Fast fingerprinting of OLE2 files: heuristics for detection of exploited OLE2 files based on specification non-conformance presented at Virus Bulletin 2011

by Stephen Edwards (Sophos)


Summary: Today, the main class of malicious OLE2 files seen by SophosLabs exploits vulnerabilities in Microsoft Office
applications. These are used to install malware - most often rootkits, backdoors, or downloaders. Ten years ago,
SophosLabs would have been inundated with self-replicating threats or macro-based trojans. As the attack vector has
changed, techniques for detection have also adapted - knowledge of the OLE2 specification is a powerful tool in the

OLE2 documents are complex, so the cost of parsing them in order to directly detect an exploit can be prohibitive for a
security scanner. However, Microsoft Office file formats typically have early records with a significant number
of rigidly defined fields. This paper will investigate whether non-adherence to the specification within these fields can be
used as a low-cost heuristic to improve detection of this class of malware. Additionally, by scanning diverse clean and
exploited files, this paper will set out which violations are pertinent to exploit detection.
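As an added illustration of the low-cost heuristic the abstract describes (this is example code written for this page, not the paper's or Sophos' own tooling), the following Python checks only the fixed 512-byte OLE2 (MS-CFB) header, whose fields the specification defines rigidly, and reports every field that deviates from the mandated value without parsing any sectors, streams or directory entries. Field names, the constructed sample header and the tampered overrides are this example's own assumptions; which of the reported violations actually correlate with exploitation is exactly what the paper sets out to measure, so the list is a triage signal to be calibrated against a clean corpus, not a verdict.

```python
import struct

# Header constants from the MS-CFB (OLE2 compound file) specification.
OLE2_SIGNATURE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
HEADER_FIXED_FMT = "<8s16sHHHHH6sIIIIIIIII"  # the 76 bytes before the DIFAT array
DIFAT_ENTRIES = 109                          # DIFAT entries stored in the header
FREESECT = 0xFFFFFFFF
ENDOFCHAIN = 0xFFFFFFFE

# Field names are this example's own labels for the unpacked header values.
FIELD_NAMES = ("sig", "clsid", "minor", "major", "byte_order", "sect_shift",
               "mini_shift", "reserved", "n_dir", "n_fat", "first_dir", "tx_sig",
               "mini_cutoff", "first_minifat", "n_minifat", "first_difat", "n_difat")


def check_ole2_header(data: bytes) -> list:
    """Return the list of header-field violations found in the first 512 bytes.

    Each check compares one rigidly defined field against the value the
    specification mandates; an empty list means the header is conformant.
    Nothing beyond the header is read, which keeps the cost constant per file.
    """
    if len(data) < 512:
        return ["header shorter than 512 bytes"]
    h = dict(zip(FIELD_NAMES, struct.unpack_from(HEADER_FIXED_FMT, data, 0)))
    difat = struct.unpack_from("<%dI" % DIFAT_ENTRIES, data, 76)
    v = []
    if h["sig"] != OLE2_SIGNATURE:
        v.append("signature is not D0CF11E0A1B11AE1")
    if h["clsid"] != b"\0" * 16:
        v.append("header CLSID must be all zeros")
    if h["minor"] != 0x003E:
        v.append("minor version should be 0x003E")
    if h["major"] not in (3, 4):
        v.append("major version must be 3 or 4")
    if h["byte_order"] != 0xFFFE:
        v.append("byte order must be 0xFFFE (little-endian)")
    expected_shift = {3: 9, 4: 12}.get(h["major"])
    if expected_shift is not None and h["sect_shift"] != expected_shift:
        v.append("sector shift must be %d for major version %d"
                 % (expected_shift, h["major"]))
    if h["mini_shift"] != 6:
        v.append("mini sector shift must be 6")
    if h["reserved"] != b"\0" * 6:
        v.append("reserved bytes must be zero")
    if h["major"] == 3 and h["n_dir"] != 0:
        v.append("number of directory sectors must be 0 for version 3")
    if h["mini_cutoff"] != 0x1000:
        v.append("mini stream cutoff must be 0x1000")
    if h["n_difat"] == 0 and h["first_difat"] != ENDOFCHAIN:
        v.append("first DIFAT sector must be ENDOFCHAIN when no DIFAT sectors exist")
    used = min(h["n_fat"], DIFAT_ENTRIES)   # entries beyond the FAT count are unused
    if any(entry != FREESECT for entry in difat[used:]):
        v.append("unused header DIFAT entries must be FREESECT")
    return v


def build_v3_header(**overrides) -> bytes:
    """Constructed 512-byte version-3 header (sample data, not a real file): one
    FAT sector at sector 0 and the directory at sector 1. Keyword overrides let
    a caller deliberately violate individual fields for testing."""
    fields = dict(zip(FIELD_NAMES, (
        OLE2_SIGNATURE, b"\0" * 16, 0x003E, 3, 0xFFFE, 9, 6, b"\0" * 6,
        0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)))
    fields.update(overrides)
    fixed = struct.pack(HEADER_FIXED_FMT, *(fields[name] for name in FIELD_NAMES))
    difat = struct.pack("<%dI" % DIFAT_ENTRIES, 0, *([FREESECT] * (DIFAT_ENTRIES - 1)))
    return fixed + difat


if __name__ == "__main__":
    clean = build_v3_header()
    tampered = build_v3_header(mini_shift=7, mini_cutoff=0x2000, n_dir=3)
    for label, blob in (("conformant", clean), ("non-conformant", tampered)):
        print(label, check_ole2_header(blob))
```

Running the script prints an empty list for the constructed conformant header and three violations for the tampered one. In a real scanner the returned list would feed a per-file score, with the weight of each violation set by the clean-versus-exploited measurement the paper describes, since some deviations (for instance an unexpected minor version) also occur in legitimately produced files.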