Next Up: Office Exploits Reloaded
Friday April 3, 2009 at 1:43 am CST
Posted by Chen Yu and Shinsuke Honjo
We’ve just seen the Microsoft Excel 0-day attacks in February. Today, Microsoft published a new Security Advisory reporting a new unpatched vulnerability in Microsoft Office PowerPoint.
McAfee Avert Labs investigated and discovered multiple attacks in the field using the PowerPoint exploit. McAfee VirusScan products detect this threat as the Exploit-PPT.k trojan using the 5573 DATs, to be released on the same day.
As with most other document exploits, these PowerPoint files install malicious trojans in the background but display an innocent PowerPoint presentation to the victim as a deceptive measure. The following list shows a variety of malware files installed in these attacks:
- fssm32.exe: 428,032 bytes (Muster.c trojan)
- IEUpd.exe: 45,056 bytes (Muster.c trojan)
- setup.exe: 131,072 bytes (Muster.c trojan)
- PeerCM.exe: 80,666 bytes (Generic BackDoor.u trojan)
- ws2_42.dll: 106,740 bytes (Generic BackDoor.u trojan)
Some of these specially crafted exploits arrived as PowerPoint Show files with the “.pps” extension. Such files typically open in full-screen mode and hide the applications running on the desktop, such as system monitoring tools, that could give the victim a clue to the dodgy installation of trojans.
Please keep your DAT files up-to-date and refrain from opening any PowerPoint files from any untrusted sources until a patch is made available by the vendor. Where possible, verify with the sender to make sure what you get is what was intended.
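The advice above to hold PowerPoint files until a patch exists can be applied where mail is received. The following is an added example, not code from the original post or from McAfee: it flags attachments named as PowerPoint files and legacy Office (OLE2) content sent under another name. The function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Header of the OLE2 compound file format used by legacy .ppt/.pps files.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
PPT_EXTENSIONS = (".ppt", ".pot")

def risky_attachments(raw_message: bytes):
    """Return (filename, reason) pairs for attachments to hold for review."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        lowered = name.lower()
        if lowered.endswith(".pps"):
            findings.append((name, "PowerPoint Show, opens full screen"))
        elif lowered.endswith(PPT_EXTENSIONS):
            findings.append((name, "legacy PowerPoint file"))
        elif payload.startswith(OLE2_MAGIC):
            # The extension does not say PowerPoint, but the content is an
            # OLE2 container, so the name cannot be trusted on its own.
            findings.append((name, "OLE2 container under another name"))
    return findings

def build_sample() -> bytes:
    """Constructed message with harmless bytes, not a real exploit file."""
    msg = EmailMessage()
    msg["Subject"] = "Quarterly review"
    msg.set_content("Slides attached.")
    fake_ole = OLE2_MAGIC + b"\x00" * 24
    msg.add_attachment(fake_ole, maintype="application",
                       subtype="vnd.ms-powerpoint", filename="Agenda.PPS")
    msg.add_attachment(fake_ole, maintype="application",
                       subtype="octet-stream", filename="photo.jpg")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, reason in risky_attachments(build_sample()):
        print(f"HOLD {filename}: {reason}")
```

A hit here means "hold and verify with the sender", not "malicious": the check looks only at names and the container header, not at the exploit itself.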

April 3rd, 2009 at 06:24
Will the particular PPT/PPS files infect users who are running as standard users on XP? How about “power users” on XP Pro? How about Vista users? Now that we have two common MS OSes (soon to be three with the release of Windows 7) I’d like to know which versions are vulnerable as well as knowing whether or not I need to worry about my non-admin users. Few if any blog entries and VIL.NAI.COM reports include this info.
April 3rd, 2009 at 12:56
[...] Powerpoint – New Unpatched exploit being used in targeted attacks http://www.eweek.com/c/a/Security/Microsoft-Warns-of-Attacks-on-PowerPoint-Vulnerability-345397/ http://www.avertlabs.com/research/blog/index.php/2009/04/03/next-up-office-exploits-reloaded/ http://vil.nai.com/vil/content/v_154518.htm [...]
April 4th, 2009 at 16:06
[...] this moment we are aware of limited and targeted attacks.” However, the company McAfee has stated that it discovered multiple attacks using infected PowerPoint [...]
April 7th, 2009 at 06:19
[...] As a follow-up to my colleagues’ blog post about the newest Office exploits, here is an analysis of one of the Microsoft PowerPoint Zero-Day exploits that once again are used [...]