Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

PowerPoint 0-Day Points to Corporate Espionage 111

Rakesgate writes "A second Trojan used in the latest zero-day attack against Microsoft Office contains characteristics that pinpoint corporate espionage as the main motive, according to virus hunters tracking the threat. This eWeek story walks through the attack, which uses a tainted 18-slide PowerPoint file, a Trojan dropper, 2 Trojans and a server in China that is used to communicate with compromised machines." From the article: "'Once this type of attack is out, it's very unusual for it to be limited to just one company. I think it's safe to assume that it's ongoing, especially since there is no patch for this vulnerability,' Huger added. Microsoft plans to issue a patch on August 8 for users of Microsoft PowerPoint 2000, Microsoft PowerPoint 2002 and Microsoft PowerPoint 2003. In the meantime, anti-virus experts are urging Microsoft Office users to be on the lookout for suspicious attachments, even those that appear to come from colleagues internally."
This discussion has been archived. No new comments can be posted.

PowerPoint 0-Day Points to Corporate Espionage

Comments Filter:
  • by neonprimetime ( 528653 ) on Friday July 21, 2006 @11:01AM (#15756884) Homepage
    In the meantime, anti-virus experts are urging Microsoft Office users to be on the lookout for suspicious attachments, even those that appear to come from colleagues internally

    But what if you receive a Power Point presentation from your manager called "ReadThisOrYourFired.ppt"? It looks suspicious, but oh the dilema.
    • by Mr. Bad Example ( 31092 ) on Friday July 21, 2006 @11:03AM (#15756903) Homepage
      > But what if you receive a Power Point presentation from your
      > manager called "ReadThisOrYourFired.ppt"?

      I'd quit. I refuse to work for anyone who can't tell the difference between a possessive pronoun and a contraction.
    • Gotta be a scam. My boss CAN spell.

      And he'd write in German!
    • Re:Supsicious Files (Score:1, Informative)

      by Anonymous Coward
      But what if you receive a Power Point presentation from your manager called "ReadThisOrYourFired.ppt"?

      Open it in OpenOffice.org Impress.

      This is an example of why it's risky to use file formats that are only supported properly by a single application.

    • by WhiteWolf666 ( 145211 ) <sherwin AT amiran DOT us> on Friday July 21, 2006 @12:08PM (#15757530) Homepage Journal
      Simple. You're really not thinking like a PHB. Stop thinking like an engineer, and start thinking like a moron!

      You receive said PowerPoint. You immediately set out to install a special PowerPoint Viewing Cart, complete with portable generator, portable PC, portable projector, and portable screenbooth (think 4 Chinese folding wall screens with a roof). Even though you've created a special system to "isolate" your PowerPoints, you make sure it's got full network access via 802.11, with RW support on all shares, globally.

      If you can't build this setup by stealing the parts from a coworker's desk or the conference room, order them all. Better yet, setup an auction website where suppliers can bid on the various parts of your setup. You, of course, send money before you receive product; after all, you've gotten the lowest cost option, so you can risk the capital.

      Then, watch said PowerPoint on the PowerPoint Viewing Cart. Proceed to tell boss that you thought this high priority PowerPoint was, indeed, from him, and that since it blew away the PowerPoint Viewing Cart, you now need to spend the rest of the week repairing it. If he asks you why you are repairing it, make sure to make it clear that you want him to be able to view the high priority PowerPoint he had just received, "ReadThisNowOrYourStockOptionsWillExpire.ppt" . Explain to him the virtues of private viewing environment, portable generator, and dolby surround sound.

      Voila! Much like any MSCE, you've turned a Microsoft Product into a never ending source of contract work, all without quitting your day job.
  • by Linkiroth ( 952123 ) on Friday July 21, 2006 @11:02AM (#15756890)
    "Symantec's Huger said the sophisticated nature of the attacks suggest it is the work or well-organized criminals associated with industrial espionage." Now, now, Symantec. Everyone who's seen any 007 movie knows. It's not the criminals that are taking down the evil corporation... ...it's the british. ::walks off, whistling James Bond theme::
  • August 8? (Score:2, Interesting)

    Who wants to take bets that someone will have a patch out there before MS does, much like with the WMF flaw? [com.com]

    How many more machines have to be compromised before users begin to take matters into their own hands?

    The arrogance of MS is astounding. And don't say it's because of testing.
    • Re:August 8? (Score:3, Interesting)

      by evil agent ( 918566 )
      Testing is a big reason. But the bigger reason is unmaintainable code.
    • How many more machines have to be compromised before users begin to take matters into their own hands?

