Site Network: | | Jongsma & Jongsma

Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at S?nnet Beskerming.

Username: | Password: Contact us to request an account

A PowerPoint 0-day and a Second Worm Targeting MS08-067

Microsoft has in recent days identified a new PowerPoint vulnerability that has been attacked in the wild prior to detection, and have also announced the discovery of another malware family attacking the same MS08-067 vulnerability that Conficker initially did.

For the PowerPoint vulnerability, use of the Microsoft Office Isolated Conversion Environment (MOICE) will help mitigate against attack, by converting existing binary office file formats into the XML format supported by recent versions of Office. Microsoft's write up (linked to above) demonstrates two examples of how the infected PowerPoint files might appear when first opened, as well as a description of some of the actions taken once an infected file is opened. Rather than using the MOICE, an alternative is to avoid PowerPoint files from untrusted sources or unexpected files from trusted sources.

The new worm family attacking MS08-067's vulnerability appear to have evolved from an older code base that previously was attacking MS06-040 and earlier vulnerabilities. What is different about this particular strain detected by Microsoft, is that the worm appears to have integrated some of the features in use by Conficker.

Apart from targeting the MS08-067 vulnerability, it also spreads via autorun, appearing very similar to how a Conficker infected device appears when connected to a system. Similar to Conficker, the worm downloads its worm payload via HTTP after initial infection, and uses a driver to patch the network layer to remove system outbound connection limits in Windows XP SP2.

Although the described added features are fairly generic, the particular grouping of them in worms attacking the same vulnerability is an interesting coincidence that could be worth some increased investigation. By being able to attach itself to the system to be loaded even in Safe Boot mode, it is going to make it harder than the average piece of malware to get rid of.

5 April 2009

Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis

Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.

Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.

Comments will soon be available for registered users.