How are hackers using RTF files to infect victims and what can my enterprise do to stay protected?
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Rich Text Format or RTF files have long been considered safer file types to share with others. There have been fewer vulnerabilities found in RTF than in other file formats because RTF doesn't have the extensive functionality to attack in an exploit as .doc files have. It does, however, have significantly more features than raw text files, making it attractive to enterprises.
TrendMicro posted a blog describing a social-engineering attack that gets a user to click on a malicious document embedded in an RTF file. (The RTF file format allows other files to be embedded in it, and users can manually open the file directly from the WordPad application in Windows.) TrendMicro reported that malicious files contained instructions in Portuguese or German to open the embedded file to view a receipt which, in actuality, is a malicious CPL or control panel file (used for displaying icons in the control panel) that downloads the Zbot/Zeus malware. This is an uncommon way for the malware to spread.
Note that there are very few legitimate reasons to embed files in RTF files, meaning that any RTF file with an embedded file should be considered suspicious. Enterprises can best protect their endpoints by using anti-spam or antimalware software that inspects email and/or network traffic, or by leveraging devices that use deep inspection to identify embedded files and quarantine them.
Enterprises could also keep endpoints safe by converting all RTF attachments to images or other file formats that don't contain these vulnerabilities; however, this could negatively impact file sharing capabilities. RTF files could also be outright blocked because they're much less frequently used than .doc or PDF files, but this wouldn't stop malware from entering via other file attachments. Enterprises could also consider blocking all file attachments from external email addresses, but this dramatic response could also negatively impact business functionality. Given these tradeoffs, it may be most reliable to rely on endpoint antimalware software or network inspection devices like intrusion prevention systems, antimalware network appliances, next-generation firewalls, etc.
Ask the Expert!
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now! (All questions are anonymous.)
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
IP devices like multifunction printers and faxes may be an attack vector. Expert Nick Lewis explains the vulnerabilities, and how to secure them ...continue reading
AceDeceiver is a Trojan that can install itself on iOS devices without any certificates. Expert Nick Lewis explains how it works, and how enterprises...continue reading
USB Thief, a new type of stealth malware, leaves no trace on air-gapped targets. Expert Nick Lewis explains how the malware works and how enterprises...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.