Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


PowerPoint Zero-Day Attack Points to Corporate Espionage



 By: Ryan Naraine
2006-07-20
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
A second backdoor Trojan used in the PowerPoint attack is installing itself as a layered service provider, allowing it to access to every piece of data entering and leaving the infected computer.

A second Trojan used in the latest zero-day attack against Microsoft Office contains characteristics that pinpoint corporate espionage as the main motive, according to virus hunters tracking the threat.

According to an alert from Symantec, a backdoor called Trojan.Riler.F is installing itself as a layered service provider, or LSP, allowing it access to every piece of data entering and leaving the infected computer.

An LSP is a legitimate system driver linked deep into the networking services of Windows. It is used primarily to allow the operating system to connect to other computers, but virus writers have found a way to make malicious programs work as LSPs to hijack sensitive data during transmission.

Symantec, of Cupertino, Calif., said the Trojan also opens a back door on the compromised system and connects to the "soswxyz.8800.org" domain. The Trojan then listens and waits for commands from a remote attacker.

Alfred Huger, senior director of engineering at Symantec, said the dirty PowerPoint file infects the machine with a piece of malware called Trojan.PPDropper.C which in turn drops two separate backdoors that give the attack unauthorized access to the compromised computer.

Resource Library:

The first Trojan, called Backdoor.Bifrose.E, logs keyboard strokes, hijacks sensitive system data and transmit the information back to a remote server hosted in China.

F-Secure, an anti-virus vendor with headquarters in Finland, said the Bifrose backdoor file is an uncompressed PE executable that is encrypted with a simple algorithm. The backdoor is programmed to connect to "pukumalon.8800.org," which is a free host bouncing service in China.

The 8800.org domain, like other similar hosting services, has been used in several zero-day attacks this year, according to F-Secure researcher Mikko Hypponen.

The F-Secure anti-virus team found backdoors connecting to China-hosted domains in March 2005, September 2005, March 2006, April 2006, May 2006 and July 2006.

"If youre not in China and your users are not supposed to access different Chinese services, blocking might not break too many things," Hypponen said.

"Wed recommend you at least check your companys gateway logs to see what kind of traffic you have to such services," he added.

Microsoft declined a request for an interview to discuss the characteristics of the attacks and referred queries to the companys PowerPoint security advisory.

Symantecs Huger said the sophisticated nature of the attacks suggest it is the work or well-organized criminals associated with industrial espionage.

"Its difficult to say if all the Office attacks weve seen this year are related to each other but they are using very similar techniques that are very sophisticated," Huger said in an interview with eWEEK.

In both the Excel and PowerPoint attacks for example, there is a never-before-seen attempt to hide forensic evidence.

"Whether its the same attacker, we dont know. But this is not a technique weve seen before. Instead of leaving a dirty file, the author is overwriting it with a clean file. Thats a new level of sophistication," Huger said.

He confirmed Microsofts claim that the attacks were "very limited" but warned against businesses in the United States becoming complacent.

"Once this type of attack is out, its very unusual for it to be limited to just one company. I think its safe to assume that its ongoing, especially since there is no patch for this vulnerability," Huger added.

Microsoft plans to issue a patch on August 8 for users of Microsoft PowerPoint 2000, Microsoft PowerPoint 2002 and Microsoft PowerPoint 2003.

In the meantime, anti-virus experts are urging Microsoft Office users to be on the lookout for suspicious attachments, even those that appear to come from colleagues internally.

The PowerPoint exploit arrives from a Gmail address with a subject line in Chinese characters. Internet security vendor Sophos said the rigged PowerPoint presentation, which includes 18 slides, contains "humorous" philosophy about love between men and women.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: PowerPoint Zero-Day Attack Points to Corporate Espionage
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


