.
>
> There is this very interesting follow-up article from Christoph Alme in the
> October 2006 edition of the Virus Bulletin. The two-page article "Scanning
> Embedded Objects in Word XML Files"
> (http://www.securecomputing.com/pdf/CAlme_VBOct06.pdf) elaborates how
> AV products can identify embedded objects in Word XML files. He shows that
> XML documents can be manipulated slightly, within the flexibility offered in
> the XML standard, and are still considered valid Word documents. Using the
> same VirusTotal-based testing method as I did, he demonstrates that all
> existing AV products can be bypassed. As you might remember from my initial paper,
> there were only three AV products capable of finding embedded malware in my
> run-of-the-mill XML documents.
>
> So what does this tell us: The most likely reason is that these three virus
> scanners do not really understand the XML document format. They most likely have
> no XML parser integrated, or the parser only implements the XML standard
> partially. This once again melts down to the conclusion that the decoding
> capability is the name of the game.
>
> Now let us speculate that AV products will integrate a complete
> off-the-shelf XML parser. Will this help? Well, it will help to properly
> decode XML documents, but it will most likely introduce new vulnerabilities
> in AV products so far unheard of.
> (Actually the motivation for writing this
> article is to prevent AV vendors from releasing such broken products). Let us
> take XML external DTD references as an example. If the XML parsers are used
> in default configuration or are not configured properly, scanning an XML
> with an external reference will result in requests to external sites. That
> is nice. This would allow an attacker to track malware distribution or
> download additional exploit files to the scanning system.
>
> With the release of Office 2007 a couple of days ago, which will have the
> Office Open XML format as standard storage format, the urge for XML-enabled
> AV products will grow. My retesting today shows that the detection rate of
> Netsky as an embedded object in an Office 2003 Word XML is still at the same
> level as 3 months ago. I fear that the AV industry is not quite yet ready to
> protect their customers against XML-delivered attacks.
>
> Kind regards
> Jan P. Monsch
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
Robert Q Kim, Wireless Internet Provider
http://evdo-coverage.com/satellite-wireless-internet.html
http://evdo-coverage.com
2611 S. Pacific Coast Highway 101 Suite 203
Cardiff by the Sea, CA 92007
206 984 0880
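The scanner-side handling Jan's quoted post describes (an XML parser that must never follow external DTD or entity references, yet still finds the embedded objects in a Word XML file) as an added example, not code from either poster or from any AV product. It uses Python's standard-library expat bindings; the WordML namespace, the w:binData element layout and the sample document are assumptions constructed for the example.

```python
import base64
from xml.parsers import expat

# Namespace of Word 2003 XML (WordML), as used by the constructed sample below (assumed).
WORDML_NS = "http://schemas.microsoft.com/office/word/2003/wordml"
# Signatures a scanner would look for in the decoded blob (OLE2 wrapper, raw executable).
MAGICS = {b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound file", b"MZ": "DOS/PE executable"}

def inspect(xml_text):
    """Parse a WordML document without fetching anything. Returns
    (external references the document asked for, [(w:name, blob type, size)])."""
    external_refs, objects, current = [], [], []   # current: [w:name, base64 chunks]
    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id:                     # external DTD: recorded, never resolved
            external_refs.append(("doctype", system_id))
    def on_external_entity(context, base, system_id, public_id):
        external_refs.append(("entity", system_id))
        return 1                          # carry on, with the entity left unexpanded
    def on_start(name, attrs):            # names arrive as "namespace-uri localname"
        if name == WORDML_NS + " binData":
            current[:] = [attrs.get(WORDML_NS + " name", "?"), []]
    def on_chars(data):
        if current:
            current[1].append(data)
    def on_end(name):
        if current and name == WORDML_NS + " binData":
            blob = base64.b64decode("".join(current[1]))   # line breaks are skipped
            kind = next((k for m, k in MAGICS.items() if blob.startswith(m)), "unknown")
            objects.append((current[0], kind, len(blob)))
            current.clear()
    p = expat.ParserCreate(namespace_separator=" ")
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)  # never load the external DTD
    p.StartDoctypeDeclHandler = on_doctype
    p.ExternalEntityRefHandler = on_external_entity
    p.StartElementHandler, p.EndElementHandler = on_start, on_end
    p.CharacterDataHandler = on_chars
    p.Parse(xml_text, True)
    return external_refs, objects

# Constructed sample (not real malware): a w:binData blob starting with the OLE2
# signature, plus the kind of external DTD reference the post warns about.
FAKE_OLE = base64.b64encode(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 24).decode()
SAMPLE = f"""<?xml version="1.0"?>
<!DOCTYPE w:wordDocument SYSTEM "http://dtd.example.invalid/word.dtd">
<w:wordDocument xmlns:w="{WORDML_NS}"><w:binData w:name="wordml://02000001.bin">
{FAKE_OLE}
</w:binData><w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:wordDocument>"""
```

Running `inspect(SAMPLE)` reports the external DTD the document tried to pull in and the embedded OLE2 object, with no network request ever made by the parser.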
