The goal of a malware writer is to create code that isn’t detectable by common antivirus software or network intrusion detection systems. Even if malware is zero-day, good antivirus software can pick up on suspicious URLs encoded into documents and executables. A common vector for attackers is Microsoft Office. These documents use XML to store data including URLs to connect to a remote server. It’s these URLs that attackers must obfuscate to avoid anti-malware detection.
One reason Microsoft Office is so popular with organizations is its ease in embedding other file formats into a document and using the data linked from a remote location. Users can edit the source file and changes display in the destination file opened by the user. Office stores data in XML format that can be seen if you look at the file’s source.
The most convenient, quickest way to see the way Office stores information is to change a Word document from the .docx file extension to a .zip. Double-click the new .zip file and open the XML filed named document.xml in the archive. You’ll see the way Office stores data for Word, including any linked files.
This example is an image file, but linked documents from the web will displays an IP associated with the remote server that stores the linked file. If an attacker uses IP addresses labeled as a malicious site, then most anti-malware defenses will stop the application from connecting to the remote source and quarantine the file.
To avoid antivirus detection, attackers use methods to obfuscate IP addresses. This means that they store an IP address as an alternative value so that it can still be used to connect to a remote location, but the IP stored avoids detection at least for a time. Antivirus researchers continue to update signature files to detect new attacker methods, but a malware writer can create new innovative ways to store an IP address without it being obvious to a reader or protection software that it’s malicious.
The first method is to turn an IP address into a decimal value. IPv4 addresses contain four octets (8 bits). These 8-bit values can be converted to decimal values, which are then stored in the XML content. A decimal value is not noticeably malicious even for antivirus software, but the malware writer’s code can convert the value back into binary when it performs a connection to the Internet.
A second method is using Simple Message Block (SMB) connections. SMB v1 is the primary vulnerability used by ransomware attackers to connect to a local drive in a Windows environment and encrypt its contents. Malware writers can scan SMB ports, connect to the shared directory and manipulate files. With an Office file, the malware writer can copy executables to a shared device to infect other machines and use the SMB connection to a remote attacker-controlled server to download malicious executables. If the network administrator has SMB enabled on the network, this network traffic would not trip notifications from intrusion detection and prevention systems.
Finally, a third common method is to encode URLs into their hexadecimal equivalents. Attackers can encode the entire URL including the domain name or encode just a part of it. Browsers automatically detect hexadecimal encoded URLs provided they follow the right syntax. Each value must have the percent (%) sign prefixing a letter including special characters and whitespace.
For instance, the following hexadecimal value spells out “example.com/maliciousfile.exe” if you were to decode it:
A browser would be able to decipher this URL encoded value and connect to the remote server. It’s not noticeably a URL for the casual reader, and it avoids detection from some antivirus software.
In addition to these obfuscation techniques, attackers can also double-encode values. An IP address can be hexadecimal encoded and behind the hex value is a decimal IP value. Double encoding avoids detection from more advanced detection software that can read one-step encoded values.
The best way to stop these attacks is DNS-based content filters. Every browser connection uses DNS to connect to the remote server, and encoding will not change the DNS query during a browser’s URL processing. Content filters can also help block content from loading locally on a user’s browser, but DNS-based filters stop the attack before any content is downloaded.
Although antivirus is a must for all organizations, using additional anti-malware protocols will ensure that remote connections missed by local machine protection will still be stopped. DNS-based filters are the best method to complement antivirus software.
Anti Malware Protection
WebTitan Cloud includes several categories of malware protection, blocking access to compromised websites, Spam based websites, Spyware, and malicious websites.
WebTitan Cloud offers URL filtering of up to 53 predefined categories including 1 O's of millions of URL's which works in conjunction a cloud-based lookup and real-time classification system to provide an unmatched combination of coverage, accuracy, and flexibility. Rest easy knowing your internet access is safe and secure.
Simply call us today, and you could be adding an extra level of security to your organizations web browsing activity within minutes.
Sign-up for email updates...