'Corrupted' Files Could Bypass Antivirus, Infect PC

By John Lister

Hackers have found a sneaky way to bypass antivirus software by intentionally corrupting documents. As always, human vigilance remains a key weapon against such tactics.

Putting malware into file attachments and persuading people to open them remains one of the key ways attackers operate. Often such tactics involve taking advantage of known security flaws in popular software or in operating systems.

The current attack is somewhat more targeted: the documents contain a QR code in the hope that either the user (manually) or the device (automatically) will scan it and open the linked website. That site is a fake Microsoft login page designed to trick users into typing in their account details.

HR Message a Trap

Security researchers say the campaign they spotted has been running since August and appears to consist of targeted attacks, with the bogus documents appearing to come from the human resources department of the victim's employer, usually claiming to relate to salary or other benefits. (Source: bleepingcomputer.com)

In this case, though, it's not the content of the documents that's attracted the attention of the security community, but rather the way they are designed to bypass security scanners. Ideally rogue documents and files such as this will be flagged either by scanners in the email service, in the operating system's security tools, or through standalone security software.

The catch here is that the attackers are using either Microsoft Office document files or zipped archives that have been intentionally corrupted. The corruption is done in a way that means security scanners can't parse the file properly and thus can't spot anything amiss.

Fixing "Problem" Creates Problem

The corruption is carefully crafted to take advantage of the fact that operating systems and applications can automatically repair corrupted files and/or recover the data. This means the recipient's application can still open the file and display its contents (including the QR code), while the scanner, which did not repair it, found nothing to flag. (Source: scworld.com)

Ideally security software developers will now update their tools to either cope with supposedly corrupted files (for example, repairing them and opening them in an isolated "sandbox" to avoid any damage) or at least warn users of a potential threat when they can't scan a file.
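As an added illustration (not from the article or its sources), the following Python sketch shows the fail-closed check that last suggestion implies: an attachment whose leading bytes claim an Office or ZIP container but whose structure cannot be parsed is flagged as unparseable rather than reported as clean. The sample document and the corruption step are constructed here, and `classify_attachment` and the other names are hypothetical.

```python
import io
import zipfile

# Magic bytes for the two container formats the article mentions:
# OOXML (.docx/.xlsx) and plain .zip both start with a PK local-file header;
# legacy binary Office files (.doc/.xls) use the OLE2 compound-file header.
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Return 'clean-structure', 'unparseable' or 'unknown'.

    The point is the fail-closed decision: a file that claims to be an
    archive or Office document (by magic bytes) but cannot be parsed is
    not silently passed through as "nothing found"; it is flagged so the
    user can be warned or the file routed to a sandbox for repair."""
    if data.startswith(OLE_MAGIC):
        # Minimal sanity check for OLE2: the 512-byte header must be complete.
        return "clean-structure" if len(data) >= 512 else "unparseable"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # testzip() walks every member and returns the first bad one.
                return "unparseable" if zf.testzip() else "clean-structure"
        except zipfile.BadZipFile:
            # e.g. the end-of-central-directory record is missing, so the
            # member list cannot be read even though a word processor in
            # recovery mode may still reconstruct the document.
            return "unparseable"
    return "unknown"


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal OOXML-style archive (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>payroll update</w:document>")
    return buf.getvalue()


def corrupt_docx(data: bytes) -> bytes:
    """Constructed corruption: strip the end-of-central-directory record so the
    archive index is unreadable, mimicking the intentionally broken files."""
    eocd = data.rfind(b"PK\x05\x06")
    return data[:eocd]


if __name__ == "__main__":
    good = build_sample_docx()
    print(classify_attachment(good))                # clean-structure
    print(classify_attachment(corrupt_docx(good)))  # unparseable
```

A mail gateway applying this logic would quarantine or warn on the "unparseable" verdict instead of treating a scan failure as a pass.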

In the meantime, the best advice to users remains to be suspicious about any unexpected link or attachment, even when coming from a trusted source.

What's Your Opinion?

Are you surprised at this apparent loophole? How often do you receive file attachments? Do you use automatic or manual scans of attachments and does this make you confident about opening them?
