How are hackers using RTF files to infect victims and what can my enterprise do to stay protected?
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Rich Text Format or RTF files have long been considered safer file types to share with others. There have been fewer vulnerabilities found in RTF than in other file formats because RTF doesn't have the extensive functionality to attack in an exploit as .doc files have. It does, however, have significantly more features than raw text files, making it attractive to enterprises.
TrendMicro posted a blog describing a social-engineering attack that gets a user to click on a malicious document embedded in an RTF file. (The RTF file format allows other files to be embedded in it, and users can manually open the file directly from the WordPad application in Windows.) TrendMicro reported that malicious files contained instructions in Portuguese or German to open the embedded file to view a receipt which, in actuality, is a malicious CPL or control panel file (used for displaying icons in the control panel) that downloads the Zbot/Zeus malware. This is an uncommon way for the malware to spread.
Note that there are very few legitimate reasons to embed files in RTF files, meaning that any RTF file with an embedded file should be considered suspicious. Enterprises can best protect their endpoints by using anti-spam or antimalware software that inspects email and/or network traffic, or by leveraging devices that use deep inspection to identify embedded files and quarantine them.
Enterprises could also keep endpoints safe by converting all RTF attachments to images or other file formats that don't contain these vulnerabilities; however, this could negatively impact file sharing capabilities. RTF files could also be outright blocked because they're much less frequently used than .doc or PDF files, but this wouldn't stop malware from entering via other file attachments. Enterprises could also consider blocking all file attachments from external email addresses, but this dramatic response could also negatively impact business functionality. Given these tradeoffs, it may be most reliable to rely on endpoint antimalware software or network inspection devices like intrusion prevention systems, antimalware network appliances, next-generation firewalls, etc.
Ask the Expert!
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now! (All questions are anonymous.)
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
SSL attacks "in stealth mode" are helping attackers avoid detection and analysis. Expert Nick Lewis explains how to discover and defend against the ...continue reading
Learn how sinkholing is helping security experts analyze infected devices and even disable malware in compromised endpoints.continue reading
Motion and gestures are being used for mobile malware detection on smartphones. Learn how this method works and whether it is a worthy addition to an...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.