[conspire] (somewhat OT non-Linux security topic) New Powerpoint spam.

Rick Moen rick at linuxmafia.com
Sun Jun 25 21:01:06 PDT 2017


----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Sun, 25 Jun 2017 20:48:29 -0700
From: Rick Moen <rick at linuxmafia.com>
To: skeptic at linuxmafia.com
Subject: Re: [skeptic] New Powerpoint spam.

Quoting Scott Peterson (scottp4 at mindspring.com):

> For your amusement.
> 
> There's a new malware distribution going through Europe right now.
> 
> The attachment is a single page powerpoint screen.   If you click on
> the attachment (Yes, I know, Rick)  It brings up a screen that says
> loading.  That's all.
> 
> Anyway, moving the mouse over the word loading triggers a macro that
> downloads malware to your system.
> 
> https://nakedsecurity.sophos.com/2017/06/14/infection-by-mouseover-what-you-need-to-know-about-powerpoint-spam/

Thank you for posting that.  

What surprises me is that there are still Microsoft Office applications
that autoexecute embedded macros without warning just because the user
opens an application.  We went through this in the middle 1990s with the
'Concept', 'Melissa', 'Wazzu', 'PLDT'/'PLDT97'/'Laroux E', 'CAR', 'SGV',
'W2KM_PSD', 'Tripicate', 'Caligula', 'W97M.Marker', 'Shiver', and similar
MS-Office macros written in Visual BASIC for Applications and Object
Linking and Embedding v. 2.[1]  Seems like -- incredibly -- they didn't
learn from that embarrassing episode.

But... um... this isn't quite that simple.


As usual, the antimalware firms that make money off this stuff have
started giving the particular observer implementation names:
Troj/Agent-AWLL
Gen:Variant.Zusy.239115
(There are probably more.  Typically, each major antimalware firm has to
mark territory by giving the observed thing a name, and then they all
have to be cross-referenced.)

The Sophos article (semi-)clarifies:  If MS PowerPoint is invoked to
load a file from the Internet (e.g., it's in the MS-Windows Temporary
Internet Files directory), it automatically opens in 'Protected View'
mode in which 'most editing functions are disabled'.  

Well, actually I exaggerate:  Sophos doesn't actually explain that
(because it's not in their interest for customers to actually understand
security), but Microsoft Corporation does:
https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653

So, actually, by default, moving the mouse over the word loading does
_not_ trigger a macro that downloads malware into your system, contrary
to Sophos, Ltd's assertion.  The truth of the matter is that, in a very
1990s flashback scenario[2], upon opening the from-nobody-in-particular
PowerPoint file, the user sees this cautionary dialogue:

https://sophosnews.files.wordpress.com/2017/06/6-warning.png

If the user is a nitwit and chooses 'Enable' or (worse) 'Enable All',
then 'Protected View' mode terminates ('Enable All' disables it
prospectively, too), and the user is now free to take extremely
self-destructive measures like hovering over the word 'loading' and thus
implicitly running the JScript Encoded File (.jse) -- a Microsoft subset
of Javascript -- which then downloads a bunch of MS-Windows .exe files
that then, _if_ the user is dumb enough to routinely operate with Local
Administrator authority, replaces

c:\windows\system32\attrib.exe
c:\windows\system32\cmd.exe
c:\windows\system32\mstsc.exe

So, seriously, this is not what Sophos described.  It's a bit closer to
the old 'Albanian virus' joke.
https://www.reddit.com/r/funny/comments/3l65rp/albanian_virus/


Anyhow, here's a thought:  Gosh, how about using LibreOffice rather than
MS-Office, especially for all Internet-sourced materials?  The open
source LibreOffice suite maintains full MS-Office compatibility, except
that it has only partial ability to run VBA macros because -- guess
what? -- they didn't want to replicate Microsoft Corporation's hapless
mistakes.  Also, its carefully limited VBA compatibility feature (and
that of LibreOffice's predecessor Apache OpenOffice) is disabled by
default.

https://help.libreoffice.org/Common/Using_Microsoft_Office_and
https://wiki.openoffice.org/wiki/Documentation/FAQ/Macros/Can_I_use_my_Microsoft_Office_macros%3F
http://www.openoffice.org/press/statement-proof-of-concept-virus.html

 


[1] In the MS-Word and MS-Excel applications of the day (and, more
rarely, MS-PowerPoint), any application
with a VBA or OLE2 macro named AutoOpen (in .doc files) or Auto_Open (in
.xls files) was silently executed automatically and capable of doing a
great deal of harm -- but with an intended use in _templates_.
https://www.virusbulletin.com/virusbulletin/2015/06/throwback-thursday-macro-viruses-part-1-september-1999/
By the 2000s, newer MS-Office versions disabled autorunning of VBA/OLE2
macros by default, but still permitted users to enable that
functionality if they were really dumb, and some macro viruses to this
day successfully ask dumb users to do so.
https://nakedsecurity.sophos.com/2014/07/07/remember-macro-viruses-infected-word-and-excel-files-theyre-back/

[2] Prior to the newer MS-Office version starting with Office 2003, it
was common for network admins to go around frantically retrofitting
MS-Office 95, 98, and 2000 installations with a protective macro lodged
into the normal.dot or personal.xls (or other XLStart/* file) template
file for MS-Word and MS-Excel.  (Macro viruses always seek to lodge
themselves into the application's default template file so that they are
launched at all application startups thereafter, which will then let 
the macro virus modify every subsequent document/spreadsheet opened with
write access to put itself there, too.)   The protective macro disabled
AutoOpen / Auto_Open app functionality by default and instead sent up 
on-screen a warning dialogue to the user whenever such macros were
encountered (shown on
https://kb.cadzow.com.au/cadzow/details.aspx?ID=1376), permitting
opening the document _with_ macros or without, and recommending against
the former.  I had consulting clients where employees repeatedly set
macro viruses they received in the mail loose on file servers (into
documents they could write to), and, when questioned about why they did
the dumb thing, said 'I figured the macro was there for a purpose, so I
said yes.'



_______________________________________________
skeptic mailing list
skeptic at linuxmafia.com
http://linuxmafia.com/mailman/listinfo/skeptic
To reach the listadmin, mail rick at linuxmafia.com 

----- End forwarded message -----
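The thread describes a mouse-over action on a slide that launches a program, and the Protected View / 'Enable' prompt as the only runtime guard against it. As a defender-side complement, here is an added illustration (not code from the original post, from Sophos, or from Microsoft) of how to triage a .pptx statically before anyone opens it: a .pptx is a zip of OOXML parts, slide text runs carry `<a:hlinkMouseOver>` / `<a:hlinkClick>` elements, and an `action="ppaction://program"` attribute means the linked relationship target is executed as a command rather than opened as a URL. The deck scanned below is constructed in memory for the example, and the command string in it is a placeholder, not anything from the campaign.

```python
"""Static triage of a .pptx for mouse-over / click actions that launch a program.

Added example for the mailing-list thread above; not code from the post,
Sophos or Microsoft.  Assumes only the public OOXML layout of a .pptx.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"


def _slide_rels(zf, slide_name):
    """Map relationship ids -> targets for one slide part (may be absent)."""
    folder, base = slide_name.rsplit("/", 1)
    rels_name = f"{folder}/_rels/{base}.rels"
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {rel.get("Id"): rel.get("Target")
            for rel in root.iter(f"{{{NS_REL}}}Relationship")}


def find_program_actions(pptx_bytes):
    """Return [(slide part, trigger element, command target)] for every
    hyperlink action whose action URI is ppaction://program.  Ordinary
    hyperlinks and slide-navigation actions (ppaction://hlinkshowjump...)
    are not reported."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            rels = _slide_rels(zf, name)
            root = ET.fromstring(zf.read(name))
            for trigger in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter(f"{{{NS_A}}}{trigger}"):
                    if not el.get("action", "").startswith("ppaction://program"):
                        continue
                    rid = el.get(f"{{{NS_R}}}id")
                    findings.append((name, trigger, rels.get(rid, "<unresolved>")))
    return findings


# --- constructed sample deck (illustration only, not a real malware sample) ---
SLIDE1_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"
       xmlns:a="{NS_A}" xmlns:r="{NS_R}">
  <p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r>
    <a:rPr lang="en-US">
      <a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>
    </a:rPr>
    <a:t>Loading...</a:t>
  </a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld>
</p:sld>"""

SLIDE1_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="PLACEHOLDER-DOWNLOADER-COMMAND" TargetMode="External"/>
</Relationships>"""

# A benign slide: a click action that merely jumps to the next slide.
SLIDE2_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"
       xmlns:a="{NS_A}" xmlns:r="{NS_R}">
  <p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r>
    <a:rPr lang="en-US">
      <a:hlinkClick r:id="" action="ppaction://hlinkshowjump?jump=nextslide"/>
    </a:rPr>
    <a:t>Next</a:t>
  </a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld>
</p:sld>"""


def build_sample_pptx():
    """Zip the constructed parts into a minimal .pptx-shaped archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", SLIDE1_XML)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", SLIDE1_RELS)
        zf.writestr("ppt/slides/slide2.xml", SLIDE2_XML)
    return buf.getvalue()


if __name__ == "__main__":
    for part, trigger, cmd in find_program_actions(build_sample_pptx()):
        print(f"{part}: {trigger} launches program: {cmd!r}")
```

To use it on a real attachment, pass the file's bytes to `find_program_actions`; any finding is grounds to quarantine the file regardless of what the command target looks like, since the parts of the campaign the thread describes (the downloaded .jse and the .exe files) only run after that action fires. Click actions are reported alongside mouse-over ones because both sit behind the same Protected View / 'Enable' gate.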
