Slashdot Mirror


PowerPoint 0-Day Points to Corporate Espionage

Rakesgate writes "A second Trojan used in the latest zero-day attack against Microsoft Office contains characteristics that pinpoint corporate espionage as the main motive, according to virus hunters tracking the threat. This eWeek story walks through the attack, which uses a tainted 18-slide PowerPoint file, a Trojan dropper, 2 Trojans and a server in China that is used to communicate with compromised machines." From the article: "'Once this type of attack is out, it's very unusual for it to be limited to just one company. I think it's safe to assume that it's ongoing, especially since there is no patch for this vulnerability,' Huger added. Microsoft plans to issue a patch on August 8 for users of Microsoft PowerPoint 2000, Microsoft PowerPoint 2002 and Microsoft PowerPoint 2003. In the meantime, anti-virus experts are urging Microsoft Office users to be on the lookout for suspicious attachments, even those that appear to come from colleagues internally."

31 of 111 comments

  1. Suspicious Files by neonprimetime · · Score: 4, Funny

    In the meantime, anti-virus experts are urging Microsoft Office users to be on the lookout for suspicious attachments, even those that appear to come from colleagues internally

    But what if you receive a Power Point presentation from your manager called "ReadThisOrYourFired.ppt"? It looks suspicious, but oh the dilemma.

    1. Re:Suspicious Files by WhiteWolf666 · · Score: 4, Funny

      Simple. You're really not thinking like a PHB. Stop thinking like an engineer, and start thinking like a moron!

      You receive said PowerPoint. You immediately set out to install a special PowerPoint Viewing Cart, complete with portable generator, portable PC, portable projector, and portable screenbooth (think 4 Chinese folding wall screens with a roof). Even though you've created a special system to "isolate" your PowerPoints, you make sure it's got full network access via 802.11, with RW support on all shares, globally.

      If you can't build this setup by stealing the parts from a coworker's desk or the conference room, order them all. Better yet, set up an auction website where suppliers can bid on the various parts of your setup. You, of course, send money before you receive product; after all, you've gotten the lowest cost option, so you can risk the capital.

      Then, watch said PowerPoint on the PowerPoint Viewing Cart. Proceed to tell boss that you thought this high priority PowerPoint was, indeed, from him, and that since it blew away the PowerPoint Viewing Cart, you now need to spend the rest of the week repairing it. If he asks you why you are repairing it, make sure to make it clear that you want him to be able to view the high priority PowerPoint he had just received, "ReadThisNowOrYourStockOptionsWillExpire.ppt". Explain to him the virtues of a private viewing environment, portable generator, and Dolby surround sound.

      Voila! Much like any MSCE, you've turned a Microsoft Product into a never ending source of contract work, all without quitting your day job.

      --
      WhiteWolf666, an ex-Bush supporter. All you new-school, compassionate, save-the-children Republicans can rot in hell
  2. Corporate? Pshaw... by Linkiroth · · Score: 3, Funny

    "Symantec's Huger said the sophisticated nature of the attacks suggest it is the work of well-organized criminals associated with industrial espionage." Now, now, Symantec. Everyone who's seen any 007 movie knows. It's not the criminals that are taking down the evil corporation... ...it's the British. ::walks off, whistling James Bond theme::

  3. Re:Suspicious Files by Mr.+Bad+Example · · Score: 5, Funny

    > But what if you receive a Power Point presentation from your
    > manager called "ReadThisOrYourFired.ppt"?

    I'd quit. I refuse to work for anyone who can't tell the difference between a possessive pronoun and a contraction.

  4. August 8? by alphasubzero949 · · Score: 2, Interesting

    Who wants to take bets that someone will have a patch out there before MS does, much like with the WMF flaw?

    How many more machines have to be compromised before users begin to take matters into their own hands?

    The arrogance of MS is astounding. And don't say it's because of testing.

    1. Re:August 8? by evil+agent · · Score: 2, Interesting

      Testing is a big reason. But the bigger reason is unmaintainable code.

      --
      End transmission.
    2. Re:August 8? by andrewman327 · · Score: 4, Informative

      So do you think that OpenOffice has similar flaws waiting to be exploited? Does that program provide true security or security through obscurity?

      --
      Information wants a fueled airplane waiting at the hangar and no one gets hurt.
    3. Re:August 8? by Opportunist · · Score: 3, Interesting

      The WMF Exploit was not targeted. It was sold as a roll-your-own-spreader kit and a lot of people used it to spray their own malware over the net. It was a threat to the net community at large.

      The Office exploits (not only this one, but also its predecessors that targeted Excel and Word) are carefully crafted, targeted attacks against very specifically selected companies. Even for AV companies it is not an easy task to get hold of some of these malware products, so it is very, very unlikely that we'll see a sizable spread to the wild any time soon (at least before the next patch day). Of the various Office overflow exploits, I only know of a Word variant that had any remotely relevant in-the-wild spread.

      Doesn't warrant writing your own patch code. Especially with StarOffice being a very handy replacement to the problem.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:August 8? by evil_Tak · · Score: 4, Informative

      OpenOffice's code is a nightmare. That's why they still haven't released an x86-64 port.

      Probably more important is not to run it on top of an OS that blindly gives it access to kernel-level network service code.

  5. Sweet Excuse! by bigtimepie · · Score: 4, Funny

    lookout for suspicious attachments, even those that appear to come from colleagues internally

    Sorry, Boss, I never got those reports... the IT guy told me I shouldn't open attachments until the new MS patch is out!

  6. Re:Suspicious Files by gEvil+(beta) · · Score: 4, Funny

    I'd quit because I refuse to work for anyone who uses PowerPoint as a primary form of communication.

