http://www.foxnews.com/story/0,2933,204953,00.html
PowerPoint Zero-Day Attack May Be Case of Corporate Espionage
Monday, July 24, 2006
By Ryan Naraine
A second Trojan used in the latest zero-day attack against Microsoft
Office contains characteristics that pinpoint corporate espionage as the
main motive, according to virus hunters tracking the threat.
According to an alert from Symantec (SYMC), a backdoor called
Trojan.Riler.F is installing itself as a layered service provider, or
LSP, allowing it access to every piece of data entering and leaving the
infected computer.
An LSP is a legitimate system driver linked deep into the networking
services of Windows. It is used primarily to allow the operating system
to connect to other computers, but virus writers have found a way to make
malicious programs work as LSPs to hijack sensitive data during
transmission.
Symantec, of Cupertino, Calif., said the Trojan also opens a back door on
the compromised system and connects to the "soswxyz.8800.org"
domain. The Trojan then listens and waits for commands from a remote
attacker.
Alfred Huger, senior director of engineering at Symantec, said the dirty
PowerPoint file infects the machine with a piece of malware called
Trojan.PPDropper.C, which in turn drops two separate backdoors that give
the attacker unauthorized access to the compromised computer.
The first Trojan, called Backdoor.Bifrose.E, logs keyboard strokes,
hijacks sensitive system data and transmits the information back to a
remote server hosted in China.
F-Secure, an anti-virus vendor with headquarters in Finland, said the
Bifrose backdoor file is an uncompressed PE executable that is encrypted
with a simple algorithm. The backdoor is programmed to connect to
"pukumalon.8800.org," which is a free host bouncing service in
China.
The 8800.org domain, like other similar hosting services, has been used
in several zero-day attacks this year, according to F-Secure researcher
Mikko Hypponen.
The F-Secure anti-virus team found backdoors connecting to China-hosted
domains in March 2005, September 2005, March 2006, April 2006, May 2006
and July 2006.
"If you're not in China and your users are not supposed to access
different Chinese services, blocking might not break too many
things," Hypponen said.
"We'd recommend you at least check your company's gateway logs to
see what kind of traffic you have to such services," he
added.
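One way to act on that recommendation, as an added example that is not part of the article or any vendor's tooling: a short Python scan of proxy/gateway log lines for hosts under 8800.org. The log format and sample lines are constructed for illustration; the two host names are the ones the article reports.

```python
# Added example (not from the article): flag gateway log entries whose
# destination is a host under a free dynamic-DNS service such as 8800.org,
# which the article names as the rendezvous point for both backdoors.
import re
from collections import defaultdict

# Watch list from the article; extend with other dynamic-DNS providers
# your users have no business reason to reach.
WATCHED_SUFFIXES = ("8800.org",)

# Constructed squid-like format: "<epoch> <client_ip> <method> <host>[:<port>] <bytes>"
LOG_RE = re.compile(r"^(\S+)\s+(?P<client>\S+)\s+(\S+)\s+(?P<host>[^:\s]+)(?::\d+)?\s+(\d+)$")

# Constructed sample log: two infected clients, one benign host, one near-miss.
SAMPLE_LOG = """\
1153750001 10.1.4.22 CONNECT soswxyz.8800.org:443 512
1153750007 10.1.4.22 GET www.example.com:80 2048
1153750013 10.1.9.8 CONNECT pukumalon.8800.org:443 96
1153750020 10.1.7.3 GET not8800.org:80 700
1153750031 10.1.9.8 CONNECT PUKUMALON.8800.ORG:443 1024
"""

def host_matches(host, suffixes=WATCHED_SUFFIXES):
    """True if host is a watched domain or any subdomain of it.
    A bare endswith() would also match 'not8800.org', so the suffix
    must be the whole name or be preceded by a dot."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in suffixes)

def find_dynamic_dns_hits(log_text, suffixes=WATCHED_SUFFIXES):
    """Return {client_ip: sorted watched hosts it contacted}, case-folded."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the scan
        host = m.group("host")
        if host_matches(host, suffixes):
            hits[m.group("client")].add(host.lower())
    return {c: sorted(hs) for c, hs in hits.items()}

if __name__ == "__main__":
    for client, hosts in find_dynamic_dns_hits(SAMPLE_LOG).items():
        print(f"{client} -> {', '.join(hosts)}")
```

Each flagged client is a host to pull for the PowerPoint dropper and the LSP registration the article describes, not proof of infection on its own.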
Microsoft declined a request for an interview to discuss the
characteristics of the attacks and referred queries to the company's
PowerPoint security advisory.
Symantec's Huger said the sophisticated nature of the attacks suggests it
is the work of well-organized criminals associated with industrial
espionage.
"It's difficult to say if all the Office attacks we've seen this
year are related to each other but they are using very similar techniques
that are very sophisticated," Huger said in an interview with
eWEEK.
In both the Excel and PowerPoint attacks, for example, there is a
never-before-seen attempt to hide forensic evidence.
"Whether it's the same attacker, we don't know. But this is not a
technique we've seen before. Instead of leaving a dirty file, the author
is overwriting it with a clean file. That's a new level of
sophistication," Huger said.
He confirmed Microsoft's claim that the attacks were "very
limited" but warned against businesses in the United States becoming
complacent.
"Once this type of attack is out, it's very unusual for it to be
limited to just one company. I think it's safe to assume that it's
ongoing, especially since there is no patch for this vulnerability,"
Huger added.
Microsoft plans to issue a patch on August 8 for users of Microsoft
PowerPoint 2000, Microsoft PowerPoint 2002 and Microsoft PowerPoint
2003.
In the meantime, anti-virus experts are urging Microsoft Office users to
be on the lookout for suspicious attachments, even those that appear to
come from colleagues internally.
The PowerPoint exploit arrives from a Gmail address with a subject line
in Chinese characters.
Internet security vendor Sophos said the rigged PowerPoint presentation,
which includes 18 slides, contains "humorous" philosophy about
love between men and women.
We Hunt Spies, We Stop Espionage, We Kill
Bugs, and We Plug Leaks.
James M. Atkinson, President and Sr. Engineer
Granite Island Group
127 Eastern Avenue #291
Gloucester, MA 01930-8008
Phone: (978) 546-3803
Fax: (978) 546-9467
Web: http://www.tscm.com/
E-Mail: jm..._at_tscm.com
Received on Sat Mar 02 2024 - 00:57:27 CST