• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Malware   »   Malicious PowerPoint File Contains Exploit, Drops Backdoor

Malicious PowerPoint File Contains Exploit, Drops Backdoor

  • Posted on:June 3, 2012 at 10:22 pm
  • Posted in:Malware, Vulnerabilities
  • Author:
    Cris Pantanilla (Threat Response Engineer)
0

We discovered a malicious MS PowerPoint document that arrives via an attached file attached to specific email messages. The file contains an embedded Flash file, which exploits a software bug found in specific versions of Flash Player (CVE-2011-0611) to drop a backdoor onto users’ systems.

Users who open the malicious  .PPT file triggers the shellcode within the Flash file that exploits CVE-2011-0611, and then drops “Winword.tmp” in the Temp folder. Simultaneously, it also drops a non-malicious PowerPoint presentation file “Powerpoint.pps”, tricking users into thinking that the malicious file is just your average presentation file. Based on our analysis, “Winword.tmp” is a backdoor that connects to remote sites to communicate with a possible malicious user. It is also capable of downloading and executing other malware leaving infected systems susceptible to other, more menacing threats such as data stealing malware.

Trend Micro detects the malicious PowerPoint file as TROJ_PPDROP.EVL and the dropped backdoor file as BKDR_SIMBOT.EVL. Reports, as well as our own analysis, confirmed that this kind of malware has been used for targeted attacks in the past.

Recent threats are no longer limited to malicious files disguised as ordinary binaries (such as .EXE file) attached to emails. These specially crafted files can be embedded in commonly used files such as PDF, DOC, PPT or XLS files. In this particular scenario, users are unaware of the attack since TROJ_PPDROP.EVL also displays a non-malicious PowerPoint file to serve as a decoy.

Reliable Vulnerabilities: Effective Infection Gateways

This case also shows that cybercriminals are continuously taking advantage of previously reported vulnerabilities in popular software such as MS Office applications, Flash etc. In a previous blog entry, we uncovered that old and reported software bugs such as CVE-2010-3333 and CVE-2012-0158 are still being exploited by attackers. This finding highlights two things. First, exploits created for reliable vulnerabilities remain effective cybercriminal tools. Second, most users do not regularly update their systems’ with the latest security patch, which explains why attackers are continuously exploiting these bugs.

Trend Micro protects users from this threat via Smart Network Protection™, which blocks the related email and URLs and detects TROJ_PPDROP.EVL and BKDR_SIMBOT.EVL. In this new era where simple documents can lead to information theft, users should be extra cautious before downloading files from email messages, especially those from unknown senders. Users should also regularly keep their systems updated with the latest security patch.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»

Security Predictions for 2020

  • Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.
    Read our security predictions for 2020.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
  • August Patch Tuesday Fixes Critical IE, Important Windows Vulnerabilities Exploited in the Wild
  • Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

Popular Posts

Sorry. No data so far.

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.