xv㶲 ;^+(}LQvKdKnkǶKޝY$MR~sּ_t%_:3^mKX@ Bw?H9w4ô'1%3TI}"Iͽ{h#(7`)rdxBԲ|WR #Yntj5w5Gl$J{'AT{j" xL9 ΜM}ٜi7'x2 X 8z@'Ajwm(CJp$Z=$? w,8"a}c$aL-ԆNY_5}(D~㖯[zQ-GjR;ғ,f3} 3+i3,-?[:u!usYf0R*CA-t?c;Szqsھy^{7}rڻ&ΧIٙ{F0pgs Z܌vO|3Q&ںa#j庤#3 >_u4>wOHN,mϳ90dio,Y\H.)żM|Y|ěy#0ri4(-ߖAf@w[@0k:u6kiJ5f!`FܼkN49ȡ蟩$m4@r1)6B̄H )&7jt M XRU>I"E[fT}O ${3BDȝ`g@ BD4?CC0&pt/\~_ .aw9Q] +\M޲G <Ǟ4O;Nz~xX18,]evr`\Զ7jG_)CR/JG-dj`qaeJݠcmnywσ@ ti3#|>95Fm'!|Аd mx=Z.33IXn`hqpy4ڭ-%_ >< FNj$ >6(Zχ`j˦Mf@B9{ǻޚA<QБ4|a qjQ?]*~hs-w= } wA,߃9#z[LKx GN }p (~9-RC/1t[t=JI ڂ"D% T h4AǰEENA7;.Vʥ\.y"m':Ν3Tr x&,R,BV-KᗄPf%i2mń(VFNl(0Vf)ra*j +)dz~#JC͸^`é3h{q#%IAg=U檳@tlX+nMo?JՍ݋pz1(+úZJx Hod m_eƠemLGy+-m" IPצ(XkezdxE6*&C 7u=k}0*\TB?[Ȕe0jAsXjgܲ&P `*w`b\0NaNy9tA[fl.n; 6*'l|0ː ;um CM5,v&Ԕfj:Y[^|'+ȁUrqXkjpp0vVׅ=% Υ_8̧םi+@oLsCm0 Ǧ"|Zl"Os=)W}B~*+BQQb/`k@Lf2,rƎe9لAٌ \}ZJ\<897Qo>U< ıLb0qqغeoX~?5Xe;;pM;~ 6AS-cfDL3$!O^'JBOքk&.}yTc DA#E . @ ЏB(rDUX±UcKQ0SKm{hAx-X\>L*ҵ@%ЧCizi}~هF9#*!'HHo?YDjZXZQrTU߬7cSO@H.ǡ3S翼;u 3}h1xPJo?C0t.tȕ`s|eLFմlxTa$Z`F%*'L)`Ճ{3M\PvSmf "8&Զswq5`EY̑z,LHT0u 70-tqC)T뵢¾_Yn+> (L50Ȉ%=GlTlo⻏.1֞m$R*nC01^*== 7S_ -ʶvg˦ɪՆgQyϤ͋p|5] |b9s#ONqLk s0sIl7xv@̬m#w6霎0 M`}G ϓ1WT% `,fqNg epvN{mB9,3?t\kr :_=Fp=Эt;ǚ~;w?Mׂܵ ϡRD71PUL xg4sfDcK6j]+'&GlZ Z;zGd!9i -!?s/=Vip>nzʅJg HW4qMݗ8nH#ohks_R{<@̙5Y* % =EZЋqcꞃSLB.]/$*RQv+ր ki+TTV ?3pa-X,Ԕʑ3H)k(G݉?^nȵ: fIyRTS,.=JMXJP?YTAte]T1n?cVPVW`Zd&s\%\{si0o)Q󩋗J3["X.DД7Ϩ3Rb  kQh-Bwyr`0W?4$NcVqDMc?րh)k03?0RiʊZ+ujMRԞE'sL؞EA(ǡd:)dnQ==׍!n@ &|ݙCadJHT]{ 1 0G\0R=B$Kr]N6[_T b vQ *s>P9ɷwf‰/lCXx|{ `?KXXD>Dif\{e">QXٿ~PkGK( L $q)YUihja{I1A$KO{u=|g| 8}_Ut{AuQaVvҸGZ`>*u/۝U{/R&øDoٷ)P K #F16bd+]=+aoZvta؆;0F@IDW{ABh]^/~{(9^vdcxޕx\O#;R%9!hUHN:<aShmǛ&Ea׏5!