SSTIC03 - Malware and file formats

This article explains how many common file formats (DOC, XLS, PDF, HTML, XML, RTF, ...) may hide or trigger malicious code (viruses, Trojan horses, ...) using their native features such as active content (macros, JavaScript, etc.). It was presented at the SSTIC symposium and at OSSIR in 2003.

This article focuses on all files that can enter a company network by many different means (web, e-mail, USB sticks, CDs, laptops, etc.), most of the time without being properly filtered. Once such a file is opened by a user, it can easily trigger malicious actions and put the network's security at risk.

This article describes the security issues related to the most common file formats on Windows: executable files, scripts, HTML, XML, MS Office, PDF, etc.

A classification of these formats according to risks is proposed, in order to distinguish innocuous formats from potential threats. It may be used to adapt a filtering policy to the system being protected.

This article also presents the various technical and organizational solutions available today to protect against these threats.

NOTE: An English version with updated content (2010) is now available here.