Banking trojan executes when targets hover over link in PowerPoint doc

(credit: Dodge This Security)

Criminal hackers have started using a novel malware attack that infects people when their mouse hovers over a link embedded in a malicious PowerPoint file.

The method—which was used in a recent spam campaign that attempted to install a bank-fraud backdoor alternately known as Zusy, OTLARD, and Gootkit—is notable because it didn't rely on macros, Visual Basic scripts, or JavaScript to deliver its payload. Those methods are so widely used that many people are able to recognize them before falling victim.

Instead, the delivery technique made use of the Windows PowerShell tool, which was invoked when targets hovered over a booby-trapped hyperlink embedded in the attached PowerPoint document. Targets using newer versions of Microsoft Office would by default first receive a warning, but those dialogs can be muted when users are tricked into turning off Protected View, a mode that doesn't work when documents are being printed or edited. Targets using older versions of Office that don't offer Protected View are even more vulnerable.
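A defender-side check for this delivery technique, added here as an example and not code from the article or the campaign analysis. It assumes that a PowerPoint mouse-over action is stored in the slide XML as an `a:hlinkMouseOver` (or `a:hlinkClick`) element whose `action` attribute is `ppaction://program` and whose relationship target holds the command line; the sample document it scans is constructed in memory, with a harmless placeholder command standing in for the real payload.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by PowerPoint slide parts and their relationship files.
A = "http://schemas.openxmlformats.org/drawingml/2006/main"
P = "http://schemas.openxmlformats.org/presentationml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
RUN_ACTION = "ppaction://program"  # PowerPoint action that launches an external program

def find_program_actions(pptx_bytes):
    """Return (slide part, trigger element, command) for every hover/click action
    that is wired to run a program rather than open a URL or jump to a slide."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        names = z.namelist()
        for slide in [n for n in names if re.fullmatch(r"ppt/slides/slide\d+\.xml", n)]:
            # Each slide's relationships file maps r:id values to their targets.
            rels_name = slide.replace("slides/", "slides/_rels/") + ".rels"
            targets = {}
            if rels_name in names:
                for rel in ET.fromstring(z.read(rels_name)).iter(f"{{{PKG}}}Relationship"):
                    targets[rel.get("Id")] = rel.get("Target", "")
            root = ET.fromstring(z.read(slide))
            for tag in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter(f"{{{A}}}{tag}"):
                    if el.get("action", "").lower().startswith(RUN_ACTION):
                        hits.append((slide, tag, targets.get(el.get(f"{{{R}}}id"), "")))
    return hits

def build_sample_pptx(command, action=RUN_ACTION):
    """Constructed minimal PPTX with one hover-triggered action (test input, not a real sample)."""
    slide = (f'<p:sld xmlns:p="{P}" xmlns:a="{A}" xmlns:r="{R}"><p:cSld><p:spTree>'
             f'<p:sp><p:txBody><a:p><a:r><a:rPr><a:hlinkMouseOver r:id="rId2" action="{action}"/>'
             '</a:rPr><a:t>Loading...</a:t></a:r></a:p></p:txBody></p:sp>'
             '</p:spTree></p:cSld></p:sld>')
    rels = (f'<Relationships xmlns="{PKG}"><Relationship Id="rId2" Type="{R}/hyperlink" '
            f'Target="{command}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for hit in find_program_actions(build_sample_pptx("powershell -NoP -c Write-Output hover")):
        print("program action found:", hit)
```

Any hit is worth quarantining regardless of what the command string says, since a legitimate presentation rarely needs to launch a program on hover; real samples may additionally obfuscate or URL-encode the target, so treat the command text as evidence, not as the only trigger.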


Microsoft Office CVE-2013-1331 Coverage

The time between discovery of a vulnerability and the emergence of an exploit keeps getting shorter—sometimes a matter of only hours. This increases pressure on IT managers to rapidly patch production systems in conflict with configuration management and best practices for quality assurance. Many organizations struggle to keep up with the constant release of new patches and updates.

Last Tuesday, June 11, 2013, Microsoft released a security bulletin (MS13-051) which covers a number of vulnerabilities. One of the vulnerabilities has reportedly been exploited in targeted attacks. Attackers can leverage this vulnerability by sending a specially crafted attachment as part of a spear phishing campaign.

Microsoft Office PNG File CVE-2013-1331 Buffer Overflow Vulnerability (CVE-2013-1331) is a remote stack-based buffer overflow vulnerability in Microsoft Office that allows remote code execution. It is confirmed to affect Microsoft Office 2011 for Mac and Microsoft Office 2003 for all Windows platforms.

Symantec currently has the following detections in place for this vulnerability:

Antivirus Signature

Intrusion Prevention Signature

  • Web Attack: Microsoft Office CVE-2013-1331 2
  • System Infected: Trojan Backdoor Activity 12

We continue to monitor this threat to improve coverage and will provide any relevant updates when possible. Symantec strongly advises users to update their antivirus definitions regularly and ensure the latest Microsoft patches are installed.

The spammer who logged into my PC and installed Microsoft Office

(credit: Aurich Lawson / Thinkstock)

It's Memorial Day, all Ars staff is off, and we're grateful for it (running a site remains tough work). But on a normal Monday, inevitably we'd continue to monitor the security world. Our Jon Brodkin willingly embraced a firsthand experience with low-grade scammers in April 2013, and we're resurfacing his piece for your holiday reading pleasure.

It all began with an annoying text message sent to an Ars reader. Accompanied by a Microsoft Office logo, the message came from a Yahoo e-mail address and read, "Hi, Do u want Microsoft Office 2010. I Can Remotely Install in a Computer."

An offer I couldn't refuse.

The recipient promptly answered "No!" and then got in touch with us. Saying the spam text reminded him of the "'your computer has a virus' scam," the reader noted that "this seems to be something that promises the same capabilities, control of your computer and a request for your credit card info. Has anyone else seen this proposal?"
