Slashdot Mirror


PowerPoint 0-Day Points to Corporate Espionage

Rakesgate writes "A second Trojan used in the latest zero-day attack against Microsoft Office contains characteristics that pinpoint corporate espionage as the main motive, according to virus hunters tracking the threat. This eWeek story walks through the attack, which uses a tainted 18-slide PowerPoint file, a Trojan dropper, 2 Trojans and a server in China that is used to communicate with compromised machines." From the article: "'Once this type of attack is out, it's very unusual for it to be limited to just one company. I think it's safe to assume that it's ongoing, especially since there is no patch for this vulnerability,' Huger added. Microsoft plans to issue a patch on August 8 for users of Microsoft PowerPoint 2000, Microsoft PowerPoint 2002 and Microsoft PowerPoint 2003. In the meantime, anti-virus experts are urging Microsoft Office users to be on the lookout for suspicious attachments, even those that appear to come from colleagues internally."

111 comments

  1. Suspicious Files by neonprimetime · · Score: 4, Funny

    In the meantime, anti-virus experts are urging Microsoft Office users to be on the lookout for suspicious attachments, even those that appear to come from colleagues internally

    But what if you receive a Power Point presentation from your manager called "ReadThisOrYourFired.ppt"? It looks suspicious, but oh the dilemma.

    1. Re:Suspicious Files by Opportunist · · Score: 1

      Gotta be a scam. My boss CAN spell.

      And he'd write in German!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Suspicious Files by Anonymous Coward · · Score: 1, Informative
      But what if you receive a Power Point presentation from your manager called "ReadThisOrYourFired.ppt"?

      Open it in OpenOffice.org Impress.

      This is an example of why it's risky to use file formats that are only supported properly by a single application.

    3. Re:Suspicious Files by WhiteWolf666 · · Score: 4, Funny

      Simple. You're really not thinking like a PHB. Stop thinking like an engineer, and start thinking like a moron!

      You receive said PowerPoint. You immediately set out to install a special PowerPoint Viewing Cart, complete with portable generator, portable PC, portable projector, and portable screenbooth (think 4 Chinese folding wall screens with a roof). Even though you've created a special system to "isolate" your PowerPoints, you make sure it's got full network access via 802.11, with RW support on all shares, globally.

      If you can't build this setup by stealing the parts from a coworker's desk or the conference room, order them all. Better yet, setup an auction website where suppliers can bid on the various parts of your setup. You, of course, send money before you receive product; after all, you've gotten the lowest cost option, so you can risk the capital.

      Then, watch said PowerPoint on the PowerPoint Viewing Cart. Proceed to tell boss that you thought this high priority PowerPoint was, indeed, from him, and that since it blew away the PowerPoint Viewing Cart, you now need to spend the rest of the week repairing it. If he asks you why you are repairing it, make sure to make it clear that you want him to be able to view the high priority PowerPoint he had just received, "ReadThisNowOrYourStockOptionsWillExpire.ppt" . Explain to him the virtues of private viewing environment, portable generator, and dolby surround sound.

      Voila! Much like any MSCE, you've turned a Microsoft Product into a never ending source of contract work, all without quitting your day job.

      --
      WhiteWolf666, an ex-Bush supporter. All you new-school, compassionate, save the children Republicans can rot in hell
    4. Re:Suspicious Files by Anonymous Coward · · Score: 0

      You could open it in Open Office. PPT macros aren't very portable.
      Yet.
      --
      AC

  2. Corporate? Pshaw... by Linkiroth · · Score: 3, Funny

    "Symantec's Huger said the sophisticated nature of the attacks suggest it is the work of well-organized criminals associated with industrial espionage." Now, now, Symantec. Everyone who's seen any 007 movie knows. It's not the criminals that are taking down the evil corporation... ...it's the British. ::walks off, whistling James Bond theme::

  3. Re:Suspicious Files by Mr. Bad Example · · Score: 5, Funny

    > But what if you receive a Power Point presentation from your
    > manager called "ReadThisOrYourFired.ppt"?

    I'd quit. I refuse to work for anyone who can't tell the difference between a possessive pronoun and a contraction.

  4. August 8? by alphasubzero949 · · Score: 2, Interesting

    Who wants to take bets that someone will have a patch out there before MS does, much like with the WMF flaw?

    How many more machines have to be compromised before users begin to take matters into their own hands?

    The arrogance of MS is astounding. And don't say it's because of testing.

    1. Re:August 8? by evil agent · · Score: 2, Interesting

      Testing is a big reason. But the bigger reason is unmaintainable code.

      --
      End transmission.
    2. Re:August 8? by Techguy666 · · Score: 1
      How many more machines have to be compromised before users begin to take matters into their own hands?

      The arrogance of MS is astounding. And don't say it's because of testing.


      In the words of Paul Thurrott, "Ah well."
    3. Re:August 8? by Chabil Ha' · · Score: 1

      Doubtful. The WMF flaw was a bigger threat, as far as those affected. I also imagine that the WMF flaw got a lot more press than this one. Those two reasons combined made it a high profile patch for someone to show off and crank one out before MS.

      --
      We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
    4. Re:August 8? by andrewman327 · · Score: 4, Informative

      So do you think that OpenOffice has similar flaws waiting to be exploited? Does that program provide true security or security through obscurity?

      --
      Information wants a fueled airplane waiting at the hangar and no one gets hurt.
    5. Re:August 8? by Opportunist · · Score: 3, Interesting

      The WMF Exploit was not targeted. It was sold as a roll-your-own-spreader kit and a lot of people used it to spray their own malware over the net. It was a threat to the net community at large.

      The Office exploits (not only this one, but also its predecessors that targeted Excel and Word) are carefully crafted, targeted attacks against very specifically selected companies. Even for AV companies it's not an easy task to get hold of some of these malware products, so it is very, very unlikely that we'll see a sizable spread to the wild any time soon (at least before the next patch day). Of the various Office overflow exploits, I only know of a Word variant that had any remotely relevant in-the-wild spread.

      Doesn't warrant writing your own patch code. Especially with StarOffice being a very handy replacement to the problem.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:August 8? by evil_Tak · · Score: 4, Informative

      OpenOffice's code is a nightmare. That's why they still haven't released an x86-64 port.

      Probably more important is not to run it on top of an OS that blindly gives it access to kernel-level network service code.

    7. Re:August 8? by Anonymous Coward · · Score: 0

      OpenOffice has a smaller user base, and the OpenOffice user base (just a guess) is on average more technical than user base of MS Office. However, if there was a reason to exploit OpenOffice, I guarantee we would see similar exploits.

    8. Re:August 8? by Anonymous Coward · · Score: 0
      OpenOffice's code is a nightmare. That's why they still haven't released an x86-64 port.

      Probably more important is not to run it on top of an OS that blindly gives it access to kernel-level network service code.
      Actually, Linux/Unix does blindly give user-mode applications access to kernel-mode network service code, if those applications are running with root privileges, in the same way that installing kernel-mode code on Windows requires Administrator privileges. If you're running as an ordinary user, you obviously can't modify kernel-mode code on either system.

      If corporations are letting their users run Windows with Administrator privileges (or Linux/Unix with root privileges), they've only their own stupidity to blame if those users start installing malicious kernel-mode code (unlikely on Linux/Unix, however, since it's hardly ever a target).
  5. Sweet Excuse! by bigtimepie · · Score: 4, Funny

    lookout for suspicious attachments, even those that appear to come from colleagues internally

    Sorry, Boss, I never got those reports... the IT guy told me I shouldn't open attachments until the new MS patch is out!

  6. Re:Suspicious Files by neonprimetime · · Score: 0, Redundant

    I refuse to work for anyone who can't tell the difference between a possessive pronoun and a contraction.

    That's what I meant by suspicious! What were you thinking I was thinking?

  7. Re:Suspicious Files by gEvil (beta) · · Score: 4, Funny

    I'd quit because I refuse to work for anyone who uses PowerPoint as a primary form of communication.

    --
    This guy's the limit!
  8. MS, grrr by joe 155 · · Score: 4, Interesting

    I understand that some people like getting their patches every first Tuesday of the month, but why force everyone to wait until the 8th. Why not let those people who are willing to risk the very small possibility of a problem caused by the patch, but don't want to take the serious risk of their system getting caned by some black hat in China, get the patch when they want it?... especially home users, for whom a patch would pose very little problem even if it was badly written.

    --
    *''I can't believe it's not a hyperlink.''
    1. Re:MS, grrr by Nutria · · Score: 0, Flamebait
      especially home users for whom a patch would pose very little problem even if it was badly written

      That's just about the dumbest thing I've ever read on Slashdot.

      --
      "I don't know, therefore Aliens" Wafflebox1
    2. Re:MS, grrr by Anonymous Coward · · Score: 2, Funny

      I understand that some people like getting their patches every first tuesday of the month, but why force everyone to wait until the 8th.

      If you're waiting until the 8th Tuesday of the month for your patches, you'll be waiting a long time.

    3. Re:MS, grrr by Anonymous Coward · · Score: 0
      That's just about the dumbest thing I've ever read on Slashdot.

      Easily fixed... http://slashdot.org/~drsmithy

    4. Re:MS, grrr by Anonymous Coward · · Score: 0

      Hahah screw that I'm modding it down

    5. Re:MS, grrr by Anonymous Coward · · Score: 0

      Umm... the 8th is the SECOND Tuesday in August...

      Not many months have the first (insert name of day of week here) of the month on the 8th day, what with there being only 7 days in a week...

  9. Chinese Firewalls by ArcherB · · Score: 2, Interesting

    Why can't the Chinese set up their firewalls to block this kind of sh*t?

    --
    There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    1. Re:Chinese Firewalls by MarkByers · · Score: 4, Funny

      Why can't the Chinese set up their firewalls to block this kind of sh*t?

      That's a ridiculous suggestion. It's not the job of the Chinese government to monitor all traffic going in and out of China.

      Oh wait..

      --
      I'll probably be modded down for this...
    2. Re:Chinese Firewalls by vishbar · · Score: 2, Insightful

      [Puts on tin foil hat]

      Sometimes I'm suspicious of the Chinese government..well, actually, ALL the time I'm suspicious of the Chinese government. They call it corporate espionage...what if it's just...well...regular espionage by a curious Communist nation?

      Of course, this is complete tin foil hat speculation with no good evidence to back it up, but the suspicion still rests in the back of my mind.

      --
      Ride the skies
    3. Re:Chinese Firewalls by db32 · · Score: 1

      Try again...you are asking the wrong question.

      Won't may be more appropriate. Why would our 'enemy' and largest competitor want to stop themselves from stealing our secrets?

      --
      The only change I can believe in is what I find in my couch cushions.
    4. Re:Chinese Firewalls by Opportunist · · Score: 1

      Let's see... Malware writers invest time to infiltrate companies in the so called "free world" to deposit payloads that drop keyloggers and password gatherers that send info towards servers standing in China...

      Nope, can't see a reason why the Chinese government would not block that...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Chinese Firewalls by ArcherB · · Score: 2, Insightful

      In a communist country, all business is owned and controlled by the government. So corporate espionage is government spying. (insert mother russia joke here).

      So, put your tin-foil hat back on. It is warranted.

      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    6. Re:Chinese Firewalls by MK_CSGuy · · Score: 1

      Because then patching a severe 0day exploit would take 5 weeks Regular-Government-Time instead of the regular 3 weeks.

    7. Re:Chinese Firewalls by Anonymous Coward · · Score: 0
      Why can't the Chinese set up their firewalls to block this kind of sh*t?

      That's a ridiculous suggestion. It's not the job of the Chinese government to monitor all traffic going in and out of China.

      Oh wait..
      They gave up network neutrality -- now they're responsible. :)
    8. Re:Chinese Firewalls by vertinox · · Score: 1

      Why can't the Chinese set up their firewalls to block this kind of sh*t?

      Who says this isn't the Chinese government sending out the PPT files?

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    9. Re:Chinese Firewalls by Firehed · · Score: 1
      (insert mother russia joke here)

      This'll have to do...

      In Communist China, Tinfoil hats wear YOU!

      --
      How are sites slashdotted when nobody reads TFAs?
  10. Re:Suspicious Files by alphasubzero949 · · Score: 1

    But Al Gore uses PowerPoint. Who wouldn't want to work for him?

  11. Click ME! by digitaldc · · Score: 2, Funny
    • Subject: Click on this attachment, and all your wildest dreams will come true.


    Well, it worked for Napoleon Dynamite....."CLICK"

    ----->BSOD: All Your Assets Are Belong To Us!
    --
    He who knows best knows how little he knows. - Thomas Jefferson
  12. gratuitous by LeonardsLiver · · Score: 2, Funny

    "Somebody needs to tell the Chinese to stop doing this shit..."

  13. Time to switch... by Anne Honime · · Score: 1

    OpenOffice.org wants YOU !

  14. The theory is... by MarkByers · · Score: 1

    why force everyone to wait until the 8th.

    The theory is that once the patch is out, crackers will reverse engineer it to make new exploits, increasing the security risk for other companies.

    It also gives Microsoft a good excuse to be slow to patch, but that's just my own personal theory. ;)

    --
    I'll probably be modded down for this...
  15. Corporate Espionage by panaceaa · · Score: 4, Insightful

    Is corporate espionage actually valuable? I'm currently working at Adobe, and development plans are pretty widely discussed amongst employees. If something were to leak, I'm not sure what the value of it would be. The only real data points that are heavily protected are financial results and projections, and the product release dates that those rely on. But I'm pretty sure those are only protected for Wall Street purposes.

    What kind of data do corporate spies hope to obtain? Would that data be actionable -- e.g, could a company come up with a competing product and be first to market if another company's already half way there?

    1. Re:Corporate Espionage by toybuilder · · Score: 3, Informative

      Corporate espionage can include things like customer and vendor lists, and product pricing details. And, many companies are quite secretive about their leading edge R&D.

    2. Re:Corporate Espionage by ikandi · · Score: 2, Insightful

      Not for Adobe competitors - there aren't any.

    3. Re:Corporate Espionage by Angostura · · Score: 3, Insightful

      So you knew about the Macromedia buyout how many weeks in advance?

    4. Re:Corporate Espionage by panaceaa · · Score: 1

      Valid point :). But again, that has a lot to do with the stock market. I think a better argument is toybuilder's -- Channel operations, distribution channels, and suppliers are definitely ripe for competitive challenges. A down-to-earth example is eBay Powersellers, who tightly guard their inventory suppliers since someone could easily come in, buy from the same supplier, sell for a slightly lower amount, and steal the entire market.

      So after reading the points of you two, I realize there's a lot more to steal than R&D-related data :).

    5. Re:Corporate Espionage by nephillim · · Score: 0

      That would probably depend on the business.
      If Coke were able to find out the recipes for all its competitors' colas then they could release
      Coke-P - Coke that tastes just like Pepsi
      Pondwater - Coke that tastes like RC-Cola

      Maybe your proprietary secrets are the customers themselves... do you want telemarketers (or worse) stealing your information from another company?

    6. Re:Corporate Espionage by panaceaa · · Score: 1

      Don't be silly :). I really can't talk about competitors openly, but you needn't look much farther than the Microsoft Expression suite to see there's competition. Almost every Adobe product has competitors.

    7. Re:Corporate Espionage by Jeff DeMaagd · · Score: 1

      Almost every Adobe product has competitors.

      Yes, and Microsoft Windows and Office have competitors, but in the broad view of things, those competitors don't seem very relevant. I mean, for vector graphics, it would seem that there is only one real choice, and that's Illustrator. InDesign has competitors but in many respects, the markets for those are different. For raster images, Photoshop seems to be the only product in its class; other image programs exist but either have a different focus, a different market or generally aren't taken seriously.

      I will be buying CorelDraw soon, but not necessarily because it's the best (I really don't know), but it is the software package that is best supported by the piece of machinery that I am buying. CorelDraw seems to have a niche in that particular category of machinery, the three companies I've investigated recommend CorelDraw, and I didn't ask why they've settled on that.

      The site suggests that those Microsoft products aren't available yet as anything more than a preview, not something I'd trust to a paying project like I might with an Adobe program.

    8. Re:Corporate Espionage by Renraku · · Score: 3, Insightful

      You know that the Chinese can make 90% accurate ripoffs of expensive-but-cheap items like Oakleys, Rolexes, etc.. you know how? Espionage. Most of the time those near-perfect replicas come from a Chinese factory that got hold of the plans and/or schematics for a device.

      The Chinese could manufacture a PS2 controller for like $5 if they wanted. Perfect replica of the official Sony one, down to the markings and logos.

      --
      Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
    9. Re:Corporate Espionage by grassy_knoll · · Score: 1
      Is corporate espionage actually valuable?

      Depends on how you define espionage. There's the obvious, like a competitor stealing trade secrets, customer lists, et al.

      If a competitor knows who your customers are, and how much they're paying, their sales guys can target them with sales pitches designed to undercut your price. Even better if the competitor had a list of, say, all help desk tickets for one of your products. Then they'd also know just what your customers didn't like about your product, and could target those areas specifically in their sales pitch.

      There's also more non-obvious things.

      You could have something like breaking into a bank to create false payment records, as a way to "prove" bribery:
      http://www.wired.com/news/technology/0,71363-0.html?tw=wn_technology_1

      One of the targets of the frame-up was presidential hopeful Nicolas Sarkozy, and press reports have linked his rival, Prime Minister Dominique de Villepin, to the smear campaign. French President Jacques Chirac defended de Villepin from the charges during a nationally televised interview last month, and de Villepin has filed libel suits against four journalists.

      Last month, prosecutors formally charged Lebanese-born Imad Lahoud for allegedly creating the falsified bank records. Lahoud previously worked for the French secret service and headed a department of network engineers for Airbus parent European Aeronautic Defense and Space, or EADS.


      Alternatively, you could use intelligence assets to rig the outcome of competing products in field tests to ensure you get the contract:

      http://www.cvni.net/radio/e2k/e2k002/e2k02news.html

      A £1bn tank bid to supply the Greek government with Challenger 2 tanks has raised suspicions that the French secret services used dirty tricks to scupper the British bid. French and British teams were among four countries in competition for the tender to supply 250 Tanks. The other countries being Germany and America.

      During the tests the British Challenger tanks had difficulty with navigation and were unable to work out exactly where they were. The British use the satellite global positioning system, GPS, for navigation, whilst the French had no such problems with their navigation.

      The Americans also claimed that their navigation suffered difficulty and it was later alleged that the French were covertly interfering with a GPS signal.

      Investigations showed that a signal was transmitted blocking the signal from one satellite. Since the GPS system needs the signal from 3 or more satellites for accuracy the loss of just one signal means errors in navigation in excess of 100 yards.

      In 1995 an American Institute think-tank estimated that France was devoting a third of its secret service budget to economic intelligence. This may well be true since agents from the DST, Direction et Surveillance du Territoire, [French Internal Security Service] removed documents from a hotel in Toulouse where British Aerospace executives were staying.

      The Greek officials found the whole event to be most amusing and discounted the dirty-tricks in their decision making processes, eventually selecting the German made Leopard 2A5 Tank as their choice.
    10. Re:Corporate Espionage by Anonymous Coward · · Score: 0

      Sealed bidding on large contracts always seems to go a lot better when you know beforehand how much the competition is bidding.

    11. Re:Corporate Espionage by kabocox · · Score: 1

      Is corporate espionage actually valuable? ... development plans are pretty widely discussed amongst employees. If something were to leak, I'm not sure what the value of it would be. The only real data points that are heavily protected are financial results and projections, and the product release dates that those rely on. But I'm pretty sure those are only protected for Wall Street purposes.

      What kind of data do corporate spies hope to obtain? Would that data be actionable -- e.g, could a company come up with a competing product and be first to market if another company's already half way there?


      I'd personally think software companies would generally not be directly targeted because there is a lot of documentation and if KnockOff Product was released next month that had 95% of the same features and same UI, then they'd get sued by the real company.

      Other than the finance side, which would be very valuable in and of itself, I'd think CAD/CAM files would be much more useful and difficult to obtain. At the company my dad works for, there are a handful of engineers with the CAD/CAM files. They don't have internet or any sort of external access. That data is backed up at least in 3-4 different places daily. It is the life blood of their company and they'd have backups, but losing any of the data would mean lost man-hours rebuilding the plans. It would only be possible for a data thief to physically steal a backup medium from one of the backup locations so that unpatented or in-progress patents can be built before they are aware of the theft. In the software world, I'd think that major companies could force a code audit and prove that code was actually stolen and used in another's product. In the physical world of engineering and unpatented or patent-in-progress work, an engineer could gain several leads and, if it is discovered, claim that they independently developed a similar product. If they were stupid and lazy, and just used the stolen CAD/CAM files, then it might be easy to discover. But if they changed all sorts of things and made no references to the stolen data in official documents then it might be unprovable other than a similar product.

    12. Re:Corporate Espionage by enronman · · Score: 1

      I work in Oil and Gas; I'm a finance guy who does M&A. We've got a LOT of assets out there. Everything we own falls into the following categories:
      1. Assets we are trying to sell
      2. Assets we'll sell for the right price
      3. Assets we are not trying to sell
      4. Assets we will not sell
      For category 1 there is a directory that has the data on these assets. We've got our "sales strategy" as to whether we will use an auction, private sale etc., the price we want to get for these assets and the lowest price we'll take. An example: first, if bidders for those assets had those files they would find them worth a LOT. Knowing our min. price could help them offer prices MILLIONS of dollars lower than what they might otherwise offer. Someone might have been willing to bid $380 million for an asset; however, they find out we are willing to take $325 million for it via private sale. The economic gain from that info to the offering party is $55 million dollars. They may be willing to pay, perhaps 100k, to get that intel. A second example: perhaps we think the best way to sell an asset is to auction it off. If someone knew this, and the price we were expecting to get for it, they might make a private pre-auction bid for it at our expected price less the sales fees.

  16. Re:Suspicious Files by sam1am · · Score: 2, Interesting

    I was under the impression he used Keynote. (Reference)

  17. Thank goodness.. by the_rajah · · Score: 2, Funny

    I'm still using Office 97.

    --
    "Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
    1. Re:Thank goodness.. by Lugae · · Score: 1

      Didn't you hear? Microsoft Office has evolved.

    2. Re:Thank goodness.. by pimpimpim · · Score: 1
      I agree, the current ones are a bit better than 97, especially powerpoint. The default layouts you can choose seem however still to be designed in the late 80s.

      What's more interesting is that the guy who made the virus can apparently write Office Visual Basic code compatible with 3 versions of Office! He could earn good money with that!

      --
      molmod.com - computing tips from a molecular modeling
    3. Re:Thank goodness.. by ArielMT · · Score: 1

      Thank goodness I'm still using Harvard Graphics for DOS.

      --
      It must be Windows. It needs half a gig of RAM and a hardware-accelerated graphics card just to run Solitaire.
  18. How useful would VMWare be? by hsmith · · Score: 1

    In a situation like this? Assuming the exploit isn't looking to just get the text of the PowerPoint, but somehow index your machine. Dropping PowerPoint in a separate VM, once there is a known exploit like this, would be sure to "partition" your HD, would it not? While not an optimal solution, it seems to be a possible short term one.

    1. Re:How useful would VMWare be? by rai4shu2 · · Score: 1

      If you are exploited on a VM, I doubt it's altogether different from being exploited on a host. The only real positive thing is at least you don't have to worry about the host being exploited. The real question is how much valuable data are you leaving in the VM?

    2. Re:How useful would VMWare be? by plover · · Score: 1
      VMs don't share the "real" hard drive with the host OS. There is just a file on the host that represents their hard drive. If the virus wants to partition it, hey, it's just bits in a file.

      Yes, virus and spyware researchers use VMs all the time. They keep a disk image of a known clean machine. When a new suspicious program comes along, they copy their disk image, boot it up, run the virus program, and look for the deltas. It's much easier than keeping a "clean-room" PC around and reghosting the disk every time.

      --
      John
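The "copy the clean image, run the sample, look for the deltas" step described in the comment above, written out as an added example (not the commenter's code and not any vendor's tool): it hashes every file under a directory before and after a change and reports what was added, removed or modified. The VM and its disk image are assumed to exist outside this script; the directory contents, the simulated post-run changes and the noise ignore-list are all constructed here.

```python
import hashlib
import os
import shutil
import tempfile

# Paths that legitimately change on every boot of the golden image (constructed
# list); an analyst tunes this against a run of the clean image with nothing
# executed, so that only sample-induced changes survive the diff.
DEFAULT_IGNORE = {"pagefile.sys", "system.log"}


def _sha256(path):
    """Stream-hash one file so large disk contents do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, ignore=DEFAULT_IGNORE):
    """Return {relative_path: (size, sha256)} for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if rel in ignore:
                continue
            state[rel] = (os.path.getsize(full), _sha256(full))
    return state


def diff_snapshots(before, after):
    """Classify each path as added, removed or modified between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def run_demo():
    """Constructed scenario: a tiny 'clean image' tree, then the kind of changes a
    dropper might leave behind (all invented for this demo), returned as a diff."""
    image = tempfile.mkdtemp(prefix="clean_image_")
    try:
        def write(name, data):
            with open(os.path.join(image, name), "wb") as f:
                f.write(data)

        # State of the golden image before the sample runs.
        write("hosts", b"127.0.0.1 localhost\n")
        write("readme.txt", b"golden image\n")
        write("system.log", b"boot 1\n")
        write("report.ppt", b"constructed ppt bytes")
        before = snapshot(image)

        # Simulated post-detonation state (constructed, not real malware behaviour).
        write("system.log", b"boot 2\n")                     # expected noise, ignored
        write("hosts", b"127.0.0.1 localhost\n203.0.113.1 update.example\n")  # modified
        write("dropped.dll", b"constructed dropped payload")  # added
        os.remove(os.path.join(image, "readme.txt"))          # removed
        after = snapshot(image)

        return diff_snapshots(before, after)
    finally:
        shutil.rmtree(image, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

Against a real VM the same two functions are pointed at a mounted copy of the disk image rather than a temp directory; registry hives and in-memory state need separate handling that this file-level diff does not cover.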
  19. Re:Suspicious Files by alphasubzero949 · · Score: 1

    I stand corrected.

  20. Re:Suspicious Files by gnuman99 · · Score: 1

    Mr. Bad Example wrote:
    >> But what if you receive a Power Point presentation from your
    >> manager called "ReadThisOrYourFired.ppt"?
    >
    >I'd quit. I refuse to work for anyone who can't tell the difference between a possessive pronoun and a contraction.

    Thank you Mr. Bad Example!

  21. Re:Suspicious Files by Opportunist · · Score: 2, Funny

    You've never worked for a big corporation with managers who think PowerPoint is the pinnacle of communication and presentation, all rolled into one.

    But you could still find out if it's real or not. If it is not sent with highest priority, it is definitely bogus.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  22. How many of us... by Rice-Pudding · · Score: 1
    ... have viewed the PPT presentation of Paul Allen's yacht, circulating a while back. Or other PPT things that get mailed around almost as often as the funny video clips we send each other.

    And this is not a virus: I choose to send these to my friends :-(

  23. Re:Suspicious Files by babbling · · Score: 1

    I'd quit because I could probably find a better job that doesn't involve using PowerPoint.

  24. We seem to be working through the MS wheel by Centurix · · Score: 2, Insightful

    Word, Excel, IE, PowerPoint, OE, Windows itself.

    I'm now preparing for the 0-day notepad exploit...

    --
    Task Mangler
    1. Re:We seem to be working through the MS wheel by grumpyman · · Score: 1
      >>I'm now preparing for the 0-day notepad exploit...

      That's ok, as long as there's no 0-day minesweeper or heart exploit.

    2. Re:We seem to be working through the MS wheel by ozmanjusri · · Score: 1
      We seem to be working through the MS wheel

      Somebody should hook up a generator to that puppy...

      --
      "I've got more toys than Teruhisa Kitahara."
    3. Re:We seem to be working through the MS wheel by webweave · · Score: 1

      I like the wheel analogy. How's this one? You can't afford a good car or you can't find a mechanic who can fix a good car so you go out and buy the same piece of crap that all the other poor stupid people have. Fine, now you're one of a hundred-million but your car is rusting and burning oil and there are still payments to be made. You've invested all this money in keeping it on the road but you know it's not safe but it's all you got. When something breaks you fix it with binder twine and duct tape and when you got a few bucks in your pocket you pay some "professional" to do exactly the same thing. It doesn't make you feel good but it's what everyone else is doing so it must be ok, you think.

      The fixes you were promised never arrive or when they do they disable something you had enjoyed, needed or worse make your car too slow to go on the highway. Since you have to hold the doors closed with your arms and you can see the road beneath you from all the holes you don't feel safe on the highway but you must continue on because the fix is just around the corner. The latest recall fix arrives but there's nothing to address the problems you're having; it's all just bright shiny stickers and racing stripes and chrome stuff that gets glued over the rusty bits. Continue this for years with the only perceivable change being the version numbers.

      I would like to thank all the documenters of windows vulnerabilities. They make my job easier when I reformat a former windows computer and install a custom linux/unix/GNU system. Why does everyone need the MS wheel anyway? Let's just keep windows around as a decoy to keep the virus and trojan people busy.

    4. Re:We seem to be working through the MS wheel by Anonymous Coward · · Score: 0

      There's a pretty well known bug with the way Notepad handles Unicode recognition. For example, try typing "this app can break" into a text document, then open it with Notepad. All you'll get is gibberish. There are a lot of other strings that'll break Notepad, like "Bush hid the facts", or even "nnnn nnn nnn nnnnn". Given the security track record for other Microsoft apps, I'm sure that it's only a matter of time before someone makes an exploit based on this bug.

  25. And the State Dept was called racist over Lenovo by MikeRT · · Score: 1

    Seems they've got reason to worry after all. The "we all do it" argument is bullshit. China's government is notorious for economic espionage and many of its corporations, probably most, are owned by military officers or the military as an organization. The fears about China are grounded in reality.

  26. Enemy? by MarkByers · · Score: 1, Troll

    Enemy? Just because China is becoming a powerful nation doesn't mean you have to neutralize them before they overtake you. If America can be a powerful nation without fucking up the rest of the world, I'm sure China can do it too. Probably they'd do it a lot better actually. Stop killing everyone and try to learn how to get on with the people around you, even though they may be different to you.

    --
    I'll probably be modded down for this...
    1. Re:Enemy? by poser101 · · Score: 1

      If America can be a powerful nation without fucking up the rest of the world, I'm sure China can do it too.

      What planet is this America on? The one I live in did fuck up the rest of the world to become a powerful nation, and continues to do so in order to retain that power.

      Read your history books.

      --
      The nice part about being a pessimist is that you are constantly being either proven right or pleasantly surprised.
    2. Re:Enemy? by ArcherB · · Score: 1

      What planet is this America on? The one I live in did fuck up the rest of the world to become a powerful nation, and continues to do so in order to retain that power.

      Read your history books.


      Yeah, I studied history. We sure did fuck those poor civilians in Berlin when we dropped all that food on them during that Berlin Airlift thingie. And stopping the Nazis sure did fuck the world up. Ousting that Milosevic guy because he was raping and killing Muslims... I mean, how is that any of our business? You don't have to look very far beyond all those Jap civilians we put in gas chambers after Japan surrendered. Of course don't even get me started how the US took over all those countries and made them sub-states. The US raping Brazil, Chile and Portugal for all the natural resources they can get their hands on! Yeah, America is an evil empire.

      I know it's OT. Just feeding the other OT trolls.

      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    3. Re:Enemy? by db32 · · Score: 1

      Ok...I will bite this once
      Enemy...as in because through your close minded hate for America you forget that China's treatment of their people is an order of magnitude worse. Here we worry bout the government trying to make spying legal...there they worry about watching their family murdered in front of them if they even mutter a word against the government spying on them. Lets be realistic please. Unless you are Chinese and part of the in group...you are pretty much china's enemy. Enemy also doesn't mean open warfare either...but again...close minded hate of America about how we kill everyone.

      "Probably they'd do it alot better actually" Oh my god...that has got to be one of the funniest things I have heard. PLEASE wake up and pay attention. American prison system, cable tv, gym, library, access to lawyers, minimum standards of living...go look at the chinese prison system...pretty sure you won't be getting cable TV anytime soon. Might wanna crack the history books again on who china has supported throughout various wars. Unless you happen to think N. Korea is run by a mild mannered peace loving kind of stable guy. But hey...you are exactly like Bush right? "You are either with us or against us" You can't be middle of the road anymore and use common sense. So either we hate America and talk trash about how we only do evil, or we talk trash about how we only do good. Its impossible to accept that a country that is run by people who change places every few years will have changing agendas *GASP!*. I for one am rather glad we don't have the stable predictable motives of a dictatorship...(although we are getting dangerously close...no thanks to screaming brats like you making anyone who opposes Bush look like a raving moron)

      --
      The only change I can believe in is what I find in my couch cushions.
    4. Re:Enemy? by poser101 · · Score: 1

      Actually, I was referring to things like the Philippine-American war, where U.S. attacks into the countryside often included scorched earth campaigns where entire villages were burned and destroyed, torture (water cure) and the concentration of civilians into "protected zones" (concentration camps). Many American officers and soldiers called this war a "nigger killing business". Or, you know, how the Americans raped and killed the NATIVE Americans who our forefathers stole our land from. Maybe you're forgetting that Americans mass-murdered Korean women and kids during the Korean War, operating under the name of the "UN forces". Families living in Iraq are without electricity and water. Prior to us "helping" them, THEY WERE FINE! They had food, electricity, water, now they have nothing! Anyway... America is not a peaceful, all-helping nation. End of story.

      --
      The nice part about being a pessimist is that you are constantly being either proven right or pleasantly surprised.
    5. Re:Enemy? by Knuckles · · Score: 1

      I'm tempted to add all South American incidents, but I don't have all night. GP should read up on, dunno, Chile, Nicaragua, Cuba, United Fruit Company, ...
      Oh, politics on /. (and I always thought our schools are bad)

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
  27. Aug. 8th? 2 weeks to patch? by Anonymous Coward · · Score: 0

    From the time of this announcement, to the time of resolution... 2 weeks is unacceptable.

  28. OB: Where do you want to be infected today? by Anonymous Coward · · Score: 0

    How, just how, did we get to the point that a slideshow can carry a virus?

    1. Re:OB: Where do you want to be infected today? by Intron · · Score: 1

      It's as silly as an editor containing a psychotherapist!

      --
      Intron: the portion of DNA which expresses nothing useful.
  29. "Safe to assume" by kripkenstein · · Score: 2, Interesting

    TFA says:

    Once this type of attack is out, it's very unusual for it to be limited to just one company. I think it's safe to assume that it's ongoing.

    Me, I think it's safe to assume there are 10 undiscovered corporate espionage trojans out there for every one we hear about. Scary.

  30. 0 Day? by db32 · · Score: 1

    Is this really considered a 0 day anymore? I mean...it's a 0 day exploit on day 0. We are kind of past that now aren't we?

    --
    The only change I can believe in is what I find in my couch cushions.
    1. Re:0 Day? by Anonymous Coward · · Score: 1, Informative

      It's a 0 day exploit as long as there is no fix. If there is a fix that was released 3 days ago, it's a 3 day exploit. The time period is supposed to indicate how much time people have had to update and patch the broken software.

    2. Re:0 Day? by LocalH · · Score: 2, Interesting

      That's not the original use of 0-day. It came from the warez scene, and indicated warez that took "0 days" from retail release to get a cracked version out - generally acquired from an inside source and cracked before retail release.

      --
      FC Closer
    3. Re:0 Day? by Inominate · · Score: 1

      An amazing rationalization of the twist of the meaning.
      0-Day originally meant that it was released "0 days" ago.

  31. Re:Suspicious Files by JamesP · · Score: 1

    I'd probably put this in the "trustworthy" bin...

    However, if it was spelled properly, then I'd raise an alarm :P

    --
    how long until /. fixes commenting on Chrome?
  32. Re:And the State Dept was called racist over Lenov by Anonymous Coward · · Score: 0

    AMEN

  33. OpenOffice?! by madcow_bg · · Score: 1

    Just astounded what would people do just so that they won't have to work with the Linux/OSS nightmare...

  34. they're everywhere! by jhackworth · · Score: 1, Insightful

    "Symantec's Huger said the sophisticated nature of the attacks suggest it is the work of well-organized criminals associated with industrial espionage."

    Fortunately Symantec is coming up with several ways to protect and save us from this nefarious criminal underground. Sorry Symantec, but my suspicion alert level is glowing bright red.

    I don't recall the last time my machine was infected by software that another piece of software could actually do something about it (e.g. virus, trojan, etc). Mostly it's just spyware and rootkits that I don't even know are there until my machine starts running really slow. In spite of this, I've been running some sort of AV application on every system I own for the last 5+ years (basically since I plugged into an always on, broadband connection). The other day I began wondering how much power the aggregate compute cycles for my systems have consumed simply loading the AV software and doing whatever scans are necessary. Then I began wondering about this for all machines everywhere. Besides reduced power bills, what benefit could be derived from diverting all those wasted cycles to a task of tangible benefit?

    Of course the other side of this argument points to the eradication of polio from a long-term vaccination regimen and resurgence in places where vaccination isn't occurring.

    In any case, it tickles some nerve deep in my brain when I realize that the folks that are screaming loudest about computer security are also those who stand to benefit most by hawking their wares.

    1. Re:they're everywhere! by plover · · Score: 1
      Have you ever tried to sell something that was of marginal-to-dubious value to begin with? If you don't have some kind of dramatic scare tactics, you won't sell a thing. And you can't have scare tactics without a few scares.

      I've run a hardware firewall ever since I got high speed net access. The only spyware I ever got was from a CD-ROM Borland game in 1998 just as the ideas for spyware were being developed. And I've never gotten a virus at home (laptop users at work are a different nightmare.) "Not being stupid" is all it really takes to avoid the damned things.

      This whole "OMG, virus!!1!" spiel kind of reminds me of an employee at a local auto-body company. We had a very snow-free winter one year (meaning no accidents and slow business) so this jerk took a "beater car" and bounced it off a bunch of parked cars one night. If all else fails, manufacture the need.

      --
      John
  35. Re:Suspicious Files by ncc74656 · · Score: 1
    But Al Gore uses PowerPoint. Who wouldn't want to work for him?

    Anyone with an IQ above that of a cabbage, perhaps?

    --
    20 January 2017: the End of an Error.
  36. Is OOo vulnerable? by bob291 · · Score: 1

    Is this trojan a problem for the OOo program Impress?

    1. Re:Is OOo vulnerable? by Intron · · Score: 3, Funny
      Of course. Steps to duplicate are:
      • Start Impress
      • Create new presentation using Wizard
      • Select type: from template
      • Select background: Dark blue with orange
      • Select output medium: screen
      • Select slide effect: open backdoor in kernel
      Nothing to it.
      --
      Intron: the portion of DNA which expresses nothing useful.
  37. Re:Suspicious Files by grasshoppa · · Score: 0

    Anyone with an IQ above that of a cabbage, perhaps?

    http://en.wikipedia.org/wiki/Al_Gore

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
  38. Re:Suspicious Files by Frankie70 · · Score: 1

    assa

  39. Re:Suspicious Files by Anonymous Coward · · Score: 0

    One of my customers uses PowerPoint quite frequently. He draws up charts and graphs during meetings and emails the notes to everyone in attendance.

    What to do?

  40. Hmmm by colinrichardday · · Score: 1

    During the tests the British Challenger tanks had difficulty with navigation and were unable to work out exactly where they were. The British use the satellite global positioning system, GPS, for navigation, whilst the French had no such problems with their navigation.

    The Americans also claimed that their navigation suffered difficulty and it was later alleged that the French were covertly interfering with a GPS signal.


    Would you buy a tank whose GPS navigation can be interfered with by the French?

    1. Re:Hmmm by grassy_knoll · · Score: 1
      Would you buy a tank whose GPS navigation can be interfered with by the French?


      [humor]
      So... are you saying the French were providing a public service by jamming GPS signals?
      [/humor]

      As a point of fact, the Greek government didn't... but they didn't buy the French tank either. They went with the German one, which either doesn't use GPS or (unlikely) wasn't affected by the jamming.
    2. Re:Hmmm by colinrichardday · · Score: 1

      In an actual war, one's opponents might try to interfere with GPS navigation, so perhaps one should consider that when buying tanks. As you said, the German (Leopards) weren't affected.

  41. Microsoft's Response times. by kinglink · · Score: 1

    Have you ever actually looked at Microsoft's response times? There are many viruses that use the same doors to damage systems, and the reason for it?

    Slow response times. This is Microsoft's way: it can't just be a hot fix, it has to be a hotfix, say three days to write, then testing begins, doesn't fix the problem on one computer, another week of programming, then finally it's ready for more testing. You get the idea.

    1. Re:Microsoft's Response times. by Anonymous Coward · · Score: 0

      Wait, Microsoft actually does work? I thought that everyone just sat around in meetings all day, while occasionally a bad product would mysteriously arrive at their door from the devil. Wasn't that the deal?

  42. Gotta wonder by Anonymous Coward · · Score: 0

    With the continuing risk that Office and Windows represents, what company really, really, really needs to have Windows and Office anymore? The last few exploits are carefully crafted to hide themselves, capture sensitive corporate information and, essentially, ruin specific company targets.

    Frankly, any company that really, really, really needs to have Microsoft products is going to be out of business soon anyway!

  43. Re:And the State Dept was called racist over Lenov by DamnStupidElf · · Score: 1

    America's government is notorious for economic espionage and many of its corporations, probably most, are controlled/owned by military officers or the military as an organization. The fears about America are grounded in reality.

    Oh, wait, did I copy that wrong? I was just thinking about all the silly IP laws the USA tries to export and companies like Lockheed Martin, General Dynamics, Diebold, Blackwater, Halliburton...

  44. In China? by Tired+and+Emotional · · Score: 1

    It sends the stolen information to a computer in China?

    Does this mean if you make sure your slides all have the magic word in white on white in them somewhere, they'll get gobbled by the People's Great Firewall and the perps won't get your data?

    --
    Squirrel!
  45. What about signed attachments? by dschuetz · · Score: 1

    I asked a few folks I work with back when the last (actually, the last before the last, the Word 0-day) exploit came out, whether it was feasible in a corporate environment to configure servers to strip attachments from any email where the mail (and the attachment) are not signed by a recognizable, valid cert.

    Obviously, this requires a PKI of some sort, but for those companies which already do, it seems this would be a simple, easy way to virtually eliminate the possibility of outside trojans / viruses / whatever getting loose in the internal environment.

    In fact, it's so simple, that I'm sure I'm missing something significant. Anyone care to point out what it is?
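    One way to prototype the policy dschuetz is asking about, as an added example that is not part of this thread or of any mail product: a small Go gateway check in which an attachment is delivered only when it carries a signature from a certificate that chains to the company's own CA. Everything here is constructed in memory for the demo: the corporate CA, the employee certificate, a rogue self-signed certificate that merely claims the same address, and the attachment names and bytes. Real S/MIME (CMS/PKCS#7 inside the MIME structure) is assumed to be unpacked by the mail server and is stood in for by a detached ECDSA signature carried next to the signer certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Attachment is a constructed stand-in for one MIME part plus the detached signature and signer certificate an S/MIME layer would carry.
type Attachment struct {
	Name   string
	Data   []byte
	Sig    []byte            // ASN.1 ECDSA signature over SHA-256(Data); nil if unsigned
	Signer *x509.Certificate // certificate presented with the signature; nil if unsigned
}

func check(err error) {
	if err != nil {
		panic(err) // demo setup only: key generation and encoding fail only if the RNG does
	}
}

// template builds either a CA template or an S/MIME end-entity template.
func template(serial int64, name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.EmailAddresses, t.KeyUsage = []string{name}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	}
	return t
}

// issue generates a P-256 key and a certificate for it; a nil parent makes it self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return key, cert
}

// Sign is the sender side: a detached signature over the attachment bytes.
func Sign(name string, data []byte, key *ecdsa.PrivateKey, cert *x509.Certificate) Attachment {
	h := sha256.Sum256(data)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	check(err)
	return Attachment{Name: name, Data: data, Sig: sig, Signer: cert}
}

// Verified is the gateway side: the signer must chain to a trusted root and be an e-mail certificate, and the signature must match the bytes received.
func Verified(att Attachment, roots *x509.CertPool) bool {
	if att.Sig == nil || att.Signer == nil {
		return false
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := att.Signer.Verify(opts); err != nil {
		return false // unknown CA, expired, or not an e-mail certificate
	}
	return att.Signer.CheckSignature(x509.ECDSAWithSHA256, att.Data, att.Sig) == nil
}

// Demo builds a corporate CA, an employee certificate and a rogue self-signed certificate claiming
// the same address (all constructed), runs four constructed attachments through the policy and returns the names delivered and stripped.
func Demo() (delivered, stripped []string) {
	caKey, caCert := issue(template(1, "Example Corp Mail CA", true), nil, nil)
	empKey, empCert := issue(template(2, "alice@example.com", false), caCert, caKey)
	rogueKey, rogueCert := issue(template(3, "alice@example.com", false), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	good := Sign("quarterly.ppt", []byte("legit deck"), empKey, empCert)
	rogue := Sign("invoice.ppt", []byte("spoofed sender"), rogueKey, rogueCert)
	tampered := Sign("budget.ppt", []byte("original bytes"), empKey, empCert)
	tampered.Data = []byte("modified after signing") // signature no longer matches
	for _, a := range []Attachment{good, {Name: "agenda.ppt", Data: []byte("never signed")}, rogue, tampered} {
		if Verified(a, roots) {
			delivered = append(delivered, a.Name)
		} else {
			stripped = append(stripped, a.Name)
		}
	}
	return delivered, stripped
}

func main() {
	delivered, stripped := Demo()
	fmt.Println("delivered:", delivered, "stripped:", stripped)
}
```

    The four constructed cases show what the gate does and does not buy: the unsigned attachment, the one signed by a key that merely claims the same address, and the one modified after signing are all stripped, and only the attachment signed under the corporate CA gets through. What the signature does not prove is that the content is safe: if an employee's workstation is already compromised, which is exactly the "appear to come from colleagues internally" case the story warns about, malware can be signed with that employee's key and would pass this check. The policy narrows provenance rather than verifying content, and in a real deployment revocation checking (not shown here) has to be part of the chain validation.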

  46. Re:And the State Dept was called racist over Lenov by AtomicBomb · · Score: 1

    If I were the China government and I wanted to carry out some industrial espionage, I would choose a server in India, Taiwan, or wherever not within my jurisdiction to relay the traffic. No one would be that stupid to use their own machine for serious operation, esp. with this sort of sophisticated zero-day crack.

    If you look up 8800.org (the one that the PowerPoint crack sends keylog data to), you will know that it hosts a free DNS forwarding service (excuse me if my terminology is wrong). It provides the same sort of service as no-ip.com or dyndns.com. I can imagine the web traffic is forwarded to some cracked home machine with a broadband connection. The real recipient behind this can really be anyone.

  47. that and more by r00t · · Score: 1

    The financial stuff is great, even if only used as financial info. There is this thing called the stock market, where advance knowledge can be translated into a SHITLOAD of money...

    Then, since this is the Chinese:

    Purchase orders for submarine parts may reveal designs.
    Ripping off Apple is easier if you know in advance.
    Future hacking may be easier if you can swipe some source code.
    A list of employees at a defense contractor helps with social engineering.

  48. I think so by r00t · · Score: 1

    I can't get the trojan to run. That seems rather incompatible to me.

    I guess I should file a bug report.

  49. Indeed, you have the answer. by r00t · · Score: 1

    For all our new TOP SECRET programs, we must pick suitable codewords.

    Transmit by DEMOCRACY channels only!
    For FALUN GONG usage only!
    Authorized for TAIWAN program only!
    Access restricted to FREE TIBET personnel only!