-- Contact -- https://twitter.com/vxunderground email@example.com
This article will try to explain a new way of infecting OpenOffice documents. Other OO virii have been written using the Basic programming language offered by OO, like Starbucks, Stardust or the multi-platform BadBunny. It is possible to infect the documents using their simple structure. Let's go!
An OO document is simply a zip archive, so you can "open" a document with any archiving program. This is what you get (it should be the same for all OO documents, created by Writer, Calc, Draw etc.):
As you can see, the archive contains text files and directories. I will not waste much time explaining all of them; their names suggest their meaning. Looking deeper I noticed the directory "Basic", which contains the macros defined in the document. This subdirectory contains:
The directory "Standard" contains:
Eureka! The file "UserDefined.xml" contains the Basic code of the macros!!! We have to play with this file to infect a document using our own macro code. This is what it contains in my example file "Example.odt" (there its name is ExampleMacros.xml):
The file is an XML document; it can be parsed in many ways, using libraries or writing your own procedures. We should do a check first: in fact it's possible to save documents in an encrypted form using a password, so let's look at script-lb.xml (this one is from my example file).
We have to check library:passwordprotected: if it is set to true, the document is encrypted.
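As an added example (not code from the article or from OpenOffice itself), here is a Python routine that performs the check above from the inspecting side: it walks the Basic/ directory of an ODF zip, reads each library's script-lb.xml, honours library:passwordprotected and collects the module sources, which is exactly what a document scanner looking for injected macros needs to do. The library/module XML layout and namespaces are assumed from the OpenOffice.org Basic storage format, and the sample document is constructed inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the Basic library descriptor files inside an ODF zip (assumed from the
# OpenOffice.org Basic storage format; the article only names the passwordprotected attribute).
LIB_NS = "{http://openoffice.org/2000/library}"

def inspect_basic_libraries(odf_bytes):
    """Map each Basic library in an ODF zip to (password_protected, {module: source})."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            # Every Basic library has its own Basic/<Lib>/script-lb.xml descriptor
            if not (name.startswith("Basic/") and name.endswith("/script-lb.xml")):
                continue
            lib_dir = name.rsplit("/", 1)[0]
            root = ET.fromstring(zf.read(name))
            lib = root.get(LIB_NS + "name", lib_dir.split("/")[-1])
            # The flag the article says to check before touching a library
            protected = root.get(LIB_NS + "passwordprotected", "false").lower() == "true"
            modules = {}
            for elem in root.iter(LIB_NS + "element"):
                mod = elem.get(LIB_NS + "name")
                path = f"{lib_dir}/{mod}.xml"
                source = None
                if path in names and not protected:
                    # The module element's text node is the raw StarBasic source
                    source = (ET.fromstring(zf.read(path)).text or "").strip()
                modules[mod] = source
            report[lib] = (protected, modules)
    return report

def build_sample_odt():
    """Constructed sample: one open library plus one password-protected library."""
    lb = ('<library:library xmlns:library="http://openoffice.org/2000/library" '
          'library:name="{n}" library:passwordprotected="{p}">'
          '<library:element library:name="{m}"/></library:library>')
    mod = ('<script:module xmlns:script="http://openoffice.org/2000/script" '
           'script:name="{m}" script:language="StarBasic">{src}</script:module>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("Basic/Standard/script-lb.xml", lb.format(n="Standard", p="false", m="Module1"))
        zf.writestr("Basic/Standard/Module1.xml", mod.format(m="Module1", src="Sub Main\nEnd Sub"))
        zf.writestr("Basic/Locked/script-lb.xml", lb.format(n="Locked", p="true", m="Secret"))
        zf.writestr("Basic/Locked/Secret.xml", mod.format(m="Secret", src="(encrypted)"))
    return buf.getvalue()
```

A protected library is reported with its module names but no source, since its contents are encrypted and cannot be read (or safely modified) without the password.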
We can infect it in two ways (maybe there are more; be creative!):
I prefer the first one (the second one is useless for me), so our injected code should look like this:
So my example file "ExampleMacros.xml" would become:
Our Sub could also be multi-platform; look at BadBunny in DoomRiderz#1 for an example of how to be more portable. This task could be done in languages like Python or C++ that have libraries to help you accomplish the job (unzipping, XML parsing, rezipping). This is the flow of the infection process:
Another idea for a nice payload could be editing "content.xml", so the user will see your message!
This is an example C# program that shows how to parse the XML file containing the macro code:
You will also need the file module.dtd (it's attached to this article) to make this proggy work. (My suggestion is to read the XML file in a "raw" way, without using classes or other stuff.)
The explained technique can be expanded in more original ways. OO is a nice suite, but its format is too vulnerable to this kind of attack. For any comments you can send an e-mail to firstname.lastname@example.org Web: http://vx.netlux.org/wargamevx - http://vx.netlux.org/doomriderz Bye!
A big thx goes to all of #virus, #eof-project, #vx-lab @ undernet