Hello and welcome to the Tuesday, March 3, 2006 edition of the Sands International

Center's Stormcast. My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu graduate certificate program in Purple Teams operation.

When attackers are attempting to obfuscate what they're doing, they often take advantage of compound document formats.

We're trying to sort of wrap one document into another document type, and then of course

it becomes more difficult to figure out the actual malicious part. DDA has a quick diary

up on how to use his tools in order to analyze one particular type of these documents, and that's

a zip file inside an RTF. Yes, that's legal,

that's perfectly fine, and of course a particular type of zip file would be a Word document,

because these Doc X formats, well, they are really just compressed zip files. So the DA is walking

you here through a particular

example and showing how to not only extract this sort of mess of convoluted documents,

but also then extract URLs, for example, which of course could lead you to then additional

exploit attempts or malicious documents.

One commenter point out that the document that DDA here happened to use in the blog post,

which actually also covered by Akamai a week or so ago,

because it was one of the documents attempting to exploit Microsoft vulnerability that was patched in February.

So a relatively recent vulnerability was being exploited using this particular document.

And well, the voyage to finally end up with a quantum safe internet is continuing. And the next challenge here is

certificates. There are two interesting blog posts that are sort of related to each other, one by Cloudflare,

one by Google about how to solve this particular challenge. I'll link to the Cloudfair one.

I like that a little bit better in the explanation, but there's

...