      The arrogance of MS is astounding. And don't say it's because of testing.


      In the words of Paul Thurrott, "Ah well."
    • Doubtful. The WMF flaw was a bigger threat, as far as those affected. I also imagine that the WMF flaw got a lot more press than this one. Those two resons combined made it a high profile patch for someone to show off and crank one out before MS.
    • Re:August 8? (Score:5, Informative)

      by andrewman327 ( 635952 ) on Friday July 21, 2006 @11:26AM (#15757128) Homepage Journal
      So do you think that OpenOffice has similar flaws waiting to be exploited? Does that program provide true security or security through obscurity?
    • Re:August 8? (Score:4, Interesting)

      by Opportunist ( 166417 ) on Friday July 21, 2006 @11:33AM (#15757186)
      The WMF Exploit was not targeted. It was sold as a roll-your-own-spreader kit and a lot of people used it to spray their own malware over the net. It was a threat to the net community at large.

      The office exploits (not only this one, but also its predecessors that targeted Excel and Word) are carefully crafted, targeted attacks against very specifically selected companies. It's even for AV companies not an easy task to get a hold of some of these malware products, so it is very, very unlikely that we'll see a sizable spread to the wild any time soon (at least before the next patchday). Of the various Office-Overflow-Exploits, I only know of a Word variant that had any remotely relevant in the wild spread.

      Doesn't warrant writing your own patch code. Especially with StarOffice being a very handy replacement to the problem.
  • by bigtimepie ( 947401 ) on Friday July 21, 2006 @11:06AM (#15756939)
    lookout for suspicious attachments, even those that appear to come from colleagues internally
    Sorry, Boss, I never got those reports... the IT guy told me I shouldn't open attachments until the new MS patch is out!
  • MS, grrr (Score:5, Interesting)

    by joe 155 ( 937621 ) on Friday July 21, 2006 @11:11AM (#15756984) Journal
    I understand that some people like getting their patches every first tuesday of the month, but why force everyone to wait until the 8th. Why not let those people who are willing to risk the very small possibility of a problem caused by the patch but don't want to take the serious risk of their system getting cained by some black hat in China get the patch when they want it?... especially home users for whom a patch would pose very little problem even if it was badly written
    • Re:MS, grrr (Score:1, Flamebait)

      by Nutria ( 679911 )
      especially home users for whom a patch would pose very little problem even if it was badly written

      That's just about the dumbest thing I've ever read on Slashdot.

    • why force everyone to wait until the 8th.

      The theory is that once the patch is out, crackers will reverse engineer it to make new exploits, increasing the security risk for other companies.

      It also gives Microsoft a good excuse to be slow to patch, but that's just my own personal theory. ;)
    • Re:MS, grrr (Score:2, Funny)

      by Anonymous Coward
      I understand that some people like getting their patches every first tuesday of the month, but why force everyone to wait until the 8th.

      If you're waiting until the 8th Tuesday of the month for your patches, you'll be waiting a long time.
  • Chinese Firewalls (Score:3, Interesting)

    by ArcherB ( 796902 ) on Friday July 21, 2006 @11:11AM (#15756988) Journal
    Why can't the Chinese set up thier firewalls block this kind sh*t?

    • by MarkByers ( 770551 ) on Friday July 21, 2006 @11:22AM (#15757081) Homepage Journal
      Why can't the Chinese set up thier firewalls block this kind sh*t?

      That's a ridiculous suggestion. It's not the job of the Chinese government to monitor all traffic going in and out of China.

      Oh wait..
    • by vishbar ( 862440 )
      [Puts on tin foil hat]

      Sometimes I'm suspicious of the Chinese government..well, actually, ALL the time I'm suspicious of the Chinese government. They call it corporate espionage...what if it's just...well...regular espionage by a curious Communist nation?

      Of course, this is complete tin foil hat speculation with no good evidence to back it up, but the suspicion still rests in the back of my mind.
      • by ArcherB ( 796902 )
        In a communist country, all business is owned and controlled by the government. So corporate espianage is government spying. (insert mother russia joke here).

        So, put your tin-foil hat back on. It is warranted.
    • Try again...you are asking the wrong question.

