PowerPoint 0-Day Points to Corporate Espionage

Rakesgate writes "A second Trojan used in the latest zero-day attack against Microsoft Office contains characteristics that pinpoint corporate espionage as the main motive, according to virus hunters tracking the threat. This eWeek story walks through the attack, which uses a tainted 18-slide PowerPoint file, a Trojan dropper, 2 Trojans and a server in China that is used to communicate with compromised machines." From the article: "'Once this type of attack is out, it's very unusual for it to be limited to just one company. I think it's safe to assume that it's ongoing, especially since there is no patch for this vulnerability,' Huger added. Microsoft plans to issue a patch on August 8 for users of Microsoft PowerPoint 2000, Microsoft PowerPoint 2002 and Microsoft PowerPoint 2003. In the meantime, anti-virus experts are urging Microsoft Office users to be on the lookout for suspicious attachments, even those that appear to come from colleagues internally."

August 8?

[alphasubzero949]

Who wants to take bets that someone will have a patch out there before MS does, much like with the WMF flaw?

How many more machines have to be compromised before users begin to take matters into their own hands?

The arrogance of MS is astounding. And don't say it's because of testing.

Re:August 8?

[evil+agent]

Testing is a big reason. But the bigger reason is unmaintainable code.

Re:August 8?

[Opportunist]

The WMF Exploit was not targeted. It was sold as a roll-your-own-spreader kit and a lot of people used it to spray their own malware over the net. It was a threat to the net community at large.

The office exploits (not only this one, but also its predecessors that targeted Excel and Word) are carefully crafted, targeted attacks against very specifically selected companies. It's even for AV companies not an easy task to get a hold of some of these malware products, so it is very, very unlikely that we'll see a sizable spread to the wild any time soon (at least before the next patchday). Of the various Office-Overflow-Exploits, I only know of a Word variant that had any remotely relevant in the wild spread.

Doesn't warrant writing your own patch code. Especially with StarOffice being a very handy replacement to the problem.

MS, grrr

[joe+155]

I understand that some people like getting their patches every first tuesday of the month, but why force everyone to wait until the 8th. Why not let those people who are willing to risk the very small possibility of a problem caused by the patch but don't want to take the serious risk of their system getting cained by some black hat in China get the patch when they want it?... especially home users for whom a patch would pose very little problem even if it was badly written

Chinese Firewalls

[ArcherB]

Why can't the Chinese set up thier firewalls block this kind sh*t?

Re:Suspicious Files

[sam1am]

I was under the impression he used Keynote. (Reference)

"Safe to assume"

[kripkenstein]

TFA says:

Once this type of attack is out, it's very unusual for it to be limited to just one company. I think it's safe to assume that it's ongoing.

Me, I think it's safe to assume there are 10 undiscovered corporate espionage trojans out there for every one we hear about. Scary.

Re:0 Day?

[LocalH]

That's not the original use of 0-day. It came from the warez scene, and indicated warez that took "0 days" from retail release to get a cracked version out - generally acquired from an inside source and cracked before retail release.