detect executables embedded inside MS Office documents?

Julian Field MailScanner at ecs.soton.ac.uk
Mon Apr 7 16:41:21 IST 2008



Furnish, Trever G wrote:
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info 
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
>> Of Julian Field
>> Sent: Sunday, April 06, 2008 11:09 AM
>> To: MailScanner discussion
>> Subject: Re: detect executables embedded inside MS Office documents?
>>
>> Ignore all previous requests for information. I've got enough 
>> of it, pretty much.
>> The only thing I cannot handle is inserted OLE "Packages" 
>> that contain multiple files. If someone fancies creating one 
>> of those and sending it to me, I'll improve the Package 
>> parser to cope with it.
>>
>> But it now works with files inserted into Microsoft Office 
>> documents just fine.
>>
>> This will be in the next release.
>> I guess it's a fairly major new feature, the ability to 
>> extract embedded files from Microsoft Office documents.
>> :-)
>>
>> I think I'm going to have a rest now...
>>
>> Jules.
>>     
>
>
> Wow!  I didn't really expect much response on that request!  Thank you
> very much!  I look forward to testing, although I'll admit I'm also
> hoping the method itself never takes off in the malware world.
>   
No problem, I thought it was a nice idea. Fortunately Microsoft have 
actually published the spec of the Office documents, so it's now 
possible for people to write parsers without having to reverse engineer 
everything. I still had to reverse engineer the "Microsoft Packager" 
format by hand, as files are embedded in a Microsoft Package before 
being put into the Office document.

I have already released a beta with the code in it, so you can test it now.

If you want to show your gratitude, please feel free to make a donation 
or buy me some stuff from my amazon.co.uk wishlist. Full directions are 
on the website.

Cheers,

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
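
Added example, not part of the original message and not MailScanner's code: a sketch of checking a single-file Packager object for an executable payload, covering the case where the name looks harmless but the content is a program. It assumes the "\x01Ole10Native" stream has already been extracted from the document and that it follows the commonly documented single-file layout (size, 2-byte field, label, source path, 8 bytes, temp path, payload size, payload); that layout, all function names and the sample bytes are assumptions, and multi-file packages are not handled.

```python
import struct

# Illustrative, not exhaustive, markers for executable content and names.
EXEC_MAGIC = {b"MZ": "Windows PE/DOS", b"\x7fELF": "ELF"}
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js")


def _cstr(buf, pos):
    """Read a NUL-terminated string at pos; return (text, next_pos)."""
    end = buf.index(b"\x00", pos)  # ValueError if the terminator is missing
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream):
    """Parse one Ole10Native stream holding a single packaged file."""
    pos = 6  # skip 4-byte total size and a 2-byte field (assumed layout)
    label, pos = _cstr(stream, pos)
    src_path, pos = _cstr(stream, pos)
    pos += 8  # two 4-byte fields whose meaning is not needed here
    temp_path, pos = _cstr(stream, pos)
    if pos + 4 > len(stream):
        raise ValueError("truncated before payload size")
    (size,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    if size > len(stream) - pos:
        raise ValueError("declared payload size exceeds stream length")
    return {"label": label, "src_path": src_path,
            "temp_path": temp_path, "data": stream[pos:pos + size]}


def verdict(pkg):
    """Return the reasons to treat this embedded file as an executable."""
    reasons = ["content is " + kind for magic, kind in EXEC_MAGIC.items()
               if pkg["data"].startswith(magic)]
    for name in (pkg["label"], pkg["src_path"], pkg["temp_path"]):
        if name.lower().endswith(EXEC_EXT):
            reasons.append("name ends in executable extension: " + name)
            break
    return reasons


def build_sample(label, path, payload):
    """Constructed test input: serialise the same assumed layout."""
    body = b"\x02\x00" + label.encode() + b"\x00" + path.encode() + b"\x00"
    body += struct.pack("<II", 0x30000, len(path) + 1) + path.encode() + b"\x00"
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body
```

Checking the payload's leading bytes as well as the stored names matters because the label inside the package is chosen by whoever built the document.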