麫42l&zE Wq];לY0pz)vB3ZKUe z AE׏6:]?ּ Bp$`$X)XCu:_>GG:Ky5P^S QW2REhIA%;'g <D9FxDw턡nER}CRB'T ˓$/+IYO)eqhd*꒐~*~(i&'ءؠҡ۳_.'8 $O krwisq/P{a%yx4*k85(AuNHqJiIgԢᬖ^}6y;qz])LU9$gy/uϏ*zUb׽msD;1u;2x;zZ1?ݾpne9?jwh{t3q=vbϓ{~\[5("Ξe氎cԆl+ҿܳRpfi#ހkҺ<85L;0g,H~ ;#|$~>xFM{uS意G ڝ9k3rĸEl{25[dؗ{vOKn<]1hn舧lLgI"+W{Uw7}\8%/r{ld+N$c,nP2vA Js[gȞx~K7跷b o|}& ~W*];PI9w뻿~=mҲ(r_ZDNpw5Q${qI%.x}?.K`\Tky^v} ,$>?G{o D:*p&޸,0eHӭ^''\/_z?rR/1;mh+V:27wGĞ>.ԧ3ӆիeq&wR{F)9ԲP-Mv`/KމSUbޡLځ{v9p<2ȩɎ{w~!"4)8H.M$z#Y`J؍K;:Ƅa?sHn nfߩ ljcX? HrEP`@LjMFDQKFFM 6Mj[le6C]K0=r]ٝMk :WW`yJޗ0T_>nk VPb}$0<M/*u|/P Űt{x#C%W&0UD2)C@#-Gj!St y2)O}suQ7 {o'2Q}:#ƛH0)*<0$C6`u ( I0 AVx&\D%4aAX$xg_^!vG+rUMRjrUŹ*>fQ38*CB0("͝ﮗTzqhZI$۩Km<(D$A*f[C|ı]].m*/ X8B:xlײ0)i!H )E1)nּTy:/Ac;eNӄ[dzpm)w.qձN.;~X8P>/ f Z YǾCYLQBy[Ety/9c&R3𷲂ثf_ U؀WOXj66X)&snpgCaggggUdB 0H02mn]u/"r:a_rdUcZ a}&& WbvƊ>ٚ͝_ْUJ/*/[|b!u IInC0O._y yVi4?r|ʯGj<,{lNfOV}48fIw9Dk |i(6W^j oH5҅fbb7dT`e+%,Z!\|{17nD%\Nt%Rח4ܹ\M$ ZR+j;bV o<_t /qa鯄 ^XS3|>Mn~5ͱͱͱͱ;unZo]J]RX$]-pAni[A1!A B|E,atGhoksۚZ^}d1Lvpj;z7{O'b"榒/}J"N#_RLsgA)2y"g+ӡ4Y hR,7V/ VGIA|iGVjť/}m:'dOxw6^4QhnhVl"EciSt^ hÂjb,j>U ,L}3 H¯/95=uaYujۈYޣ3玮dzUKjjN hw>@oZp=W?%4C2ĆKa+IiqlrGN*NagL4skx([0wF7{E!prpBycЃ%>?w}L;4|R__VS - 6/*` ,k;hO7>iPC"&Hm90 j"6?taۙ|b>'{:&rCя"s~P8Pk}-JӪ=k/ Zs0[}yΈBqCb$J]C޻"^tIw'y{Dd',h6A`aV3/0q_n]}LS^thvp^xH)LIG|f6A$HM4rtrx+w8ē{e~OzzݵR#ńg䏥B7o 7~qH e_M BaD0‡ҏqaBK <ߋn!%KZk^Yr+ȈZ~j\!1c❱TA9-Qj5ݽRUBI3=>bTy A6 y^Šx!Vy rTīh pK$$:Ʋr/Adq2In&~iXr>H':t=jh p4JTa 9RRԎsBUQKYJqœ]o '}ZrYXO:Rga^1\VKZ%yGi po2zS,TZ~K"?