      Won't may be more appropriate. Why would our 'enemy' and largest competitor want to stop themselves from stealing our secrets?
      • Enemy? (Score:2, Troll)

        by MarkByers ( 770551 )
        Enemy? Just because China is becoming a powerful nation doesn't mean you have to neutralize them before they overtake you. If America can be a powerful nation without fucking up the rest of the world, I'm sure China can do it too. Probably they'd do it a lot better actually. Stop killing everyone and try to learn how to get on with the people around you, even though they may be different to you.
        • If America can be a powerful nation without fucking up the rest of the world, I'm sure China can do it too.

          What planet is this America on? The one I live in did fuck up the rest of the world to become a powerful nation, and continues to do so in order to retain that power.

          Read your history books.
          • What planet is this America on? The one I live in did fuck up the rest of the world to become a powerful nation, and continues to do so in order to retain that power.

            Read your history books.


            Yeah, I studied history. We sure did fuck those poor civilians in Berlin when we dropped all that food on them during that Berlin Airlift thingie. And stopping the Nazis sure did fuck the world up. Ousting that Milosivich guy because he was raping and killing Muslims... I mean, how is that any of our business? You do
            • Actually, I was referring to things like the Phillipine-American war, where U.S. attacks into the countryside often included scorched earth campaigns where entire villages were burned and destroyed, torture (water cure) and the concentration of civilians into "protected zones" (concentration camps). Many American officers and soldiers called this war a "nigger killing business". Or, you know, how the Americans raped and killed the NATIVE Americans who our forefathers stole our land from. Maybe your forget
              • I'm tempted to add all South American incidents, but I don't have all night. GP should read up on, dunno, Chile, Nicaragua, Cuba, United Fruit Company, ...
                Oh, politics on /. (and I always thought _our schools are bad)
        • Ok...I will bite this once
          Enemy...as in because through your close minded hate for America you forget that China's treatment of their people is an order of magnitude worse. Here we worry bout the government trying to make spying legal...there they worry about watching their family murdered in front of them if they even mutter a word against the government spying on them. Lets be realistic please. Unless you are Chinese and part of the in group...you are pretty much china's enemy. Enemy also doesn't mea
    • Let's see... Malware writers invest time to infiltrate companies in the so called "free world" to deposit payloads that drop keyloggers and password gatherers that send info towards servers standing in China...

      Nope, can't see a reason why the Chinese government would not block that...
    • Because then patching a severe 0day exploit would take 5 weeks Regular-Government-Time instead of the regualar 3 weeks.
    • Why can't the Chinese set up thier firewalls block this kind sh*t?

      Who says this isn't the Chinese government sending out the PPT files?
  • Click ME! (Score:3, Funny)

    by digitaldc ( 879047 ) * on Friday July 21, 2006 @11:14AM (#15757015)
    • Subject: Click on this attachment, and all your wildest dreams will come true.


    Well, it worked for Napoleon Dynamite....."CLICK"

    ----->BSOD: All Your Assets Are Belong To Us!
  • "Sombody needs to tell the Chinese to stop doing this shit..."
  • OpenOffice.org wants YOU !
  • by panaceaa ( 205396 ) on Friday July 21, 2006 @11:19AM (#15757052) Homepage Journal
    Is corporate espionage actually valuable? I'm currently working at Adobe, and development plans are pretty widely discussed amongst employees. If something were to leak, I'm not sure what the value of it would be. The only real data points that are heavily protected are financial results and projections, and the product release dates that those rely on. But I'm pretty sure those are only protected for Wall Street purposes.

    What kind of data do corporate spies hope to obtain? Would that data be actionable -- e.g, could a company come up with a competing product and be first to market if another company's already half way there?
    • by toybuilder ( 161045 ) on Friday July 21, 2006 @11:24AM (#15757095)
      Corporate espionage can include things like customer and vendor lists, and product pricing details. And, many companies are quite secretive about their leading edge R&D.
    • by ikandi ( 699246 )
      Not for Adobe competitors - there aren't any.
      • Don't be silly :). I really can't talk about competitors openly, but you needn't look much farther than the Microsoft Expression [microsoft.com] suite to see there's competition. Almost every Adobe product has competitors.

        • Almost every Adobe product has competitors.

