PowerPoint 0-Day Points to Corporate Espionage

Rakesgate writes "A second Trojan used in the latest zero-day attack against Microsoft Office contains characteristics that pinpoint corporate espionage as the main motive, according to virus hunters tracking the threat. This eWeek story walks through the attack, which uses a tainted 18-slide PowerPoint file, a Trojan dropper, 2 Trojans and a server in China that is used to communicate with compromised machines." From the article: "'Once this type of attack is out, it's very unusual for it to be limited to just one company. I think it's safe to assume that it's ongoing, especially since there is no patch for this vulnerability,' Huger added. Microsoft plans to issue a patch on August 8 for users of Microsoft PowerPoint 2000, Microsoft PowerPoint 2002 and Microsoft PowerPoint 2003. In the meantime, anti-virus experts are urging Microsoft Office users to be on the lookout for suspicious attachments, even those that appear to come from colleagues internally."

Supsicious Files

[neonprimetime]

In the meantime, anti-virus experts are urging Microsoft Office users to be on the lookout for suspicious attachments, even those that appear to come from colleagues internally

But what if you receive a Power Point presentation from your manager called "ReadThisOrYourFired.ppt"? It looks suspicious, but oh the dilema.

Re:Supsicious Files

[WhiteWolf666]

Simple. You're really not thinking like a PHB. Stop thinking like an engineer, and start thinking like a moron!

You receive said PowerPoint. You immediately set out to install a special PowerPoint Viewing Cart, complete with portable generator, portable PC, portable projector, and portable screenbooth (think 4 Chinese folding wall screens with a roof). Even though you've created a special system to "isolate" your PowerPoints, you make sure it's got full network access via 802.11, with RW support on all shares, globally.

If you can't build this setup by stealing the parts from a coworker's desk or the conference room, order them all. Better yet, setup an auction website where suppliers can bid on the various parts of your setup. You, of course, send money before you receive product; after all, you've gotten the lowest cost option, so you can risk the capital.

Then, watch said PowerPoint on the PowerPoint Viewing Cart. Proceed to tell boss that you thought this high priority PowerPoint was, indeed, from him, and that since it blew away the PowerPoint Viewing Cart, you now need to spend the rest of the week repairing it. If he asks you why you are repairing it, make sure to make it clear that you want him to be able to view the high priority PowerPoint he had just received, "ReadThisNowOrYourStockOptionsWillExpire.ppt" . Explain to him the virtues of private viewing environment, portable generator, and dolby surround sound.

Voila! Much like any MSCE, you've turned a Microsoft Product into a never ending source of contract work, all without quitting your day job.

Corporate? Pshaw...

[Linkiroth]

"Symantec's Huger said the sophisticated nature of the attacks suggest it is the work or well-organized criminals associated with industrial espionage." Now, now, Symantec. Everyone who's seen any 007 movie knows. It's not the criminals that are taking down the evil corporation... ...it's the british. ::walks off, whistling James Bond theme::

Re:Suspicious Files

[Mr.+Bad+Example]

> But what if you receive a Power Point presentation from your
> manager called "ReadThisOrYourFired.ppt"?

I'd quit. I refuse to work for anyone who can't tell the difference between a possessive pronoun and a contraction.

Sweet Excuse!

[bigtimepie]

lookout for suspicious attachments, even those that appear to come from colleagues internally

Sorry, Boss, I never got those reports... the IT guy told me I shouldn't open attachments until the new MS patch is out!

Re:Suspicious Files

[gEvil+(beta)]

I'd quit because I refuse to work for anyone who uses PowerPoint as a primary form of communication.

MS, grrr

[joe+155]

I understand that some people like getting their patches every first tuesday of the month, but why force everyone to wait until the 8th. Why not let those people who are willing to risk the very small possibility of a problem caused by the patch but don't want to take the serious risk of their system getting cained by some black hat in China get the patch when they want it?... especially home users for whom a patch would pose very little problem even if it was badly written

Corporate Espionage

[panaceaa]

Is corporate espionage actually valuable? I'm currently working at Adobe, and development plans are pretty widely discussed amongst employees. If something were to leak, I'm not sure what the value of it would be. The only real data points that are heavily protected are financial results and projections, and the product release dates that those rely on. But I'm pretty sure those are only protected for Wall Street purposes.

What kind of data do corporate spies hope to obtain? Would that data be actionable -- e.g, could a company come up with a competing product and be first to market if another company's already half way there?

Re:Corporate Espionage

[toybuilder]

Corporate espionage can include things like customer and vendor lists, and product pricing details. And, many companies are quite secretive about their leading edge R&D.

Re:Corporate Espionage

[Angostura]

So you knew about the Macromedia buyout how many weeks in advance?

Re:Corporate Espionage

[Renraku]

You know that the chinese can make 90% accurate ripoffs of expensive-but-cheap items like Oakleys, rolexes, etc..you know how? Espionage. Most of the time those near-perfecto replicas come from a Chinese factory that got ahold of the plans and/or schematics for a device.

The Chinese could manufacture a PS2 controller for like $5 if they wanted. Perfect replica of the official Sony one, down to the markings and logos.

Re:Chinese Firewalls

[MarkByers]

Why can't the Chinese set up thier firewalls block this kind sh*t?

That's a ridiculous suggestion. It's not the job of the Chinese government to monitor all traffic going in and out of China.

Oh wait..

Re:August 8?

[andrewman327]

So do you think that OpenOffice has similar flaws waiting to be exploited? Does that program provide true security or security through obscurity?

Re:August 8?

[Opportunist]

The WMF Exploit was not targeted. It was sold as a roll-your-own-spreader kit and a lot of people used it to spray their own malware over the net. It was a threat to the net community at large.

The office exploits (not only this one, but also its predecessors that targeted Excel and Word) are carefully crafted, targeted attacks against very specifically selected companies. It's even for AV companies not an easy task to get a hold of some of these malware products, so it is very, very unlikely that we'll see a sizable spread to the wild any time soon (at least before the next patchday). Of the various Office-Overflow-Exploits, I only know of a Word variant that had any remotely relevant in the wild spread.

Doesn't warrant writing your own patch code. Especially with StarOffice being a very handy replacement to the problem.

Re:August 8?

[evil_Tak]

OpenOffice's code is a nightmare. That's why they still haven't released an x86-64 port.

Probably more important is not to run it on top of an OS that blindly gives it access to kernel-level network service code.

Re:Is OOo vulnerable?

[Intron]

Of course. Steps to duplicate are:

• Start Impress
• Create new presentation using Wizard
• Select type: from template
• Select background: Dark blue with orange
• Select output medium: screen
• Select slide effect: open backdoor in kernel

Nothing to it.