Posts tagged ‘e-Crime’

New PowerPoint vulnerability gets exploited

Microsoft warns of a new, unpatched security vulnerability in PowerPoint. According to Microsoft's security advisory, PowerPoint 2000, 2002 and 2003 up to Service Pack 3 are affected, as is PowerPoint 2004 for Mac. Cyber criminals are currently abusing specially prepared documents to infect computers in companies. This is also how the so-called GhostNet started a few years ago.

The good news is that PowerPoint Viewer 2003 and 2007 as well as Office 2007 appear to be unaffected. If you receive PowerPoint presentations by mail, open them only with these versions. Either way, it is a good idea to first check whether you were expecting that presentation from exactly that sender and, if in doubt, to contact the sender and verify that he really sent the document.

As administrator of a company network you might want to set up a MOICE (Microsoft Office Isolated Conversion Environment) filter for incoming documents to sanitize them, so that they cannot trigger dangerous actions on the client PCs.

Dirk Knop
Technical Editor

Cryptors for sale, full service included

The underground economy is a strange place. Sometimes you stumble over offers which sound really good – from the malware writer's point of view. Recently we became aware of a German site selling a so-called cryptor which is supposed to make the interested buyer's malware undetectable for antivirus products.

When will they start with "buy one, get one free"? The underground economy is becoming increasingly service-orientated.


Such a cryptor adds its own decryption routine to an attacker's binary and encrypts the rest of it. This fools heuristic detections that search executable files for certain code snippets representing functions, for example requesting a network socket, performing file reads/writes, and so on. Signature detection can also be circumvented with a new cryptor version that slightly changes the encryption, though this means the malware author has to distribute a new binary.

Feature-wise the cryptor sounds very sophisticated: the coders promise sandbox detection as well as detection of virtual machines like VMware and Virtual PC – which is very simple; a beginning programmer can code that within 5 minutes. They also correct the PE headers of a Windows executable after patching it, which is otherwise an easy way to detect the cryptor. Additionally, they even did some quality assurance with some common bots and backdoors and guarantee their cryptor to work with those. The programmers also emphasize the ease of use of their crime-supporting-ware. In the corresponding forums, plenty of such tools are offered – accompanied by discussions of how to bypass certain antivirus solutions.

The price for this cryptor is very low, only 40 Euros. If you consider that you get between 1 and 20 US-$ for the data of a stolen credit card or a whole stolen identity, this is just peanuts. Also included in this price: a guarantee to get a new cryptor version, should yours be detected by some antivirus product. The underground is becoming increasingly service-orientated.

Because we are monitoring the scene, these cryptors pose no real threat, though. Most of the time they are quite trivial to detect, so purchasing them is a pure waste of money. Also think about this: can you trust someone who offers you something criminal to help you with your crime? Your banking data or credit card numbers are of a certain value to the cryptor seller, too…
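One reason such cryptors are trivial to detect is that an encrypted payload stands out inside an executable: its bytes look nearly uniformly random, while genuine code and data do not. The following Python script is an added example written for this post; it is not code from the original article or from any product. It parses the section table of a PE file and flags sections whose Shannon entropy is close to the 8 bits/byte maximum. Since no real malware sample belongs on this page, the script also constructs its own minimal PE image: a repetitive code-like `.text` section and a `.data` section filled from a seeded PRNG that stands in for a cryptor's encrypted body. The 7.0 bits/byte threshold, the section names and the constructed byte patterns are assumptions of the example.

```python
import math
import random
import struct
from collections import Counter

FILE_ALIGN = 512  # file alignment assumed for the constructed sample image


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Walk the PE section table and yield (name, raw_bytes) for each section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size  # section table follows the optional header
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        yield (name.rstrip(b"\0").decode("ascii", "replace"),
               image[raw_ptr:raw_ptr + raw_size])


def section_entropies(image: bytes) -> dict:
    """Map each section name to the entropy of its raw data."""
    return {name: round(shannon_entropy(data), 3) for name, data in pe_sections(image)}


def flag_encrypted_sections(image: bytes, threshold: float = 7.0) -> list:
    """Names of sections so close to random that they look encrypted or packed."""
    return [name for name, ent in section_entropies(image).items() if ent >= threshold]


def build_sample_pe(sections) -> bytes:
    """Construct a minimal, non-runnable PE image from (name, data) pairs.
    Only the header fields that pe_sections() reads are filled in meaningfully."""
    e_lfanew, opt_size = 64, 224
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    header_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = -(-header_len // FILE_ALIGN) * FILE_ALIGN  # round up to alignment
    raw_ptr = first_raw
    table, body = b"", b""
    for i, (name, data) in enumerate(sections):
        raw_size = -(-len(data) // FILE_ALIGN) * FILE_ALIGN
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                             0x1000 * (i + 1), raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    headers = dos_header + b"PE\0\0" + coff_header + b"\0" * opt_size + table
    return headers.ljust(first_raw, b"\0") + body


# Constructed sample (not a real binary): a repetitive x86-like prologue/epilogue
# pattern as .text, and PRNG output as .data to mimic a cryptor's encrypted payload.
STUB = bytes.fromhex("558bec83ec105356578b7d0833c05f5e5bc9c3")
PLAIN_TEXT = (STUB * (4096 // len(STUB) + 1))[:4096]
_rng = random.Random(1234)
ENCRYPTED_DATA = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_PE = build_sample_pe([(b".text", PLAIN_TEXT), (b".data", ENCRYPTED_DATA)])

if __name__ == "__main__":
    for name, ent in section_entropies(SAMPLE_PE).items():
        print(f"{name:8s} entropy={ent:.3f} bits/byte")
    print("suspicious sections:", flag_encrypted_sections(SAMPLE_PE))
```

Entropy alone is only a triage signal: legitimately compressed resources or signed installers also score high, and a cryptor can lower the score by padding or by a weaker encoding. In practice this heuristic is combined with checks on the small decryption stub itself and with the kind of PE header inconsistencies the post mentions.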

Dirk Knop
Technical Editor