SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Wednesday, November 8th 2017

SANS ISC Handlers

Tech News, News

🗓️ 8 November 2017

⏱️ 7 minutes

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Interesting RTF Maldoc; Multiple Linux USB Flaws; Android Updates; Ethereum Bug Locks $280 Million

Transcript

0:00.0

Hello, welcome to the Wednesday, November 8, 2017 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes

0:08.8

Ullrich, and today I'm recording from Miami, Florida. Xavier came across a fairly convoluted and interesting infection vector that he saw being used in some spam that he caught in his spam trap.

0:24.4

It all starts out as so often with an RTF document.

0:28.7

That document then downloads a URL that includes an XML document.

0:35.3

The XML document then uses the Microsoft HTML application host in order

0:43.2

to grab another URL that includes an obfuscated VBA script. Now this visual basic for

0:50.8

application script is where it gets sort of interesting. It first kills all

0:56.0

Word instances and then checks which was the last Word document opened, which of course should

1:03.7

be the original RTF document. Now it uses that RTF document to extract a form that's then being displayed in Word.

1:13.6

So Word is restarted, kind of pretending like nothing happened.

1:18.6

And then an executable that was added at the end of the document is executed.

1:25.6

DDA also saw a second Visual Basic script being downloaded, but that script was

1:31.9

never executed, so not really clear what it's for. Maybe the malware wasn't quite done yet.

1:39.1

Now, from a defensive point of view, these documents are actually pretty easy to spot because

1:46.0

the Windows binary is essentially just appended to the end of the document.

1:52.0

You will see that string, "This program cannot be run in DOS mode", within the file.

1:59.0

So a simple rule here. If an RTF document that claims to be a Word document

2:03.6

does include this string, "This program cannot be run in DOS mode", it's probably malicious.

2:11.6

And the initial download is accomplished with the INCLUDEPICTURE feature. Again, that string, INCLUDEPICTURE, is in the clear,

2:21.4

easy to detect. And if you're listening to this podcast, you probably know enough about security

2:27.5

to not just plug untrusted USB sticks into your computer. Typically, we're really more afraid here about malware that may either automatically or accidentally be executed when we plug in this USB stick.

2:45.0

But it turns out, in particular, if you're using Linux, there are actually a large number of unpatched vulnerabilities

...
