For almost as long as people have used computers and networks, malware has existed attempting to compromise, subvert and damage these systems. In the beginning, viruses and worms spread through infected floppy disks and security holes in server-based applications.
With the rise of email and the web, executable files—spread mainly through email and files placed on websites—became a common way to trick users into installing malware on their systems.
These types of attacks were easy for somewhat savvy users and IT departments to avoid and stop. There was usually very little reason anyone would send an executable file through email. Users and businesses blocked or controlled the ability to transmit program files through email and network gateways, while still permitting file types they considered safe, such as Microsoft Word documents, images and other Office Suite files.
But over time documents and Office files changed. They were no longer simple static files with little potential for harm. Products like Microsoft Word and Adobe's PDF readers added macros, scripting and other active capabilities, making it possible for a document to behave much like an executable program, right down to the ability to run processes and install other code on the user's system.
If people didn't believe documents could be used to spread malware, a little virus named "Melissa" quickly changed their attitude. In 1999 the Melissa virus spread rapidly across the Internet and in the process brought down networks and mail servers. Melissa was a Microsoft Word macro virus: opening an infected document ran a macro that mailed copies of the document to addresses taken from the victim's Outlook address book.
We've come a long way since Melissa. Modern document-based malware spreads in a variety of ways—not just through email but sometimes just by viewing the wrong website with the wrong browser and applications installed on your system.
These newer document-based attacks hide a malicious payload inside the document itself. The document exploits a vulnerability in the reader software that parses it, gets the embedded code running, and from there drops or downloads further malware onto the user's system. The bugs involved are usually referred to as "code execution vulnerabilities".
A code execution vulnerability is a software bug that gives an attacker a way to run code of their choosing. A program designed to trigger such a bug is called an arbitrary code execution exploit. Most of these vulnerabilities allow the execution of native machine code, so most exploits inject and execute a payload (shellcode) that gives the attacker a foothold from which to run arbitrary commands.
An example of a network-based remote code execution vulnerability is the one exploited by Conficker, one of the most widespread worms ever seen. Conficker targeted a vulnerability in the Windows Server service (MS08-067): a specially crafted RPC (remote procedure call) request forced a buffer overflow and executed shellcode on the target computer, giving the worm full control over it. In January 2009, estimates of the number of Conficker-infected computers ranged from almost 9 million to 15 million.
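The two paragraphs above describe the mechanism in the abstract: a parser trusts a length it read from attacker-controlled input and writes past the end of a fixed-size field, so bytes chosen by the attacker land on whatever sits next in memory. The following C program is an added example written for this page, not code from the article or from any real document reader or from Conficker. It models a tiny "document" format with a length-prefixed name field, shows a parser that checks the input bound but not the destination bound, and places the hardened parser beside it. The record layout, the wire format and the adjacent "trusted" flag are assumptions made for the example; the record is a flat byte arena so that the overflow stays within the arena and the program remains well-defined C. In a real reader, the bytes after the field would be a saved return address, a heap object or a function pointer, which is how a corrupt write becomes code execution.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical record layout (assumed for this example). The parser is only
 * allowed to write NAME_CAP bytes at NAME_OFF; a flag that the rest of the
 * program trusts lives immediately after the name field. The arena of
 * REC_SIZE bytes stands in for the memory around the field.
 */
#define NAME_OFF    0
#define NAME_CAP   16
#define TRUST_OFF  16
#define REC_SIZE   32

struct record {
    unsigned char mem[REC_SIZE];
};

/* Hypothetical wire format: byte 0 = declared name length N, bytes 1..N = name. */

void record_init(struct record *rec)
{
    memset(rec->mem, 0, sizeof rec->mem);
}

int record_is_trusted(const struct record *rec)
{
    return rec->mem[TRUST_OFF] != 0;
}

/* Vulnerable: verifies the input really contains N bytes, but trusts N when
 * writing into a field that only has room for NAME_CAP bytes. */
int parse_name_vulnerable(struct record *rec, const unsigned char *doc, size_t doc_len)
{
    if (doc_len < 1) return -1;
    size_t len = doc[0];                          /* attacker-controlled */
    if (doc_len < 1 + len) return -1;             /* input bound: correct */
    if (len > REC_SIZE - NAME_OFF) return -1;     /* only here to keep the model defined */
    for (size_t i = 0; i < len; i++)              /* destination bound: missing */
        rec->mem[NAME_OFF + i] = doc[1 + i];
    return 0;
}

/* Hardened: the declared length is checked against the destination field
 * before any byte is copied; oversized records are rejected, not truncated. */
int parse_name_hardened(struct record *rec, const unsigned char *doc, size_t doc_len)
{
    if (doc_len < 1) return -1;
    size_t len = doc[0];
    if (doc_len < 1 + len) return -1;
    if (len >= NAME_CAP) return -2;               /* leave one byte for the terminator */
    memcpy(rec->mem + NAME_OFF, doc + 1, len);
    rec->mem[NAME_OFF + len] = '\0';
    return 0;
}

/* Constructed inputs: a benign record, and one whose declared length runs past
 * the name field so that its 17th byte lands on the trusted flag. */
static const unsigned char benign_doc[] = { 5, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char evil_doc[] = {
    17,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',  /* fills name */
    0x01                                                              /* overwrites TRUST_OFF */
};

int main(void)
{
    struct record rec;

    record_init(&rec);
    parse_name_vulnerable(&rec, evil_doc, sizeof evil_doc);
    printf("vulnerable parser: trusted=%d\n", record_is_trusted(&rec));

    record_init(&rec);
    int rc = parse_name_hardened(&rec, evil_doc, sizeof evil_doc);
    printf("hardened parser: rc=%d trusted=%d\n", rc, record_is_trusted(&rec));
    return 0;
}
```

The vulnerable parser is not careless about bounds in general: it does check that the input is long enough. The defect is that the only bound it never compares the declared length against is the size of the buffer it writes into, which is exactly the check the hardened version adds before the copy. Rejecting the record outright, rather than silently truncating, also keeps a malformed document from being half-parsed into a state the rest of the reader does not expect.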
And while vendors continually patch the security holes malware writers use to spread their code, they are usually well behind the attackers. Today, documents are one of the most common ways malware is spread across the Internet.