    --
    This guy's the limit!
  7. MS, grrr by joe+155 · · Score: 4, Interesting

    I understand that some people like getting their patches every first Tuesday of the month, but why force everyone to wait until the 8th? Why not let those people who are willing to risk the very small possibility of a problem caused by the patch, but don't want to take the serious risk of their system getting caned by some black hat in China, get the patch when they want it?... especially home users, for whom a patch would pose very little problem even if it was badly written.

    --
    *''I can't believe it's not a hyperlink.''
    1. Re:MS, grrr by Anonymous Coward · · Score: 2, Funny

      I understand that some people like getting their patches every first tuesday of the month, but why force everyone to wait until the 8th.

      If you're waiting until the 8th Tuesday of the month for your patches, you'll be waiting a long time.

  8. Chinese Firewalls by ArcherB · · Score: 2, Interesting

    Why can't the Chinese set up their firewalls to block this kind of sh*t?

    --
    There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    1. Re:Chinese Firewalls by MarkByers · · Score: 4, Funny

      Why can't the Chinese set up their firewalls to block this kind of sh*t?

      That's a ridiculous suggestion. It's not the job of the Chinese government to monitor all traffic going in and out of China.

      Oh wait..

      --
      I'll probably be modded down for this...
    2. Re:Chinese Firewalls by vishbar · · Score: 2, Insightful

      [Puts on tin foil hat]

      Sometimes I'm suspicious of the Chinese government..well, actually, ALL the time I'm suspicious of the Chinese government. They call it corporate espionage...what if it's just...well...regular espionage by a curious Communist nation?

      Of course, this is complete tin foil hat speculation with no good evidence to back it up, but the suspicion still rests in the back of my mind.

      --
      Ride the skies
    3. Re:Chinese Firewalls by ArcherB · · Score: 2, Insightful

      In a communist country, all business is owned and controlled by the government. So corporate espionage is government spying. (insert mother Russia joke here).

      So, put your tin-foil hat back on. It is warranted.

      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
  9. Click ME! by digitaldc · · Score: 2, Funny

    Subject: Click on this attachment, and all your wildest dreams will come true.

    Well, it worked for Napoleon Dynamite....."CLICK"

    ----->BSOD: All Your Assets Are Belong To Us!

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  10. gratuitous by LeonardsLiver · · Score: 2, Funny

    "Somebody needs to tell the Chinese to stop doing this shit..."

  11. Corporate Espionage by panaceaa · · Score: 4, Insightful

    Is corporate espionage actually valuable? I'm currently working at Adobe, and development plans are pretty widely discussed amongst employees. If something were to leak, I'm not sure what the value of it would be. The only real data points that are heavily protected are financial results and projections, and the product release dates that those rely on. But I'm pretty sure those are only protected for Wall Street purposes.

    What kind of data do corporate spies hope to obtain? Would that data be actionable -- e.g., could a company come up with a competing product and be first to market if another company's already halfway there?

    1. Re:Corporate Espionage by toybuilder · · Score: 3, Informative

      Corporate espionage can include things like customer and vendor lists, and product pricing details. And, many companies are quite secretive about their leading edge R&D.

    2. Re:Corporate Espionage by ikandi · · Score: 2, Insightful

      Not for Adobe competitors - there aren't any.

    3. Re:Corporate Espionage by Angostura · · Score: 3, Insightful

      So you knew about the Macromedia buyout how many weeks in advance?

    4. Re:Corporate Espionage by Renraku · · Score: 3, Insightful

      You know that the Chinese can make 90% accurate ripoffs of expensive-but-cheap items like Oakleys, Rolexes, etc. You know how? Espionage. Most of the time those near-perfect replicas come from a Chinese factory that got hold of the plans and/or schematics for a device.

      The Chinese could manufacture a PS2 controller for like $5 if they wanted. Perfect replica of the official Sony one, down to the markings and logos.

      --
      Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
  12. Re:Suspicious Files by sam1am · · Score: 2, Interesting

    I was under the impression he used Keynote. (Reference)

  13. Thank goodness.. by the_rajah · · Score: 2, Funny

    I'm still using Office 97.

    --
    "Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
  14. Re:Suspicious Files by Opportunist · · Score: 2, Funny

    You've never worked for a big corporation with managers who think powerpoint is the pinnacle of communication and presentation, all rolled into one.

    But you could still find out if it's real or not. If it is not sent with highest priority, it is definitely bogus.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  15. We seem to be working through the MS wheel by Centurix · · Score: 2, Insightful

    Word, Excel, IE, PowerPoint, OE, Windows itself.

    I'm now preparing for the 0-day notepad exploit...

    --
    Task Mangler
  16. "Safe to assume" by kripkenstein · · Score: 2, Interesting

    TFA says:

    Once this type of attack is out, it's very unusual for it to be limited to just one company. I think it's safe to assume that it's ongoing.

    Me, I think it's safe to assume there are 10 undiscovered corporate espionage trojans out there for every one we hear about. Scary.

  17. Re:0 Day? by LocalH · · Score: 2, Interesting

    That's not the original use of 0-day. It came from the warez scene, and indicated warez that took "0 days" from retail release to get a cracked version out - generally acquired from an inside source and cracked before retail release.

    --
    FC Closer
  18. Re:Is OOo vulnerable? by Intron · · Score: 3, Funny

    Of course. Steps to duplicate are:

    • Start Impress
    • Create new presentation using Wizard
    • Select type: from template
    • Select background: Dark blue with orange
    • Select output medium: screen
    • Select slide effect: open backdoor in kernel

    Nothing to it.

    --
    Intron: the portion of DNA which expresses nothing useful.