NEWS FROM THE LAB - Monday, July 17, 2006

Exploit Wednesday Posted by Sean @ 10:27 GMT

Another Microsoft Office exploit, Bifrose.UZ, was discovered last week. It drops a backdoor using PowerPoint (PPT) files. The exploit was discovered after a limited number of people received e-mail with the PowerPoint file as an attachment.

So what's the deal with Microsoft Office and why the exploits? There were Word fixes in June, several Excel fixes were included in July's patches, and now there is a PowerPoint exploit that will need to be patched in August. See a pattern?

Hat Trick of Exploits

There's a growing trend here. We've been saying for some time that the lack of large virus outbreaks is evidence that the malware environment could be getting worse, not better. The bad guys want to make money, not attract attention. So as a malware author, if you want to target a few prominent companies for the purpose of industrial espionage, you design your exploit to attack them from within and then lie low. Spoofed e-mails are sent to company insiders and they, thinking it's just another document that they need to review, open it up and the backdoor gets installed.

The bad guys are taking advantage of three things:

The first is the patch cycle itself. These new exploits are being released just after the second Tuesday of each month, so that they stay unpatched for as long as possible before the next monthly patch release.

The second is the common day-to-day routine of receiving Office files. There haven't been any new macro viruses to speak of for some time and so Office files (doc/xml/ppt) easily pass through corporate firewalls and people don't think twice about clicking on them. This avenue of attack is currently under the radar and is not perceived as a danger by end users.

And the third advantage is that the companies exploited don't want to talk about it. They dread the negative publicity of being a victim of espionage. That's why the public doesn't know the name of last month's Excel exploit victim. Such secrecy may be keeping some of these exploits from being reported at all.