


by Dave Gradijan

Innocuous Worm Wiggles Past OpenOffice Security

May 25, 2007

The first cross-platform worm specifically tailored for the open-source OpenOffice and StarOffice productivity suites has raised a few hackles in open-source circles, since it appears to tarnish the suite’s reputation for security.

In some ways, the worm, which Sophos calls SB/Badbunny-A, is insignificant. It is not very well written, and is so unlikely to spread that the virus writers e-mailed it to Sophos themselves, the company said.

What has open-source fans riled, however, is the fact that a functional worm exists at all that can exploit OpenOffice’s scripting features to carry out potentially malicious actions and to spread over the Internet.

Macro viruses have been around for decades and are a well-known problem for Microsoft Office. That makes it all the more perplexing, some industry commentators said, that a proof-of-concept worm has been put together that can exploit the relatively new, open-source OpenOffice suite in exactly the same way.

Badbunny executes when a user opens a file called badbunny.odg. It attempts to download and display an indecent picture of a man in a bunny suit performing a sexual act in the woods, according to Sophos.

The worm carries out different actions depending on the operating system, working on Mac OS X, Linux and Windows, the company said. On Linux it attempts to spread via XChat or mIRC scripts.

Sophos Director Mark Harris said the worm appeared to have been written solely to prove that OpenOffice and StarOffice can easily support such malware.

“This harks back to the old days of malware when it was written to show off computer prowess,” Harris said in a blog post. “The focus has changed over the years and is now about making money.”

Some in the open-source community said it was absurd that no mechanism has been put in place, even in modern, open-source applications, to do away with such dangers as macro viruses.

“We’ve known about macro viruses for 20 years, and the danger of putting executable code in documents for about the same, and yet, in 2007, an open-source application, backed by a major Unix vendor is released with this vulnerability?” wrote one reader on the Slashdot discussion site. “Apparently many eyes do not make bugs shallow.”

—Matthew Broersma,