New Malware Downloader Can Infect PCs Without A Mouse Click (engadget.com)
An anonymous reader quotes Engadget:
You think you're safe from malware since you never click suspicious-looking links, then somebody finds a way to infect your PC anyway. Security researchers have discovered that cybercriminals have recently started using a malware downloader that installs a banking Trojan to your computer even if you don't click anything. All it takes to trigger the download is to hover your mouse pointer over a hyperlink in a carrier PowerPoint file. According to researchers from Trend Micro and Dodge This Security the technique was used by a recent spam email campaign targeting companies and organizations in Europe, the Middle East and Africa. The emails' subjects were mostly finance-related, such as "Invoice" and "Order #," with an attached PowerPoint presentation. The PowerPoint file has a single hyperlink in the center that says "Loading... please wait" that has an embedded malicious PowerShell script. When you hover your mouse pointer over the link, it executes the script.
Trend Micro writes that "while the numbers aren't impressive, it can also be construed as a dry run for future campaigns, given the technique's seeming novelty," adding "It wouldn't be far-fetched for other malware like ransomware to follow suit."
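The hover-triggered launch the summary describes is not magic: in a .pptx it is an ordinary OOXML "run program" action attached to a text run, which means a mail gateway or analyst can look for it without opening the deck in PowerPoint. The scanner below is an added example written for this page, not code from Engadget, Trend Micro or Dodge This Security. It assumes the standard package layout (slides in `ppt/slides/slideN.xml`, relationships in `ppt/slides/_rels/slideN.xml.rels`) and that a program launch is an `a:hlinkMouseOver` or `a:hlinkClick` element with `action="ppaction://program"` whose `r:id` resolves to an `External` relationship carrying the command line. The two-slide deck it builds in memory is constructed for the demonstration, with a placeholder command line rather than any real payload; `scan_pptx` and `build_sample_pptx` are names this example defines.

```python
"""Scan a .pptx for hover/click actions that launch an external program.

Added example, not from the write-up quoted in the summary. Assumptions:
  * slides live in ppt/slides/slideN.xml, their relationships in
    ppt/slides/_rels/slideN.xml.rels (standard OOXML layout);
  * a "run program" action is an <a:hlinkMouseOver> or <a:hlinkClick>
    element with action="ppaction://program" whose r:id resolves to a
    relationship with TargetMode="External"; its Target is the command line.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
PROGRAM_ACTION = "ppaction://program"

# Interpreters that have no business being launched from a slide deck.
SUSPICIOUS_TARGET = re.compile(
    r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)\b", re.I)


def _external_targets(zf, slide):
    """Map relationship Id -> Target for the slide's External relationships."""
    rels_name = f"ppt/slides/_rels/{slide}.xml.rels"
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {
        rel.get("Id"): rel.get("Target", "")
        for rel in root.findall(f"{{{REL_NS}}}Relationship")
        if rel.get("TargetMode") == "External"
    }


def scan_pptx(pptx_bytes):
    """Return one finding per program-launch action found in any slide."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        for name in sorted(zf.namelist()):
            m = re.fullmatch(r"ppt/slides/(slide\d+)\.xml", name)
            if not m:
                continue
            slide = m.group(1)
            targets = _external_targets(zf, slide)
            root = ET.fromstring(zf.read(name))
            for trigger in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter(f"{{{A_NS}}}{trigger}"):
                    if el.get("action") != PROGRAM_ACTION:
                        continue  # ordinary hyperlink, not a program launch
                    target = targets.get(el.get(f"{{{R_NS}}}id"), "")
                    findings.append({
                        "slide": slide,
                        "trigger": trigger,
                        "target": target,
                        "suspicious": bool(SUSPICIOUS_TARGET.search(target)),
                    })
    return findings


def _slide_xml(hlink_element):
    """Minimal slide with one text run carrying the given link element."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<p:sld xmlns:p="{P_NS}" xmlns:a="{A_NS}" xmlns:r="{R_NS}">'
        '<p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r>'
        f'<a:rPr lang="en-US">{hlink_element}</a:rPr>'
        '<a:t>Loading... please wait</a:t>'
        '</a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld></p:sld>'
    )


def _rels_xml(target, target_mode):
    return (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId2" Type="{R_NS}/hyperlink" '
        f'Target="{target}" TargetMode="{target_mode}"/>'
        '</Relationships>'
    )


def build_sample_pptx(with_program_action=True):
    """Constructed two-slide deck (not a real sample): slide1 carries the
    hover action when requested, slide2 carries a harmless web hyperlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if with_program_action:
            hlink = f'<a:hlinkMouseOver r:id="rId2" action="{PROGRAM_ACTION}"/>'
            target = "powershell.exe -Command PLACEHOLDER"  # constructed, no payload
        else:
            hlink = '<a:hlinkClick r:id="rId2"/>'
            target = "https://example.invalid/"
        zf.writestr("ppt/slides/slide1.xml", _slide_xml(hlink))
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", _rels_xml(target, "External"))
        zf.writestr("ppt/slides/slide2.xml", _slide_xml('<a:hlinkClick r:id="rId2"/>'))
        zf.writestr("ppt/slides/_rels/slide2.xml.rels",
                    _rels_xml("https://example.invalid/docs", "External"))
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_pptx(build_sample_pptx()):
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"{flag}: {f['slide']} {f['trigger']} -> {f['target']}")
```

Point `scan_pptx` at the bytes of any real attachment to triage it; a plain web hyperlink never matches because it carries no `ppaction://program` action, so the scanner only reports the launch mechanism itself, not every link in a deck.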
So, I receive a suspicious email, which I need to click on to open. That email contains a PowerPoint attachment, which I need to click on to open. Once done, I can be infected with a mouse-over rather than a click.
Zero-click malware. Meh.
but you have to click on that PowerPoint file.
The PowerPoint file has a single hyperlink in the center that says "Loading... please wait" that has an embedded malicious PowerShell script.
Sooo...the file opens itself without clicking, too? Or how exactly does that work?
Ezekiel 23:20
But you first have to download and run the infected ppt file...
.... don't use Microsoft crap... ever. Really. And if you have to at work, so be it, but don't use it on your home devices.
This is an example of the many "user friendly" features put into software that end up being an easy vector for malice.
Who would have guessed? PowerPoint files don't open without clicking.
Opening suspicious files is still dangerous.
Who woulda thought?
As others have pointed out, this "no click" malware requires you to download and open a malicious powerpoint file, and then hover over the link contained in the file before it can infect you.
If anything, this seems far LESS of a risk than many other attack vectors that also require opening malicious file attachments in email. (usually opening the installer itself instead of a powerpoint file)
That said, WTF powerpoint? who makes a mouseover capable of downloading and installing something? c'mon guys, how stupid do you have to be to allow this sort of behaviour in your file format?
Friends don't let friends install Microsoft Office.
Seriously - once you've got someone to open anything in MS Office, the scripting allowed in those formats means that few vulnerabilities are a very large surprise. That, and if you've ever had to work for a client that demands a large degree of Office interop or automation, you become acutely aware of how messy those formats have become over the years.
Don't get me wrong, in 'friendly' settings, it's got a nice set of features, and there's a reason that many folks allow their careers to be tied into it - but it's not a tool you want anything internet-related to connect to in any way, if you can help it. You're potentially handing over the keys to your computer when you open any of those formats from a potentially unfriendly source.
At least lock it behind a virtual system if you're going to open anything from the random internet.
Ryan Fenton
Meanwhile, the two biggest problems are ignored.
Problem 1 - User stupidity. You get an e-mail with a "finance-related" subject, such as 'Invoice' or 'Order #'. But there's a Powerpoint file attached. Since when are legitimate invoices sent as Powerpoint files?
Problem 2 - Microsoft stupidity. The ability of Powerpoint to run an external executable file (in this case powershell) is a HUGE design flaw that has become a major source of malware distribution.
Back in the day (yesterday?) just opening a Word or Excel document could infect you. This "novel" approach is really taking a step backwards for malware.
They've had to be under the influence of something pretty mind-altering. It's obvious; just take a look at the abortion known as Outlook.
So, I receive a suspicious email, which I need to click on to open.
And before that, you need to click on your browser or e-mail client.
And before that, you need to click to log into the computer.
And before that, you need to push the physical power button.
Zero-click malware. Meh.
Except that random joe 6 pack user...
...does click on any e-mail, because that's what they are used to.
...also recognizes PowerPoint file as one of the few "safe" attachment that they can open.
In other words: all the clicks that a normal user will accomplish in this infection are normal, regular actions that they do on an everyday basis. The users would click all the things you mention anyway.
The thing that actually starts the infection is the "zero-click" part. The unusual action that would be happening on any other day is triggered by a mouse-over instead of a click. That's the peculiarity.
You can train (more or less) the users "Do not click on weird documents/attachments"
It's more difficult in this case because opening a power-point is something that they are expected to do as part of their normal work.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
You do us a disservice when telling us about malware without mentioning the affected OS. I am assuming by your use of the word PowerPoint that this only affects Windows.
Seriously, you have to open the file AND hover over the link? Isn't this a step backward from the previous method of infection which is simply to open the file?
Good point. This isn't nearly as bad as the old Outlook exploit where you didn't even have to open the email for Microsoft to decide to run code in it. We kept getting hit with that since it happened July 4th week, and a lot of people were out of the office with their laptops. We finally ended-up just blocking access from Outlook and requiring people to use OWA (web page).
I don't have a mouse I have a track-pad on one machine and one with a clitoris stick.
1... 2... 3. It takes three clicks to get to the center of a PowerPoint.
The week that happened was hell for us. We shutdown Exchange then for weeks afterwards we had infections still sporadically happening as people opened Outlook on machines they didn't use often. We lost about a 1/4 of our customers because email was down and our phone lines slammed.
It's a good day to own a Mac!
Smells like Windoze crap to me. Linux and BSD are the fixes for this.
So, compared to the Word-Macro trojans, where it's enough to just open a file, you now have to hover the mouse over a link after opening it for infections to happen?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Even after you open the Powerpoint and hover over the link, you will still be prompted with a scary prompt to Allow the WSF or JS(E) or VB(E) or ..., so you still have to click at least once.
PC's, just windows ones. Yawn, who cares.
"Problem 1 - User stupidity" And you have just provided a real world example of Problem #1 with your assertion in Problem #2.
Being able to execute PowerShell scripts from within PowerPoint provides functionality that a lot of people use for a lot of different reasons. That functionality is not a design defect. If it is a design defect, then every single application object capable of invoking external scripts and executables is also a design defect.
And I am continually amazed with statements such as "Microsoft stupidity". If MS is as stupid and as bad as the OS and App evangelicals claim how do you explain their dominance, success, and profitability? If their product line has been so obviously bad how did they achieve their success? Remember this is a corporation that was started relatively recently to supplant corporations such as IBM, Sun, and Xerox? And all of MS's earlier competition in the application space gladly sold their technologies for the obscene amounts of money MS offered. MS didn't steal technology from its competitors; they purchased the technology and absorbed any useful tidbits of the purchased software and left the rest to die. WordPerfect, Lotus 1-2-3, DBase, and Borland's various toolsets and products aimed at developers. These products were dominant over the MS offerings at the time. Netscape had a substantial lead in the browser market and they turned their product into a big steaming pile of shit coupled with atrocious business decisions. (disclaimer) I have not personally used any MS products. However, in the past 10 years but I have completed many large system integration projects that required interfacing all the different technologies running across the enterprise. All the different technologies are just tools that can be used to deliver functionality. Nothing more. The only criteria for selecting a particular technology is picking the one that best suits your needs.
Interesting that Microsoft hasn't fixed this problem... but then, it's Microsoft.
Maybe they thought that the malware people weren't smart enough to use PowerPoint.
(I assume that this doesn't work in LibreOffice or OpenOffice or on OSX or Linux... just the lucky stupid Windows users.)
I don't read your sig. Why are you reading mine?
If you're using an Office product older than Office 2010.
Since then you need to click "Enable" or "Enable All (not recommended)" to on the security prompt to allow the script to run.
So yes, no clicks if you're using Office 2007 or earlier.
It is a fundamental design flaw and vulnerability, in my opinion. Code should not be embedded in data, especially in email messages. Given the existence of the flaw, there's no reason not to warn by default. It represents extreme negligence on the part of MS and other vendors.
But it is a fundamentally stupid idea. There is no need for it. So what if some users want it, let them use a plug in or other tool if they insist on automatically executing code received over the network.
Problem number 1: There is a director at the company I work at and she insists on using PowerPoint to write documents and memos to email to people.
The cow has been informed several times "Do not use PowerPoint for any form of communications" but she still does it, as she insists it's fine. Stupid cow thinks it's no problem but she does not understand why she gets so many emails back from people saying they can't read the attachment.
" All it takes to trigger the download is to hover your mouse pointer over a hyperlink in a carrier PowerPoint file." But where did the Powerpoint come from? Oh right, someone downloaded the PP file from a sketchy link...
And I am continually amazed with statements such as "Microsoft stupidity". If MS is as stupid and as bad as the OS and App evangelicals claim how do you explain their dominance, success, and profitability? If their product line has been so obviously bad how did they achieve their success?
You only need to look at some of the anti-monopolistic practices MS has been convicted of to answer your questions. For a couple of others, like Netscape, yeah, they pretty much screwed themselves.
The cesspool just got a check and balance.
In the next update you no longer have to click the e-mail, the script will be executed immediately when you connect to the e-mail server.
"How many clicks does it take for those of use who do not own or use PowerPoint"
Exactly that.
"Security researchers have discovered that cybercriminals have recently started using a malware downloader that installs a banking Trojan to your computer"
Does it install into my computer or into my *Windows* system?
(once again)
Meanwhile, the two biggest problems are ignored.
Problem 1 - User stupidity. You get an e-mail with a "finance-related" subject, such as 'Invoice' or 'Order #'. But there's a Powerpoint file attached. Since when are legitimate invoices sent as Powerpoint files?
Problem 2 - Microsoft stupidity. The ability of Powerpoint to run an external executable file (in this case powershell) is a HUGE design flaw that has become a major source of malware distribution.
I'd say the biggest problem by far is the idiocy of Microsoft wanting Office to be an operating system unto itself. 99,99% of the problems stem from this retarded policy. User idiocy comes way way down the list man. Let's put the blame right where it belongs.
And it belongs to the fucktards at Microsoft.
What Microsoft's PAST leadership did should not and does not reflect on their current leadership. Try a new one. A company isn't a matured adult, it can change and does change with the people working there.
How many clicks does it take for us who don't use or own PowerPoint, don't click on spam, and won't open PowerPoint attachments even if they came out of the blue from friends? (Simply because we know our friends don't use PowerPoint either, and we'd have no way to view the file even if we were to try to open it.)
End of the day: Microsoft has shitty security in their file formats and programs still.
1... 2... 3. It takes three clicks to get to the center of a PowerPoint.
Well played, wise old owl!
Your comment demonstrates your complete lack of understanding regarding what it takes and what occurred to achieve market dominance not to mention what constitutes sound software architecture.
-rd
You're forgetting a few clicks. Once you open the document, you need to click the Protected Mode warning banner (which it specifically warns you NOT to do unless you are certain of the file's origin) then when the malware tries to execute, you need to click to enable the unsigned macro which it again cautions you with a big red warning to NOT click enable.
hooray for m$ windoze...
Microsoft Office is trying to be emacs now?
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
The VBScript portion NEEDS to be chosen to install, or no scripting is available.
They forgot to mention that.
You would assume incorrectly. There ARE security vulns, and they were discovered by only a small handful (comparatively to Office) of users using Libreoffice. If you don't patch, you're vulnerable.
https://www.libreoffice.org/about-us/security/advisories/
Get it through your heads - there's ALWAYS a security vulnerability. No OS is safe; it just requires one enterprising individual to find the problem.
PowerPoint is still a thing? Well then you can't be helped anyway.
There are two rules for success:
1. Never tell everything you know.
problem solved
*That functionality is not a design defect. If it is a design defect than every single application object capable of invoking external scripts and executables are also design defects.*
The design defect is that it's not running them in a sandbox. It very well might be running them in a sandbox and the script uses a defect in the system to break out (most likely). Possibly that part links to the link preview functionality, since you need the action to sprout out from a mouse hover (if it didn't need that they would have done it that way).
BESIDES.. NO APPLICATION IS SUPPOSED TO BE DOWNLOADABLE FROM THE INTERNET AND EXECUTED WITHOUT ASKING THE USER. This is a clear defect in the product, since this is against MS policy of how Windows should run - you can't INTENTIONALLY download a program without it nagging about whether you really want to run it or not.
Furthermore it is a design defect that breaks ppt functionality if you're supposed to be running those PS scripts to display content inside the ppt, since they are not available on all platforms that have MS-published ppt viewers.
I seriously doubt that in this case executing the script with root rights is the intended effect.
Anyways, I know you're just trolling, because surely you would have personally used _some_ MS product, and why the fuck wouldn't you if they were successful because they're good.
world was created 5 seconds before this post as it is.
You only need to look at some of the anti-monopolistic practices MS has been convicted of to answer your questions.
Like having a proprietary web browser included in their proprietary o/s?
I wonder if any other company does that.
lucm, indeed.
No. Like having a proprietary web browser which is embedded deeply into the OS. Teach me how to uninstall IE on modern Win OS, it is impossible because some functionality is required by the OS itself.
And I am continually amazed with statements such as "Microsoft stupidity". If MS is as stupid and as bad as the OS and App evangelicals claim how do you explain their dominance, success, and profitability?
Why does he need to explain it? Just look at the market data, their success and profitability is demonstrated.
Just as this article demonstrates their stupidity.
That functionality is not a design defect.
Then Microsoft executives need to be in prison for willfully infecting computers with malware.
If it is a design defect then every single application object capable of invoking external scripts and executables are also design defects.
Yes. Every single person who cares about security would agree that being able to run general purpose scripts is a design defect.
The only acceptable scripting ability in an application is one that is limited to APIs that operate on the document itself, and that clearly does not include PowerShell.
Most MS Office exploits I remember would run as soon as you opened the file. It's nice to see that Microsoft have managed to get their security to the point where it is at least necessary to interact with the file once opened to trigger the exploit...
Did you factor in double clicks?
"Installs cr@p to your computer"? What if you don't run as Administrator? And even if you do, how come UAC doesn't save you? The cr@p should only be able to infect your user account, not the entire computer. I ask here because the article doesn't explain these details.
Does it also work with PowerPoint Viewer on Wine?
PowerPoint is available on Macs and mobile devices. PowerShell is not. That's the Power* that indicates Windows. Though not really, because it's also available on Macs and Linux. I've never seen anyone with PowerShell on their Mac though.
It's a powershell macro that does the dirty work. Is it subject to the computer's powershell execution policy? I really wish they would have mentioned that somewhere.
If MS is as stupid and as bad as the OS and App evangelicals claim how do you explain their dominance, success, and profitability?
BING! Found the Free Market apologist!
A LOT of horrible things are very successful. WARS have been fought because of very successful horrors.
Markets are not your kind, caring friends, they're mindless conveyors of products. Markets bring us abominable fast-foods, shoddy and dangerous appliances, and harmful governments. All it takes is someone to sell and someone to buy, and often neither side gives a rat's ass about the quality or safety of what is being sold.
Clickbait article does mention that "newer" office versions may offer yet another barrier to infection. However, it conveniently omits to mention that the feature which prevents the script from running even if you view the file in Powerpoint is called Protected View, and has been available and enabled by default since Office 2010 !!!
When downloading files through a browser or receiving it through an email client, the file is "tainted" with a zone identifier that indicates that the file has been received from the Internet.
When an Office app opens a tainted file, it drops to run in a process with a restricted token in "low integrity" mode. I.e. the process itself is prevented from writing anywhere on the system (except some cache locations). Yes, it's running in a sandbox. Note that the restricted token is created *before* the process starts - it's not like a *nix SUID root process that must drop itself. If the user chooses to "elevate", PowerPoint restarts in a new process with the current user token instead of the restricted token.
So, if you have Office 2010 or later you should be protected against this.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Monday June 12, 2017
I now no longer reply to AC posts. 2017/06/04
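The "taint" the comment above describes is concrete enough to inspect directly, which is useful when checking whether an attachment will actually land in Protected View. The following is an added example written for this page, not code from the commenter or from Microsoft. It assumes the Zone.Identifier alternate data stream carries an INI-style `[ZoneTransfer]` section with `ZoneId` and optional `ReferrerUrl`/`HostUrl` keys, and that Office 2010 and later apply Protected View to zone 3 (Internet) and zone 4 (Restricted sites); the sample stream contents are constructed, and `parse_zone_identifier`, `opens_in_protected_view` and `read_zone_identifier` are names this example defines.

```python
"""Decode the Mark-of-the-Web taint that decides whether Office opens a
downloaded file in Protected View.

Added example, not from the thread. Assumptions: on NTFS the taint is an
alternate data stream named Zone.Identifier holding an INI-style
[ZoneTransfer] section (ZoneId plus optional ReferrerUrl / HostUrl), and
Office 2010+ applies Protected View to zone 3 (Internet) and 4 (Restricted).
"""
import configparser
import sys

ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}
PROTECTED_VIEW_ZONES = {3, 4}  # assumption: default Office Protected View policy

# Constructed stream contents, the shape a browser or mail client download
# leaves behind. Not captured from a real machine.
SAMPLE_INTERNET = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://mail.example.invalid/\r\n"
    "HostUrl=https://mail.example.invalid/attachments/invoice.pptx\r\n"
)
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"


def parse_zone_identifier(text):
    """Return {'zone_id', 'zone', 'referrer', 'host'} or None if no taint."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep ZoneId / ReferrerUrl casing as written
    try:
        cp.read_string(text)
    except configparser.Error:
        return None  # not a ZoneTransfer stream at all
    if not cp.has_option("ZoneTransfer", "ZoneId"):
        return None
    sec = cp["ZoneTransfer"]
    try:
        zone_id = int(sec["ZoneId"])
    except ValueError:
        return None
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "unknown"),
        "referrer": sec.get("ReferrerUrl"),
        "host": sec.get("HostUrl"),
    }


def opens_in_protected_view(info):
    """True when the taint should force Office into the restricted-token process."""
    return info is not None and info["zone_id"] in PROTECTED_VIEW_ZONES


def read_zone_identifier(path):
    """Windows/NTFS only: the stream is addressed as '<path>:Zone.Identifier'.
    Returns None when the file carries no taint (or the filesystem has no ADS)."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    # With no arguments, report on the constructed samples instead of real files.
    if sys.argv[1:]:
        items = [(p, read_zone_identifier(p) or "") for p in sys.argv[1:]]
    else:
        items = [("sample-internet", SAMPLE_INTERNET), ("sample-intranet", SAMPLE_INTRANET)]
    for label, stream in items:
        info = parse_zone_identifier(stream)
        if info is None:
            print(f"{label}: no Zone.Identifier taint (treated as local)")
        else:
            pv = "Protected View" if opens_in_protected_view(info) else "normal open"
            print(f"{label}: zone {info['zone_id']} ({info['zone']}) -> {pv}, host={info['host']}")
```

The practical caveat this makes visible: a file with no stream at all is treated as local, so the defence depends on the browser or mail client actually writing the taint when it saves the attachment. A file that reaches disk through a path that never sets Zone.Identifier opens without Protected View, however it was obtained.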
> Replies to AC post.
CLI paste? paste.pr0.tips!
I can make exceptions to my own rules... Also, you seem to be following me around lately, do you like me or something? Sorry, not interested.
So first you have to receive a suspicious email, then open a cryptic powerpoint claiming to be an invoice/order and then you have to hover over a "loading" notation? Seems like one of the more obvious examples of "this has to be malware" that I've ever seen, right up there with "download google secured document" pdfs. Everyone who has any experience with computers should know not to do at least one of the things required for this thing to infect your computer.
I can make exceptions to my own rules
Then it ain't rules.
you seem to be following me around
You wish. Are you lonely or something?
Rules, guidelines, whatever... why do you even care? Nothing better to do?
And I am continually amazed with statements such as "Microsoft stupidity". If MS is as stupid and as bad as the OS and App evangelicals claim how do you explain their dominance, success, and profitability? If their product line has been so obviously bad how did they achieve their success?
Well you need to look no further than this "feature". While the PowerPoint format (and Doc, and so on) can be understood by programs on other platforms (Keynote on Mac, LibreOffice on Linux, etc), tying macros to PowerShell which only exists on Windows makes sure that in the end, you will still need a Windows PC to open those documents properly.
A recent case relayed malware using your contact list and the subject "sad news". Who would not be tempted to read that piece of mail? More obvious attempts like a free Amazon coupon from a non-Amazon return address are easy to ignore.
The ability of Powerpoint to run an external executable file (in this case powershell) is a HUGE design flaw that has become a major source of malware distribution.
Sounds like how the entire web works - dozens of scripts that randomly execute when all you want to do is read some text. Given the constant stream of bugs in JS implementations (open sores), MS at least has superior runtimes.
Oh man, they got the aps guy.
Any one of us could be next!!!!
Oh, don't forget to allow powershell scripts to run.
No, like sabotaging a dominant office suite software through undocumented DOS API so that it would stop working and force users to switch to then stagnant Office.
...and how does this affect my PC running UNIX? Really? Not at all, you say? So... fake news?
Hurray for alarmist bullshit! You know what's even worse? Past PDF and DOC viruses that just needed you to open the file and not hover over anything.
Exactly... you must be stupid enough to open the e-mail, then open the PPT... but look... you do not need to click the hyperlink to get infected... Good Lord!!
Most malware attacks can be described based on platform and vector of attack. From what has been described here, I am going to guess (because it is not specified) that we are talking a Windows OS running on (likely) an x86/x86-64 architecture with some version of PowerPoint and PowerShell installed. The vector is a malicious file that you have to copy/download, open, and hover over. Ninety-nine percent of all malware is limited by platform just due to the nature of vulnerabilities and the code it takes to exploit them. And of that 99 percent, 95 percent (at least) targets one platform in particular (Windows on x86-64). Leaving out or downplaying these details would be like the Weather Channel using the New Orleans forecast to describe weather threats throughout the country.
And bundling of said office suite software for effectively free, resulting in an installed office suite that they then broke backwards compatibility with once the adoption rate was high enough, forcing a massive upgrade cycle. They succeeded.
Are any other companies monopolies and taking out the existing dominant players?
The question was regarding their dominance, success and profitability. Those are directly the result of the PAST leadership, not the current one, which has largely been coasting and making minor changes to wring yet more revenue out of the existing products.
I'll take that for a 'yes'. Sorry to hear it.
No, really just curious why you seem to have a hard-on for me recently. 30% of your posts for the past week have been replies to my comments.
Yes, I follow you around, and then I specifically reply to *your* comments. I rolled some dice to obtain the next uid to dedicate 30% of my comments last week to, and it was yours.
It absolutely can't be just coincidence, or the fact that I often don't bother commenting unless I stumble upon something outstandingly stupid, and you just happened to be a lot of that last week.
It's funny though how this shows how badly you want a little attention.
It's not just the past week, that's only how far back I felt like looking at your comment history. You go right on and think whatever you want about me, but my point was more that I don't want your attention. You have a tendency to not add anything to the conversation... and I do enjoy a good troll. You just aren't one.
think whatever you want about me
There's the issue. I don't think anything about you (*). I usually don't even look at the name of whoever I'm replying to. So you can stop right there.
(*) Of course, after *this* conversation, I'm convinced you're egocentric, obnoxious and pretty much what I'd put in the "idiot" drawer. But had you not pointed it out to me, I wouldn't even have known about you, nor about that fascinating 30% number. Speaking of "nothing better to do"...
> Comments on a reply to an AC, from someone with a sig stating that they don't reply to AC posts, to point out that they replied to an AC.
> Claims they don't look at usernames
Right-o, then.
> Misrepresents what was said to appear to have an argument
> Pulls it off ham-fistedly and only demonstrates massive reading comprehension issues.
Look out for big words like 'usually' and real long difficult phrases like 'of whoever I'm replying to'. If you need it spelled out, it was your *sig* I looked at, and made me check the pare--- how can you possibly need this explained?
If you think I find this any less entertaining than you do, you're mistaken. Just keep wasting your time arguing with me...
I don't think you find this entertaining, but I do see how pretending I'm trying to troll you is the only way to avoid confronting yourself with your own stupidity. Way to bullshit yourself.
Yeah, I'm so stupid that I'm able to live a damn fulfilling life working for myself. Sorry, too much happiness in my life to let you get to me, bro.
So fulfilling, you imagine being stalked on slashdot and start wading through my comments (I suppose the irony is lost on you here) to count how many are replies to yours.
You being happy I have absolutely no issues believing -- that's actually pretty common (see that other guy here with that "Happiness in intelligent people is the rarest thing I know" quote in his sig.). One might think it'd be depressing to be stupid, but (as seems to be the case with you too) stupid people tend to not realize they're stupid -- mainly due to being stupid. So there's nothing unsurmountable in the way on their way to happiness.
Yes, it's easier for you to believe I'm trying to troll you, but I really am not. I genuinely think you're genuinely stupid. Sorry.
So fulfilling, you imagine being stalked on slashdot and start wading through my comments (I suppose the irony is lost on you here) to count how many are replies to yours.
I wouldn't really say I waded through them, I didn't even get through the first page. Keep deluding yourself. I'm not the one who has nothing better to do than follow after people on the internet to tell them I think they're stupid.
About a million, part of those, include actually finding, buying/getting and installing a compatible powerpoint version!
0.0.0.0 cccn.nl
0.0.0.0 basisinkomen.nl
0.0.0.0 netart.pl
0.0.0.0 chnet.se
* Per source article http://blog.trendmicro.com/trendlabs-security-intelligence/mouseover-otlard-gootkit/
APK
P.S.=> For the best in hosts file based protection vs. this & other threats online (most use hostnames vs. IP addresses is why)? APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/