{| &̋Ht<.&:7Rm;A=~xDLRO\vD! CVY `Oh$~b s2uFf."T( `NNgV\vnsG@F™6 <y3M\[ hj >(4x( kaH!'vQ]Qgx3Bx7t'le>uM7XZ؟0nh"ķ |$rkqC9Ҍf%/zѽHe Ft83*yF2*mGM=/>nr-i`Ik ld Dps<<0mDR,) 00mݚ1;moI=NPOcZ|"{X#&3( y_$R} (bWU T,G,(ϏB5DSJTmn$|s ^60CS,0 Lma`t.Puܣq?]Aff#p͒w\j:rtԨ b8+M4?3,ȏ]MKlݜ(8Z1I(tCK/HzsA!C2_7=}c?ݩ2X((  @Ka1c~PBMФPs]+J9F<>[AguUo VH+^@03%_Ч6#&To`9暭wMZ!ՠۻ$ǝ ¶-J-eڟOzWOz0cal\[d_T ΓQ9l]t283ksYx9% ywf8lxթf/DAwpD(/* F^-Àecn_w}5Zq-;YW'>;tɉcdhw>r: U9i67anq4ħyd@z\34[E9yFPsFPkF5_o.?i2{P(GNl.o ڝ(?\~ 9͠7usͳn;3ʡ݌{Qf~s?3\~3l׼ " {A E}.xiPF9E^^d'eSFeQ~0{ s!?0~׃2?=/ rqWU?~A \c}OYߧ >>eoʁo2ڿh&s$eCPʐ.Np3˹q+/ޯ.? fV"t{rUtKn y;r%> |#r75iohg?>/yd֦WVFkp'k͠~%sS$iN^fJ5G P1=:1ah iۼx[T;7i5@)8?,(s[^FlOB#Vx3&z9&]\ʠaC7ao/Yb+F;c`\';=2gjy }dy0\9+hw]V=ȾwF=CSz  LsvBs1 lJ//ӡxCKQ,V 50=_ou–'"F_!]x'G;W`ػKl>`'X5SǬy@ӟ}Q!je>D% /Ńq`a\m8I(q0݁ԵH714F=sf\)!𰙄i)4u9dGОf@L V8=>/޺{,gl`Erl9GuZCQt#byܝ0܉Ybawpa`O*}qKAflk8cXK1w]Ww-p~K5 D 9bH'^ %m:X3!?cנITÓx`⟐GN"Maџ⌴IBm`y`;_|n!fIკ& ~2gi+-}x= %4Id`m߂9s_ɡ=Ew"郧rSl+.Ġ/3>g'4WBMxXum&$tp;y86M(^9ao5RFXk;MAc;ul>9+wo27& 6L6da)x܃AGR(~Q ~%^ n='IDπnuMf@gYl)VxRDZ9=vļKlmyT? T|- 5\6LDRw }J0~N]jV0N@9DePީik./;v4fR*4$NS xSEzV?ĵ  |wخ;Oq^'dd9a7g۹1cHPWFׁݞV Xo} 8lO.d|}́!Xs#Q%7` <[52D/7ag~ r@c]Tng`wDl .3.OY% hWa)*e71KLP`Ol3!gw6G-ݻ XGx kyf#ŧ3W<2ZP/jdVw@8̝,ӟ~H϶I5"`:Vڕ+zYL1e~}=3ӲG(qu2,@P݌B5`y+@4W qSGgp#15B\ (cto Q1?c=Vqٮ7GL}Ӱ QaW7n MywT \7o]ecAP1W)?&Il}ralX ^|޹+o3Љe{0^Op2$82#" $8zIW{{a0&iE㨤t`C v_Ή~ph;?҈>A wVǰ-XF!&ۅ 7O80Ux|-h\};M_\9/8LgѸ8"?H+b%ӫrXotl#"|f`*H^hI:v' AHcZvC"^ֳo .A|>ǐy6xL k ED;ydMn+:cQEae=JV01{l~r[)#Es̥D/5^JB\sjh6