Hello, welcome to the Monday, November 7, 2016 edition of the Sands and Storms and a Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Did he did an interesting write-up about some malicious word documents that he found that use a new technique to bypass whitelisting.

Whitelisting of course is often seen as of the ultimate replacement for antivirus, given

that we want to enumerate all the processes that we want to run, not just malicious processes.

Now what this particular word document does is that first of all,

it loads a PNG file. Now this PNG file is really only one pixel but includes additional

data which is an executable. Then it runs a script that will execute this executable data after the PNG file,

and that now, of course, runs inside the vert process, which already has been approved.

Next, it goes forward and downloads additional malware.

Now, the additional malware would typically then be safe to disk and

ran, which of course is where antivirus and whitelisting would step in and prevent this

malware from running. However, this particular new version is suspending an existing process

like Explorer.exe,

then adding the new malware to this process in memory

and then releasing the process, starting it up again,

and with that also starting the maver that was just downloaded.

So everything runs inside an approved process. This is a

technique that's rather difficult to monitor for you essentially have to look for all

of the possible API calls and such that could be used in order to inject and then

start the additional process. Now of course this would not would not survive a reboot of the system, but

given a trade-off that you do get a stealth malware running, that's pretty much hidden from

...