
Although it is a much less technical evasion technique, using file type tricks to deliver malware is nonetheless quite effective. This is particularly true for malware distributed through email phishing, one of the most common delivery methods: arriving as a common file type helps the malware fly under the radar.
Even where no other protections are in place, it is common for mail administrators to block messages carrying executable attachments: legitimate senders rarely send them, and they pose a high risk given the prevalence of malware phishing. A ZIP file, however, can contain that same executable, and because legitimate ZIP attachments are common it may not be blocked the way a bare executable would. A gateway that unpacks archives and inspects what is inside closes that gap for plain ZIPs, which is why attackers also password-protect the archive and put the password in the message body, leaving the gateway unable to look inside.
Conversely, some malware uses lesser-known compression or archive formats in the hope that their obscurity keeps them off the block lists. The operating system's built-in extractor may not open such a file, but widely installed third-party software will: 7zip handles just about any compressed file or archive and is widely used largely because of that versatility. For the defender this is an argument for identifying attachments by their content rather than by whether the extension appears on a block list.
Why Windows is a popular malware target
The vast majority of malware targets Windows, which gives attackers a particular advantage where file types are concerned. Unix-like systems decide whether a file can be run from its permission bits and its header (an ELF magic number or a #! line), and their desktops identify file types from content as well as from the name. Windows takes the file name at face value: the extension alone selects the handler, and extensions such as .exe, .scr, .bat, .cmd and .js are run directly. By default, Explorer also hides the extension of known file types. This presents a couple of opportunities to attackers.
First, they can try to trick users with multiple extensions, since the last, real extension may be hidden from most users. A file named “Vacation Photo.jpg.exe” shows up as “Vacation Photo.jpg” to anyone who has not enabled showing file extensions, yet it is an executable and will run as one. Because Windows takes the displayed icon from the executable's own resources, the attacker can give it a photo icon as well, so even the icon gives nothing away. Enabling “File name extensions” in Explorer removes the disguise, and a gateway should treat the outermost extension (and, better, the file's leading bytes) as the real type.
Second, a specific file extension can steer a file into a vulnerable piece of software rather than the application that would normally open that file type. One example, used quite a bit in the past, was to give a Microsoft Word document the .rtf extension instead of .doc, its actual format: WordPad, which also supports the format, is the default handler for .rtf on many systems, so the document opened there, and a document crafted to exploit a WordPad vulnerability triggered it in WordPad rather than in Word. A check that compares the extension with the file's actual format catches the renaming before the application ever sees it.
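The checks a mail gateway or triage script would apply to the cases above, covering the executable hidden inside a ZIP from the opening paragraphs, the double extension, and an extension that contradicts the file's contents such as an OLE .doc renamed to .rtf. This is an added example written for this page, not code from the original article. Everything it scans is constructed in memory (an "MZ" stub standing in for an executable, a few magic-byte prefixes), the extension lists are assumptions rather than a complete policy, and 7z/RAR archives are only reported, not unpacked.

```python
"""Attachment triage: judge a file by its bytes, not by the name Windows trusts."""
from __future__ import annotations

import zipfile
from io import BytesIO

# Extensions the Windows shell runs directly on double-click (assumed, abbreviated list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".hta", ".msi"}
# Benign-looking extensions an attacker puts in front of a hidden executable extension.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".xls", ".txt"}

# Leading bytes that identify the real format regardless of the file name.
MAGIC = [
    (b"MZ", "pe"),                                   # Windows executable (.exe/.dll/.scr)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy .doc/.xls/.ppt container
    (b"{\\rtf", "rtf"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                          # also .docx/.xlsx (they are ZIPs)
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG", "png"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"Rar!\x1a\x07", "rar"),
]
# What each extension is allowed to contain; anything else is a mismatch.
EXPECTED = {".exe": {"pe"}, ".scr": {"pe"}, ".dll": {"pe"}, ".doc": {"ole"}, ".xls": {"ole"},
            ".rtf": {"rtf"}, ".pdf": {"pdf"}, ".zip": {"zip"}, ".docx": {"zip"},
            ".xlsx": {"zip"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".png": {"png"}}


def sniff(data: bytes) -> str | None:
    """Return the format implied by the leading bytes, or None if unrecognised."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def split_exts(name: str) -> tuple[str, str]:
    """Return (inner, outer) extensions, lower-cased: 'a.jpg.exe' -> ('.jpg', '.exe')."""
    parts = name.lower().rsplit(".", 2)
    outer = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    return inner, outer


def triage(name: str, data: bytes, findings: dict[str, list[str]] | None = None,
           prefix: str = "") -> dict[str, list[str]]:
    """Record findings for one file, descending into any ZIP archive it turns out to be."""
    findings = {} if findings is None else findings
    path = prefix + name
    notes = findings.setdefault(path, [])
    inner, outer = split_exts(name)
    kind = sniff(data)

    if outer in EXECUTABLE_EXTS:
        notes.append(f"executable extension {outer}")
    if inner in DECOY_EXTS and outer in EXECUTABLE_EXTS:
        notes.append(f"double extension: shown as '{name[:-len(outer)]}' with extensions hidden")
    if outer in EXPECTED and kind not in EXPECTED[outer]:
        notes.append(f"content mismatch: {outer} name but {kind or 'unknown'} content")
    elif kind == "pe" and outer not in EXECUTABLE_EXTS:
        notes.append("PE header under a non-executable name")

    if kind == "zip":
        try:
            with zipfile.ZipFile(BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.is_dir():           # a real gateway also caps sizes here
                        triage(info.filename, zf.read(info), findings, path + "/")
        except zipfile.BadZipFile:
            notes.append("PK signature but not a readable ZIP")
    elif kind in ("7z", "rar"):
        notes.append(f"{kind} archive: not unpacked here, extract with 7-Zip before release")
    return findings


def build_samples() -> dict[str, bytes]:
    """Constructed attachments for the demonstration; none is real malware."""
    pe_stub = b"MZ" + b"\x00" * 62                   # enough for the sniffer to call it a PE
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Vacation Photo.jpg.exe", pe_stub)
        zf.writestr("readme.txt", b"just text")
    return {
        "photos.zip": buf.getvalue(),
        "report.rtf": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56,  # OLE .doc named .rtf
        "invoice.pdf": b"%PDF-1.7\n%constructed sample\n",
        "data.7z": b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26,
    }


def triage_all(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Run triage over every sample and keep only the paths with findings."""
    findings: dict[str, list[str]] = {}
    for name, data in samples.items():
        triage(name, data, findings)
    return {path: notes for path, notes in findings.items() if notes}


if __name__ == "__main__":
    for path, notes in triage_all(build_samples()).items():
        print(path)
        for note in notes:
            print("  -", note)
```

The clean PDF and the ZIP container itself produce no findings; the renamed OLE document is reported as a mismatch even though nothing about its name is suspicious on its own, and the 7z sample is held for a tool that can actually open it rather than waved through because the extension is not on the block list.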
Hiding attacks using common file types
While clever file extension tricks can be effective, using file types that users handle constantly, perhaps daily, is effective both at getting users to actually open the files and at bypassing simplistic protections, given the volume of legitimate files of the same type. The Stagefright exploits for Android arrived in media files (MP4 video delivered by MMS), certainly a file type common on mobile devices.
On computers, and especially in business, document file types, namely Microsoft Office files and PDFs, are both incredibly common and carry embedded scripting (VBA macros and PDF JavaScript respectively) with which malware can be written into the file. Those scripting facilities are used legitimately as well, so merely containing a script is not enough for anti-malware software to block the file without further analysis.
With Excel spreadsheets especially, the prevalence of (sometimes questionable in implementation) custom macros to fulfill business needs can blur the distinction between clean and malicious files. In fact, during my tenure as software engineer for ATP there were few techniques a malicious macro might use that I didn’t encounter at least one false positive for (that is, a legitimate file that was marked as malicious), even including writing to the registry.
How attackers use macros and scripts
Malicious Microsoft Office files primarily rely on macros written in VBA, Visual Basic for Applications (the DDE technique, when it was first discovered, being the notable exception), whereas malicious PDFs typically use the reader's JavaScript engine. An Office macro most often reaches the operating system through the WScript.Shell COM object, created with CreateObject("WScript.Shell"), which lets it run commands and touch parts of the system that the language itself does not expose directly. Acrobat's JavaScript runs in a sandboxed engine with no such object; PDF-borne code that reaches the system usually does so through a reader vulnerability or a launch action rather than through a scripting shell.
WScript.Shell exposes operations that the scripting language alone does not provide directly: starting a process (Run, Exec), reading and writing the registry (RegRead, RegWrite), and so on. It is also one of several routes to downloading a remote file, by launching a system tool or script that does the fetch; the others are COM objects such as MSXML2.XMLHTTP or the URLDownloadToFile API imported with a Declare statement. Downloading is common, since many Office and PDF malware variants simply act as downloaders for an additional payload. It is also not uncommon for the payload to be encoded inside the document and decoded and run by the script, which makes the document a loader rather than a downloader.
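An added example, not code from the original article, of the static triage an anti-malware engine performs on macro source once it has been extracted from the document: it folds the string-splitting tricks (Chr(), StrReverse(), & concatenation) that hide names such as WScript.Shell, looks for the system-reaching calls described above (WScript.Shell creation, Run/Exec, registry access, downloaders, Declare imports, auto-run entry points), and decodes long base64 runs to catch a loader that carries its payload inside the document. Both macros are constructed samples, the indicator list and its weights are assumptions, and the base64 blob is an "MZ" stub rather than a real executable.

```python
"""Static triage of VBA macro source: undo string splitting, look for the calls that
reach the operating system, and decode embedded payloads."""
from __future__ import annotations

import base64
import binascii
import re

# (pattern, label, weight). Weights are assumptions; a registry write alone is common in
# legitimate macros, so it contributes little on its own.
INDICATORS = [
    (r"wscript\.shell", "WScript.Shell object created", 3),
    (r"\bshell\s*\(|\.run\b|\.exec\b", "process start (Shell/Run/Exec)", 3),
    (r"\.regwrite\b|\.regread\b", "registry access", 1),
    (r"urldownloadtofile|msxml2\.xmlhttp|winhttp\.winhttprequest", "remote file download", 4),
    (r"\bdeclare\s+(?:ptrsafe\s+)?function", "direct Win32 API import (Declare)", 2),
    (r"\bauto_?open\b|\bdocument_open\b|\bworkbook_open\b", "runs when the document opens", 2),
    (r"powershell|cmd\.exe|certutil|bitsadmin", "command interpreter or download tool named", 3),
    (r"adodb\.stream|\.savetofile\b|msxml2\.domdocument", "embedded data written to disk", 3),
]


def normalize(src: str) -> str:
    """Fold Chr(), StrReverse() and & concatenation so split names read as one string."""
    s = re.sub(r"Chr(?:W|\$)?\(\s*(\d+)\s*\)",
               lambda m: '"' + chr(int(m.group(1))) + '"', src, flags=re.I)
    s = re.sub(r'StrReverse\("([^"]*)"\)', lambda m: '"' + m.group(1)[::-1] + '"', s, flags=re.I)
    prev = None
    while prev != s:                      # keep merging until no adjacent literals remain
        prev = s
        s = re.sub(r'"([^"]*)"\s*[&+]\s*_?\s*"([^"]*)"', r'"\1\2"', s)
    return s


def find_embedded_payload(src: str) -> list[str]:
    """Decode long base64 runs; a loader's payload usually sits in one of these."""
    out = []
    for m in re.finditer(r"[A-Za-z0-9+/]{40,}={0,2}", src):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue
        if blob.startswith(b"MZ"):
            out.append("embedded base64 blob decodes to a PE executable")
        else:
            out.append(f"embedded base64 blob ({len(blob)} bytes)")
    return out


def scan_macro(src: str) -> dict:
    """Return the indicators found, a weighted score and the normalised source."""
    norm = normalize(src)
    hits = [(label, weight) for pat, label, weight in INDICATORS if re.search(pat, norm, re.I)]
    payload = find_embedded_payload(norm)
    score = sum(weight for _, weight in hits) + 4 * len(payload)
    return {"indicators": [label for label, _ in hits] + payload,
            "score": score, "normalized": norm}


# Constructed samples. The base64 blob is a 2-byte "MZ" stub padded with NOPs, not a real PE.
_STUB_B64 = base64.b64encode(b"MZ" + b"\x90" * 46).decode()
SAMPLE_MACRO = f'''
Sub Auto_Open()
    Dim o As Object
    Set o = CreateObject("WSc" & "ript" & Chr(46) & StrReverse("llehS"))
    o.RegWrite "HKCU\\Software\\Demo\\Seen", 1, "REG_DWORD"
    payload = "{_STUB_B64}"
    o.Run "cmd.exe /c echo constructed sample", 0, True
End Sub
'''
LEGIT_MACRO = '''
Sub SavePreference()
    Set sh = CreateObject("WScript.Shell")
    sh.RegWrite "HKCU\\Software\\Contoso\\Report\\LastRun", Now, "REG_SZ"
End Sub
'''

if __name__ == "__main__":
    for title, src in (("suspicious", SAMPLE_MACRO), ("legitimate", LEGIT_MACRO)):
        result = scan_macro(src)
        print(f"{title}: score {result['score']}")
        for ind in result["indicators"]:
            print("  -", ind)
```

Pulling the VBA out of an OLE or Office Open XML container is a separate step that this block does not do (oletools' olevba performs both the extraction and this kind of indicator scan). The second sample, a legitimate macro that creates WScript.Shell only to write a registry value, scores low, which is exactly why a single indicator such as a registry write cannot be a blocking rule on its own.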
Of course, documents can contain the final payload rather than acting as an intermediary, but executables can take advantage of the obfuscation and encryption techniques covered in the last article more easily. It is also very common for malicious documents to simply contain a link for a user to click on that leads to the malware, although it would be more accurate to call such documents phishing rather than malware.
The human element
Even with document-based malware, user interaction is often a factor. Versions of Microsoft Office that have not received the change from earlier this year (last year for some update channels) that blocks macros in files carrying the Mark of the Web, that is, files downloaded from the internet, still require the user to act before the macro runs, typically by clicking “Enable Editing” and then “Enable Content” in the warning bar. The visible content of the file may even be the instructions for doing this, along with a false premise as to why it should be done. The same block can be enforced on older builds through the Group Policy setting “Block macros from running in Office files from the Internet”, which has existed since Office 2016.
Even simple links to remote malware still require the user to both click on the link and run the downloaded file. More so than with executable files, social engineering is a vital component to the success of most document-based malware. While this can give users more chances to recognize that something is off about the file, it is nonetheless still very effective and this success contributes to the continued prevalence of document file types as an attack vector.
You can read the rest of the Malware 101 series here.