          Yes, and Microsoft Windows and Office has competitors, but in the broad view of things, those competitors don't seem very relevant. I mean, for vector graphics, it would seem that there is only one real choice, and that's Illustrator. Indesign has competitors but in many respects, the markets for those are different. For raster images, Photoshop seems to be the only product in its class, other image programs exist but either have a different focus, a different
    • by Angostura ( 703910 ) on Friday July 21, 2006 @11:31AM (#15757162)
      So you knew about the Macromedia buyout how many weeks in advance?
      • Valid point :). But again, that has a lot to do with the stock market. I think a better argument is toybuilders' -- Channel operations, distribution channels, and suppliers are definitely ripe for competitive challenges. A down-to-earth example is eBay Powersellers, who tightly guard their inventory suppliers since someone could easily come in, buy from the same supplier, sell for a slightly lower amount, and steal the entire market.

        So after reading the points of you two, I realize there's a lot more to
    • by Renraku ( 518261 ) on Friday July 21, 2006 @01:32PM (#15758310) Homepage
      You know that the chinese can make 90% accurate ripoffs of expensive-but-cheap items like Oakleys, rolexes, etc..you know how? Espionage. Most of the time those near-perfecto replicas come from a Chinese factory that got ahold of the plans and/or schematics for a device.

      The Chinese could manufacture a PS2 controller for like $5 if they wanted. Perfect replica of the official Sony one, down to the markings and logos.
    • Is corporate espionage actually valuable?

      Depends on how you define espionage. There's the obvious, like a compeditor stealing trade secrets, customer lists, et. al. .

      If a compeditor knows who your customers are, and how much they're paying, their sales guys can target them with sales pitches designed to undercut your price. Even better if the compeditor had a list of, say, all help desk tickets for one of your products. Then they'd also know just what your customers didn't like about your product, and co

      • During the tests the British Challenger tanks had difficulty with navigation and were unable to work out exactly where they were. The British use the satellite global positioning system, GPS, for navigation, whilst the French had no such problems with their navigation.

        The Americans also claimed that their navigation suffered difficulty and it was later alleged that the French were covertly interfering with a GPS signal.


        Would you buy a tank whose GPS navigation can be interfered with by the French?
        • Would you buy a tank whose GPS navigation can be interfered with by the French?


          [humor]
          So... are you saying the French were providing a public service by jamming GPS signals?
          [/humor]

          As point of fact, the Greek government didn't... but they didn't buy the French tank either. They went with the German one, which either doesn't use GPS or ( unlikely ) wasn't affected by the jamming.
          • In an actual war, one's opponents might try to interfere with GPS navigation, so perhaps one should consider that when buying tanks. As you said, the German (Leopards) weren't affected.
    • Is corporate espionage actually valuable? ... development plans are pretty widely discussed amongst employees. If something were to leak, I'm not sure what the value of it would be. The only real data points that are heavily protected are financial results and projections, and the product release dates that those rely on. But I'm pretty sure those are only protected for Wall Street purposes.

      What kind of data do corporate spies hope to obtain? Would that data be actionable -- e.g, could a company come up wit
    • I work in Oil and Gas, I'm a finance guy who does M&A. We've got a LOT of assets out there. Everything we own falls into the following categories. 1. Assets we are trying to sell 2. Assets, we'll sell for the right price 3. Assets, we are not trying to sell 4. Assets, we will not sell For category 1. there is a directory that has the data on these assets. We've got our "sales strategy" as to if we will use auction, private sale etc. and the price we want to get for these assets and the lowest pr
    • The financial stuff is great, even if only used as financial info. There is this thing called the stock market, where advance knowledge can be translated into a SHITLOAD of money...

      Then, since this is the Chinese:

      Purchase orders for submarine parts may reveal designs.
      Ripping off Apple is easier if you know in advance.
      Future hacking may be easier if you can swipe some source code.
      A list of employees at a defense contractor helps with social engineering.
  • by the_rajah ( 749499 ) * on Friday July 21, 2006 @11:20AM (#15757065) Homepage
    I'm still using Office 97.
  • In a situation like this? Assuming the exploit isn't looking to just get the text of the Powerpoint, but somehow index your machine. Dropping powerpoint in a seperate vm, once there is a known exploit like this would be sure to "partition" your HD would it not? while not an optimal solution, it seems to be a possible short term one.
    • Just astounded what would people do just so that they won't have to work with the Linux/OSS nightmare...
    • If you are exploited on a VM, I doubt it's altogether different from being exploited on a host. The only real positive thing is at least you don't have to worry about the host being exploited. The real question is how much valuable data are you leaving in the VM?
    • VMs don't share the "real" hard drive with the host OS. There is just a file on the host that represents their hard drive. If the virus wants to partion it, hey, it's just bits in a file.

