lolloj - Fotolia

Manage Learn to apply best practices and optimize your operations.

RTF security: Avoiding embedded malware

The Zeus malware is threatening RTF security by embedding itself in the file, which is commonly seen as safer than other file formats such as PDFs. Learn how to prevent the threat.

How are hackers using RTF files to infect victims and what can my enterprise do to stay protected?

Rich Text Format or RTF files have long been considered safer file types to share with others. There have been fewer vulnerabilities found in RTF than in other file formats because RTF doesn't have the extensive functionality to attack in an exploit as .doc files have. It does, however, have significantly more features than raw text files, making it attractive to enterprises.

TrendMicro posted a blog describing a social-engineering attack that gets a user to click on a malicious document embedded in an RTF file. (The RTF file format allows other files to be embedded in it, and users can manually open the file directly from the WordPad application in Windows.) TrendMicro reported that malicious files contained instructions in Portuguese or German to open the embedded file to view a receipt which, in actuality, is a malicious CPL or control panel file (used for displaying icons in the control panel) that downloads the Zbot/Zeus malware. This is an uncommon way for the malware to spread.

Note that there are very few legitimate reasons to embed files in RTF files, meaning that any RTF file with an embedded file should be considered suspicious. Enterprises can best protect their endpoints by using anti-spam or antimalware software that inspects email and/or network traffic, or by leveraging devices that use deep inspection to identify embedded files and quarantine them.

Enterprises could also keep endpoints safe by converting all RTF attachments to images or other file formats that don't contain these vulnerabilities; however, this could negatively impact file sharing capabilities. RTF files could also be outright blocked because they're much less frequently used than .doc or PDF files, but this wouldn't stop malware from entering via other file attachments. Enterprises could also consider blocking all file attachments from external email addresses, but this dramatic response could also negatively impact business functionality. Given these tradeoffs, it may be most reliable to rely on endpoint antimalware software or network inspection devices like intrusion prevention systems, antimalware network appliances, next-generation firewalls, etc.

Ask the Expert!
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now! (All questions are anonymous.)

This was last published in August 2014

Dig Deeper on Malware, virus, Trojan and spyware protection and removal