June 2, 2006

OpenOffice.org virus debunked by experts

Author: Bruce Byfield

Kaspersky Lab, a manufacturer of anti-virus software, claims to have discovered a macro virus for StarOffice and OpenOffice.org. The claim has received widespread media attention on the Internet as the first of its kind. However, according to experts, the alleged virus is nothing more than the use of a long-existing capability in the StarBasic macro language (also known as OOo Basic). Although the potential for malicious macros exists, they can be easily guarded against.

Labelled Stardust, the alleged virus was first described on May 30 in a blog from a Kaspersky Lab virus analyst who posts as Kostya. According to the blog, "It's written in StarBasic. It downloads an image file (with adult content) from the Internet and then opens this file in a new document." The story first appeared on May 31, with the additional caveat that it is a proof-of-concept virus only, and has not been in circulation.

The next day, the OpenOffice.org home page posted an acknowledgement of the story, adding that the project was consulting with Kaspersky Lab about the virus. On June 2, OpenOffice.org issued a press release, downplaying the story. "This is a known risk with any capable macro language," the release explained, adding, "This 'proof of concept' virus is not new information, and does not require a software patch."

Andrew Douglas Pitonyak, the writer of OpenOffice.org Macros Explained, and generally considered by participants in the OpenOffice.org project as one of the leading experts in StarBasic, was more cautious. Although several posters to the OpenOffice.org Discuss list were quick to point out that Stardust was not a virus in the conventional sense, since it did no harm to the operating system or existing files, Pitonyak wrote in an email, "I consider a 'macro virus' to be any macro that does something malicious without your consent." However, he added that he considered Stardust "far from earth shattering and [that it] hardly elicits a yawn from anyone but the most paranoid."

Pitonyak did go on to say that, in theory, "An OpenOffice.org virus can be just as bad as an MS Office virus. I have seen some people claim that you could not write a virus using OOo, when in fact, it is no more difficult than any other platform." Pitonyak suggested that a true macro virus could use StarBasic's file and directory handling capabilities to trash a hard drive. Alternatively, it could include binary data that could be written to disk, then run, or download binary data from a web site. In the last two cases, he explained, "the macro is merely an infector for the real virus."

However, Pitonyak emphasized that such scenarios are malicious uses of standard capabilities.

Furthermore, as Pitonyak points out, by default OpenOffice.org asks users whether to enable macros when they open a document that contains one. Those who desire additional protection can go to Tools -> Options -> OpenOffice.org -> Security -> Macro Security in OpenOffice.org and set the program to run only signed macros from trusted sources, or only macros from trusted file locations on their own system. Most of the danger comes from inexperienced users who might automatically enable macros, or from those who relax macro security so that all macros are opened without confirmation.

Users can have additional security by only running OpenOffice.org on non-root accounts on UNIX-like operating systems such as GNU/Linux or Solaris, or on accounts without administrative privileges on Windows. With these precautions, any damage caused by a macro virus should be limited to the users' personal files.
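
As an added illustration that is not part of the original article, here is a check that can be run on a document from an unknown source before opening it. It assumes the OpenDocument packaging, in which a document is a ZIP archive and embedded Basic modules are stored under Basic/<Library>/<Module>.xml; the pattern list, function names, and sample document are this example's own constructions.

```python
import io
import re
import zipfile
from xml.sax.saxutils import escape

MAX_MODULE_BYTES = 1 << 20  # refuse to inflate oversized members

# Illustrative patterns (an assumption of this example, not a complete list):
# Basic statements tied to the capabilities Pitonyak describes.
RISKY = {
    "deletes files or directories": re.compile(r"\b(Kill|RmDir)\b", re.I),
    "runs an external program": re.compile(r"\bShell\b", re.I),
    "writes binary data": re.compile(r"\bFor\s+Binary\b", re.I),
    "references a web URL": re.compile(r"https?://", re.I),
}

def scan_odf(data: bytes) -> dict:
    """Map each embedded Basic module in an ODF package to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            parts = info.filename.split("/")
            # Embedded libraries live at Basic/<Library>/<Module>.xml
            if len(parts) != 3 or parts[0] != "Basic" or not parts[2].endswith(".xml"):
                continue
            if parts[2] == "script-lb.xml":
                continue  # library index file, no code
            if info.file_size > MAX_MODULE_BYTES:
                report[info.filename] = ["module too large to inspect"]
                continue
            text = pkg.read(info).decode("utf-8", "replace")
            report[info.filename] = [k for k, rx in RISKY.items() if rx.search(text)]
    return report

def make_sample(basic_source: str = "") -> bytes:
    """Build a constructed, minimal ODF-like package for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        pkg.writestr("content.xml", "<office:document-content/>")
        if basic_source:
            pkg.writestr("Basic/script-lc.xml", "<library:libraries/>")
            pkg.writestr("Basic/Standard/script-lb.xml", "<library:library/>")
            pkg.writestr("Basic/Standard/Module1.xml",
                         "<script:module>" + escape(basic_source) + "</script:module>")
    return buf.getvalue()

if __name__ == "__main__":
    sample = 'Sub Main\n  Open "placeholder.bin" For Binary As #1\n  Shell "placeholder.bin"\nEnd Sub'
    print(scan_odf(make_sample(sample)))  # one module, two findings
    print(scan_odf(make_sample()))        # no embedded Basic
```

An empty result only means that no embedded Basic modules were found; scripts in other languages supported by OpenOffice.org are not covered by this check.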

Pitonyak also acknowledged the possibility of writing a plug-in using Java, Python, or any of the other programming languages supported by OpenOffice.org, but concluded that "it would probably be easier" to use StarBasic.

Despite downplaying the Kaspersky Lab claim, OpenOffice.org's home page now displays a message that says, "Nevertheless, we take even the possibility of a threat very seriously, and engineers are working with Kaspersky Labs on this proof of concept to determine possible precautions and remedies."

However, project members on the Discuss mailing list were more scathing. Lars D. Nooden expressed concern that headlines on articles about the claim would mislead people about the issue. Ian Lynch, the founder of the INGOTS certification program, was even more direct. While acknowledging that the story might mislead people, Lynch described the original article as "not a story with any substance. The headline is an example of lack of professionalism and certainly lack of technical knowledge on the part of those reporting it."

Lynch is perhaps overstating the case, but the general agreement is that the Kaspersky Lab claim is an exaggeration. At best, it serves as a warning against trusting files from unknown sources. Clearly, it is neither new nor cause for anything more than standard caution.

Bruce Byfield is a course designer and instructor, and a computer journalist who writes regularly for NewsForge, Linux.com, and IT Manager's Journal.