      Yes, virus and spyware researchers use VMs all the time. They keep a disk image of a known clean machine. When a new suspicious program comes along, they copy their disk image, boot it up, run the virus program, and look for the deltas. It's much easier than keeping a "clean-room" PC around and reghosting the disk ev

  • ... have viewed the PPT presentation of Paul Allen's yacht, circulating a while back. Or other PPT things that get mailed around almost as often as the funny video clips we send each other.

    And this is not a virus: I choose to send these to my friends :-(

  • Word, Excel, IE, PowerPoint, OE, Windows itself.

    I'm now preparing for the 0-day notepad exploit...
  • Seems they've got reason to worry [popularmechanics.com] after all. The "we all do it" argument is bullshit. China's government is notorious for economic espionage and many of its corporations, probably most, are owned by military officers or the military as an organization. The fears about China are grounded in reality.
    • America's government is notorious for economic espionage and many of its corporations, probably most, are controlled/owned by military officers or the military as an organization. The fears about America are grounded in reality.

      Oh, wait, did I copy that wrong? I was just thining about all the silly IP laws the USA tries to export and companies like Lockheed Martin, General Dynamics, Diebold, Blackwater, Haliburton...
    • If I were the China government and I wanted to carry out some industrial espionage, I will choose a server in India, Taiwan, or wherever not within my jurisdiction to relay the traffic. No one will be that stupid to use their own machine for serious operation, esp with this sort of sophisticated zero-date crack.

      If you look up 8800.org (the one that the powerpoint crack sends keylog data to), you will know that it hosts free DNS forwarding service (excuse if my terminalogy is wrong). It provides the same
  • "Safe to assume" (Score:3, Interesting)

    by kripkenstein ( 913150 ) on Friday July 21, 2006 @12:06PM (#15757502) Homepage
    TFA says:

    Once this type of attack is out, it's very unusual for it to be limited to just one company. I think it's safe to assume that it's ongoing.

    Me, I think it's safe to assume there are 10 undiscovered corporate espionage trojans out there for every one we hear about. Scary.
  • by db32 ( 862117 )
    Is this really considered a 0 day anymore? I mean...its a 0 day exploit on day 0. We are kind of past that now aren't we?
    • Re:0 Day? (Score:1, Informative)

      by Anonymous Coward
      It's a 0 day exploit as long as their is no fix. If there is a fix that was released 3 days ago, it's a 3 day exploit. The time period is supposed to indicate how much time people have had to update and patch the broken software.
      • Re:0 Day? (Score:3, Interesting)

        by LocalH ( 28506 )
        That's not the original use of 0-day. It came from the warez scene, and indicated warez that took "0 days" from retail release to get a cracked version out - generally acquired from an inside source and cracked before retail release.
  • "Symantec's Huger said the sophisticated nature of the attacks suggest it is the work or well-organized criminals associated with industrial espionage."

    Fortunately Symantec is coming up with several ways to protect and save us from this nefarious criminal underground. Sorry Symantec, but my suspicion alert level is glowing bright red.

    I don't recall the last time my machine was infected by software that another piece of software could actually do something about it (e.g. virus, trojan, etc). Mostly its
    • Have you ever tried to sell something that was of marginal-to-dubious value to begin with? If you don't have some kind of dramatic scare tactics, you won't sell a thing. And you can't have scare tactics without a few scares.

      I've run a hardware firewall ever since I got high speed net access. The only spyware I ever got was from a CD-ROM Borland game in 1998 just as the ideas for spyware were being developed. And I've never gotten a virus at home (laptop users at work are a different nightmare.) "Not

  • Is this trojan a problem for the OOo program Impress?
  • It sends the stolen information to a computer in China?

    Does this mean if you make sure your slides all have the magic word in white on white in them somewhere, they'll get gobbled by the People's Great Firewall and the perps won't get your data?
    • For all our new TOP SECRET programs, we must pick suitable codewords.

      Transmit by DEMOCRACY channels only!
      For FALUNG GONG usage only!
      Authorized for TAIWAN program only!
      Access restricted to FREE TIBET personnel only!

  • I asked a few folks I work with back when the last (actually, the last before the last, the Word 0-day) exploit came out, whether it was feasible in a corporate environment to configure servers to strip attachments from any email where the mail (and the attachment) are not signed by a recognizable, valid cert.

    Obviously, this requires a PKI of some sort, but for those companies which already do, it seems this would be a simple, easy way to virtually eliminate the possibility of outside trojans / viruses / wh

Heisengberg might have been here.

Working...