In the eternal arms race between malware writers and anti-virus vendors, a new front of attack is opening. As security software has responded to the use of MS Office files as a means for malware delivery over email, the attackers have started to shift to the OpenDocument (ODT) file format first popularised by OpenOffice and LibreOffice.
The ODT file format is widely supported by modern versions of Microsoft Office and its open source alternatives. An ODT file is a ZIP archive containing XML. As a result, many anti-virus products peek into the file, decide it is a ZIP archive, and scan it less rigorously than they would an MS Office file, leaving malware and malicious scripts undetected. An attacker can therefore use an ODT file to deliver malware that would be blocked if it were contained within a Microsoft Office format file.
Since Microsoft Office will open and process an ODT file, the end user who is the target of the attack needs to take no action other than opening the file in Excel or Word in order to fall victim.
Cisco’s Talos research team has published a detailed report which examines several recent examples of this technique.
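For defenders, the ZIP-container point above suggests a triage check: recognise an OpenDocument package by its top-level `mimetype` entry and route it to document-level scanning instead of treating it as a generic archive. The following is an added example, not code from the article or the Talos report; the function names are hypothetical, the sample archives are constructed, and the list of package paths treated as active content is an assumption.

```python
import io
import zipfile

ODF_PREFIX = "application/vnd.oasis.opendocument."
# Assumption: package paths where ODF stores macros/scripts and embedded objects.
ACTIVE_PREFIXES = ("Basic/", "Scripts/", "Object", "ObjectReplacements/")


def inspect_container(data: bytes) -> dict:
    """Classify a byte string and list ODF package entries needing deep scanning."""
    result = {"is_zip": False, "odf_type": None, "active_entries": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # ODF packages carry their media type in a top-level "mimetype" entry.
        if "mimetype" in names and zf.getinfo("mimetype").file_size < 256:
            mime = zf.read("mimetype").decode("ascii", "replace").strip()
            if mime.startswith(ODF_PREFIX):
                result["odf_type"] = mime[len(ODF_PREFIX):]
        if result["odf_type"]:
            result["active_entries"] = sorted(
                n for n in names if n.startswith(ACTIVE_PREFIXES) and not n.endswith("/")
            )
    return result


def build_sample(mimetype, extra):
    """Constructed sample archive (harmless placeholder contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if mimetype:
            zf.writestr("mimetype", mimetype, compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", "<office:document-content/>")
        for name in extra:
            zf.writestr(name, "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    odt = build_sample("application/vnd.oasis.opendocument.text",
                       ["Basic/Standard/Module1.xml", "Object 1", "Pictures/a.png"])
    print(inspect_container(odt))
    print(inspect_container(build_sample(None, ["readme.txt"])))
```

A file that reports an `odf_type` should be handed to the same document-inspection pipeline used for MS Office attachments, with any `active_entries` examined first.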