PowerPoint 0-Day Points to Corporate Espionage

Rakesgate writes "A second Trojan used in the latest zero-day attack against Microsoft Office contains characteristics that pinpoint corporate espionage as the main motive, according to virus hunters tracking the threat. This eWeek story walks through the attack, which uses a tainted 18-slide PowerPoint file, a Trojan dropper, 2 Trojans and a server in China that is used to communicate with compromised machines." From the article: "'Once this type of attack is out, it's very unusual for it to be limited to just one company. I think it's safe to assume that it's ongoing, especially since there is no patch for this vulnerability,' Huger added. Microsoft plans to issue a patch on August 8 for users of Microsoft PowerPoint 2000, Microsoft PowerPoint 2002 and Microsoft PowerPoint 2003. In the meantime, anti-virus experts are urging Microsoft Office users to be on the lookout for suspicious attachments, even those that appear to come from colleagues internally."

Supsicious Files

[neonprimetime]

In the meantime, anti-virus experts are urging Microsoft Office users to be on the lookout for suspicious attachments, even those that appear to come from colleagues internally

But what if you receive a Power Point presentation from your manager called "ReadThisOrYourFired.ppt"? It looks suspicious, but oh the dilema.

Re:Supsicious Files

[WhiteWolf666]

Simple. You're really not thinking like a PHB. Stop thinking like an engineer, and start thinking like a moron!

You receive said PowerPoint. You immediately set out to install a special PowerPoint Viewing Cart, complete with portable generator, portable PC, portable projector, and portable screenbooth (think 4 Chinese folding wall screens with a roof). Even though you've created a special system to "isolate" your PowerPoints, you make sure it's got full network access via 802.11, with RW support on all shares, globally.

If you can't build this setup by stealing the parts from a coworker's desk or the conference room, order them all. Better yet, setup an auction website where suppliers can bid on the various parts of your setup. You, of course, send money before you receive product; after all, you've gotten the lowest cost option, so you can risk the capital.

Then, watch said PowerPoint on the PowerPoint Viewing Cart. Proceed to tell boss that you thought this high priority PowerPoint was, indeed, from him, and that since it blew away the PowerPoint Viewing Cart, you now need to spend the rest of the week repairing it. If he asks you why you are repairing it, make sure to make it clear that you want him to be able to view the high priority PowerPoint he had just received, "ReadThisNowOrYourStockOptionsWillExpire.ppt" . Explain to him the virtues of private viewing environment, portable generator, and dolby surround sound.

Voila! Much like any MSCE, you've turned a Microsoft Product into a never ending source of contract work, all without quitting your day job.

Re:Suspicious Files

[Mr.+Bad+Example]

> But what if you receive a Power Point presentation from your
> manager called "ReadThisOrYourFired.ppt"?

I'd quit. I refuse to work for anyone who can't tell the difference between a possessive pronoun and a contraction.

Sweet Excuse!

[bigtimepie]

lookout for suspicious attachments, even those that appear to come from colleagues internally

Sorry, Boss, I never got those reports... the IT guy told me I shouldn't open attachments until the new MS patch is out!

Re:Suspicious Files

[gEvil+(beta)]

I'd quit because I refuse to work for anyone who uses PowerPoint as a primary form of communication.

MS, grrr

[joe+155]

I understand that some people like getting their patches every first tuesday of the month, but why force everyone to wait until the 8th. Why not let those people who are willing to risk the very small possibility of a problem caused by the patch but don't want to take the serious risk of their system getting cained by some black hat in China get the patch when they want it?... especially home users for whom a patch would pose very little problem even if it was badly written

Corporate Espionage

[panaceaa]

Is corporate espionage actually valuable? I'm currently working at Adobe, and development plans are pretty widely discussed amongst employees. If something were to leak, I'm not sure what the value of it would be. The only real data points that are heavily protected are financial results and projections, and the product release dates that those rely on. But I'm pretty sure those are only protected for Wall Street purposes.

What kind of data do corporate spies hope to obtain? Would that data be actionable -- e.g, could a company come up with a competing product and be first to market if another company's already half way there?

Re:Chinese Firewalls

[MarkByers]

Why can't the Chinese set up thier firewalls block this kind sh*t?

That's a ridiculous suggestion. It's not the job of the Chinese government to monitor all traffic going in and out of China.

Oh wait..

Re:August 8?

[andrewman327]

So do you think that OpenOffice has similar flaws waiting to be exploited? Does that program provide true security or security through obscurity?

Re:August 8?

[evil_Tak]

OpenOffice's code is a nightmare. That's why they still haven't released an x86-64 port.

Probably more important is not to run it on top of an OS that blindly gives it access to kernel-level network service code.