How are hackers using RTF files to infect victims and what can my enterprise do to stay protected?
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Rich Text Format or RTF files have long been considered safer file types to share with others. There have been fewer vulnerabilities found in RTF than in other file formats because RTF doesn't have the extensive functionality to attack in an exploit as .doc files have. It does, however, have significantly more features than raw text files, making it attractive to enterprises.
TrendMicro posted a blog describing a social-engineering attack that gets a user to click on a malicious document embedded in an RTF file. (The RTF file format allows other files to be embedded in it, and users can manually open the file directly from the WordPad application in Windows.) TrendMicro reported that malicious files contained instructions in Portuguese or German to open the embedded file to view a receipt which, in actuality, is a malicious CPL or control panel file (used for displaying icons in the control panel) that downloads the Zbot/Zeus malware. This is an uncommon way for the malware to spread.
Note that there are very few legitimate reasons to embed files in RTF files, meaning that any RTF file with an embedded file should be considered suspicious. Enterprises can best protect their endpoints by using anti-spam or antimalware software that inspects email and/or network traffic, or by leveraging devices that use deep inspection to identify embedded files and quarantine them.
Enterprises could also keep endpoints safe by converting all RTF attachments to images or other file formats that don't contain these vulnerabilities; however, this could negatively impact file sharing capabilities. RTF files could also be outright blocked because they're much less frequently used than .doc or PDF files, but this wouldn't stop malware from entering via other file attachments. Enterprises could also consider blocking all file attachments from external email addresses, but this dramatic response could also negatively impact business functionality. Given these tradeoffs, it may be most reliable to rely on endpoint antimalware software or network inspection devices like intrusion prevention systems, antimalware network appliances, next-generation firewalls, etc.
Ask the Expert!
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now! (All questions are anonymous.)
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
When NSA cyberweapons went public, attackers bundled them into the EternalRocks malware. Nick Lewis takes a closer look at this new threat and ...continue reading
A Google Docs phishing attack used OAuth tokens to affect more than a million Gmail users. Nick Lewis explains how it happened, and how to defend ...continue reading
A vulnerability in Microsoft's Windows Defender antivirus tool left users open to remote code exploitation. Expert Nick Lewis explains how it ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.