New Malware Downloader Can Infect PCs Without A Mouse Click (engadget.com)
An anonymous reader quotes Engadget:
You think you're safe from malware since you never click suspicious-looking links, then somebody finds a way to infect your PC anyway. Security researchers have discovered that cybercriminals have recently started using a malware downloader that installs a banking Trojan on your computer even if you don't click anything. All it takes to trigger the download is to hover your mouse pointer over a hyperlink in a carrier PowerPoint file. According to researchers from Trend Micro and Dodge This Security, the technique was used by a recent spam email campaign targeting companies and organizations in Europe, the Middle East and Africa. The emails' subjects were mostly finance-related, such as "Invoice" and "Order #," with an attached PowerPoint presentation. The PowerPoint file has a single hyperlink in the center that says "Loading... please wait" that has an embedded malicious PowerShell script. When you hover your mouse pointer over the link, it executes the script.
Trend Micro writes that "while the numbers aren't impressive, it can also be construed as a dry run for future campaigns, given the technique's seeming novelty," adding "It wouldn't be far-fetched for other malware like ransomware to follow suit."
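The mechanism the story describes lives in the slide XML: a hyperlink element carries an `action="ppaction://program"` attribute and its relationship entry holds the command line to run. The script below is an added example, not code from Engadget, Trend Micro or the thread. It opens a .pptx as the OOXML zip it is, looks for `hlinkMouseOver` (hover) and `hlinkClick` elements with a program action, and reports the slide, the trigger, the link text and the command target so a defender can triage a suspicious attachment without opening it in PowerPoint. The two-slide deck it builds inline is constructed for the demonstration, with a placeholder in place of any real command, and is not a complete or openable presentation.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by PowerPoint slide parts and package relationships.
NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_P = "http://schemas.openxmlformats.org/presentationml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PR = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

# Hyperlink elements that may carry a "run a program" action. hlinkMouseOver
# fires on hover, which is the trigger the story describes.
TRIGGER_TAGS = {f"{{{NS_A}}}hlinkMouseOver": "hlinkMouseOver",
                f"{{{NS_A}}}hlinkClick": "hlinkClick"}


def _slide_rels(zf, slide_name):
    """Map rId -> Target for a slide's relationship part (ppt/slides/_rels/slideN.xml.rels)."""
    folder, base = slide_name.rsplit("/", 1)
    rels_name = f"{folder}/_rels/{base}.rels"
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {rel.get("Id"): rel.get("Target", "")
            for rel in root.iter(f"{{{NS_PR}}}Relationship")}


def _run_text(el, parents):
    """Visible text of the a:r run that owns a hyperlink element ("" if none)."""
    node = el
    while node is not None and node.tag != f"{{{NS_A}}}r":
        node = parents.get(node)
    if node is None:
        return ""
    t = node.find(f"{{{NS_A}}}t")
    return (t.text or "") if t is not None else ""


def find_program_actions(pptx_bytes):
    """Return every hyperlink action on any slide that asks PowerPoint to run a program."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            rels = _slide_rels(zf, name)
            root = ET.fromstring(zf.read(name))
            parents = {child: parent for parent in root.iter() for child in parent}
            for el in root.iter():
                trigger = TRIGGER_TAGS.get(el.tag)
                if trigger is None:
                    continue
                action = el.get("action", "")
                if not action.startswith("ppaction://program"):
                    continue  # ordinary web/slide links are not flagged
                findings.append({
                    "slide": name,
                    "trigger": trigger,
                    "action": action,
                    "target": rels.get(el.get(f"{{{NS_R}}}id"), ""),
                    "text": _run_text(el, parents),
                })
    return findings


def build_sample_pptx(include_hover=True):
    """Constructed two-slide fixture (not a real campaign file): slide 1 carries a
    mouseover program action with a placeholder command, slide 2 a plain web link."""
    hover = ('<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>'
             if include_hover else "")
    slide1 = f"""<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="{NS_P}" xmlns:a="{NS_A}" xmlns:r="{NS_R}"><p:cSld><p:spTree>
<p:sp><p:txBody><a:p><a:r><a:rPr lang="en-US">{hover}</a:rPr>
<a:t>Loading... please wait</a:t></a:r></a:p></p:txBody></p:sp>
</p:spTree></p:cSld></p:sld>"""
    rels1 = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{NS_PR}">
<Relationship Id="rId2" Type="{HYPERLINK_REL}" TargetMode="External"
 Target="powershell -Command CONSTRUCTED_PLACEHOLDER"/>
</Relationships>"""
    slide2 = f"""<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="{NS_P}" xmlns:a="{NS_A}" xmlns:r="{NS_R}"><p:cSld><p:spTree>
<p:sp><p:txBody><a:p><a:r><a:rPr lang="en-US"><a:hlinkClick r:id="rId2"/></a:rPr>
<a:t>Our website</a:t></a:r></a:p></p:txBody></p:sp>
</p:spTree></p:cSld></p:sld>"""
    rels2 = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{NS_PR}">
<Relationship Id="rId2" Type="{HYPERLINK_REL}" TargetMode="External"
 Target="https://example.com/"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide1)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels1)
        zf.writestr("ppt/slides/slide2.xml", slide2)
        zf.writestr("ppt/slides/_rels/slide2.xml.rels", rels2)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_program_actions(build_sample_pptx()):
        print(f"{hit['slide']}: {hit['trigger']} on {hit['text']!r} -> {hit['target']}")
```

Pointing `find_program_actions` at the bytes of a real attachment (`open(path, "rb").read()`) gives the same report; the function deliberately keys on the `ppaction://program` action rather than on the string "powershell", so a program action that launches any other interpreter is flagged too, while ordinary web and slide-jump links on the second slide stay silent.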
So, I receive a suspicious email, which I need to click on to open. That email contains a PowerPoint attachment, which I need to click on to open. Once done, I can be infected with a mouse-over rather than a click.
Zero-click malware. Meh.
The PowerPoint file has a single hyperlink in the center that says "Loading... please wait" that has an embedded malicious PowerShell script.
Sooo...the file opens itself without clicking, too? Or how exactly does that work?
Ezekiel 23:20
Opening suspicious files is still dangerous.
Who woulda thought?
As others have pointed out, this "no click" malware requires you to download and open a malicious PowerPoint file, and then hover over the link contained in the file before it can infect you.
If anything, this seems far LESS of a risk than many other attack vectors that also require opening malicious file attachments in email (usually the installer itself instead of a PowerPoint file).
That said, WTF PowerPoint? Who makes a mouseover capable of downloading and installing something? C'mon guys, how stupid do you have to be to allow this sort of behaviour in your file format?
Friends don't let friends install Microsoft Office.
Seriously - once you've got someone to open anything in MS Office, the scripting allowed in those formats means that few vulnerabilities are a very large surprise. That, and if you've ever had to work for a client that demands a large degree of Office interop or automation, you become acutely aware of how messy those formats have become over the years.
Don't get me wrong, in 'friendly' settings, it's got a nice set of features, and there's a reason that many folks allow their careers to be tied into it - but it's not a tool you want anything internet-related to connect to in any way, if you can help it. You're potentially handing over the keys to your computer when you open any of those formats from a potentially unfriendly source.
At least lock it behind a virtual system if you're going to open anything from the random internet.
Ryan Fenton
Meanwhile, the two biggest problems are ignored.
Problem 1 - User stupidity. You get an e-mail with a "finance-related" subject, such as 'Invoice' or 'Order #'. But there's a PowerPoint file attached. Since when are legitimate invoices sent as PowerPoint files?
Problem 2 - Microsoft stupidity. The ability of PowerPoint to run an external executable file (in this case PowerShell) is a HUGE design flaw that has become a major source of malware distribution.
Now I want to test it in preview through Outlook.
Learn to love Alaska
Every office worker? This is particularly nasty. You need one person to fall for it and stick the file on a SharePoint site or wherever. The rest is easy - people are conditioned to having to click the trust document button (or whatever it's called) every single time they open up an Office file. It's just a routine step in opening a file.
1... 2... 3. It takes three clicks to get to the center of a PowerPoint.
Smells like Windoze crap to me. Linux and BSD are the fixes for this.
Even after you open the PowerPoint and hover over the link, you will still be prompted with a scary prompt to Allow the WSF or JS(E) or VB(E) or ..., so you still have to click at least once.
If you're using an Office product older than Office 2010.
Since then you need to click "Enable" or "Enable All (not recommended)" on the security prompt to allow the script to run.
So yes, no clicks if you're using Office 2007 or earlier.
Seriously, you have to open the file AND hover over the link?
No
You have to open the file, hover over the link AND click the appropriate button on the Protected View security prompt.
I guess you could avoid the click by tabbing off the "Disable" button then using space or enter. Or if you have a touch screen you could tap one of the enable buttons.
But it is a fundamentally stupid idea. There is no need for it. So what if some users want it? Let them use a plug-in or other tool if they insist on automatically executing code received over the network.
And I am continually amazed with statements such as "Microsoft stupidity". If MS is as stupid and as bad as the OS and App evangelicals claim how do you explain their dominance, success, and profitability? If their product line has been so obviously bad how did they achieve their success?
You only need to look at some of the anti-monopolistic practices MS has been convicted of to answer your questions. For a couple of others, like Netscape, yeah, they pretty much screwed themselves.
The cesspool just got a check and balance.
In the real world, people do all kind of "inappropriate" things such as send invoices as ppt, xls, doc and docx, spreadsheets as pdf, ppt, etc.
In the real world, people are busy just trying to get their work done and dealing with clowns doing the wrong thing is just a speed bump.
I don't read your sig. Why are you reading mine?
Linux is, by default, more secure than the Windows OS used to be. Microsoft has come a long way with regards to security. Linux uses permissions, meaning that things like applications don't get installed without some effort on the part of the user. A user account is also limited in accessing files that it doesn't have ownership of. Things like system files cannot easily be modified by the user - unless the user makes a specific effort to do so. Windows didn't even have permissions for quite some time.
As always, the biggest security flaw is the operator. Microsoft has done a great deal to lock things down, but it still has to remain simple and familiar, while retaining backwards compatibility. They put things like warnings up, make the user confirm their choices, and even have a working permissions system. Well, that's what the various articles say, I haven't actually used a Windows PC since Vista. I am trusting they are honest. Either way, the user is probably just gonna click OKAY until they get the desired result.
"So long and thanks for all the fish."
As stated, I'd probably just delete it and send an email to the sender, asking them to submit their invoice again and asking that they do so in a sane format. If nothing else, in this case, it'd probably confirm that the person claimed to be the sender has no idea what the missive is actually about.
However, I'd not be even a little surprised to find out that someone has, for whatever reason, composed their invoice in PPT. And yes, yes I am near certain that I'd delete it and request a saner format. I am tempted to try to reason out why someone would opt to use PPT for that, but I am not sure I can. Plain text works, even.
"So long and thanks for all the fish."
"How many clicks does it take for those of us who do not own or use PowerPoint"
Exactly that.
"Security researchers have discovered that cybercriminals have recently started using a malware downloader that installs a banking Trojan to your computer"
Does it install into my computer or into my *Windows* system?
(once again)
I would imagine you could do the same with a Bash script instead of PowerShell, but no, this implementation uses PowerShell, which is a Windows thing.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
*That functionality is not a design defect. If it is a design defect than every single application object capable of invoking external scripts and executables are also design defects.*
The design defect is that it's not running them in a sandbox. It very well might be running them in a sandbox and the script uses a defect in the system to break out (most likely). Possibly that part links to the link preview functionality, since you need the action to sprout out from a mouse hover (if it didn't need that they would have done it that way).
BESIDES.. NO APPLICATION IS SUPPOSED TO BE DOWNLOADABLE FROM THE INTERNET AND EXECUTED WITHOUT ASKING THE USER. This is a clear defect in the product, since this is against MS policy of how Windows should run - you can't INTENTIONALLY download a program without it nagging about whether you really want to run it or not.
Furthermore, it is a design defect that breaks PPT functionality if you're supposed to be running those PS scripts to display content inside the PPT, since they are not available on all platforms that have MS-published PPT viewers.
I seriously doubt that in this case executing the script with the root rights is the intended effect.
Anyway, I know you're just trolling, because surely you would have personally used _some_ MS product, and why the fuck wouldn't you if they were successful because they're good.
world was created 5 seconds before this post as it is.
Monday June 12, 2017
I now no longer reply to AC posts. 2017/06/04
> Replies to AC post.
CLI paste? paste.pr0.tips!