By Robert Vamosi
Special to ZDNet
Published on ZDNet News
July 25, 2006
Commentary -- Somewhere--perhaps in the United States, but more
likely, somewhere in China--a man walks out of a nondescript building,
casts his eyes upon the urban landscape around him after spending an
eight-hour day staring at a computer screen, and lights a cigarette.
He does not know his bosses by name or by face; he knows only that he
is paid, and paid pretty well, for his research. Like a legitimate
computer-security researcher, he uses automated testing tools against
Microsoft Office software, probing for buffer overflows, pointer
errors or negative integers in Word, Excel and PowerPoint. Unlike a
legitimate security professional, he does not report what he finds to
Instead, either he or his bosses will use this information for
corporate espionage, to create what's called a zero-day attack, using
targeted Trojan horses that exploit an unpublished flaw. Worse,
they'll wait until after Microsoft publishes its latest patches on the
second Tuesday of the month. They'll release their attacks the day
after, when everyone's distracted by the new patches--a day we'll call
Patch Tuesday under attack
Just a few years ago, Microsoft would, out of the blue, announce a
handful of patches, some critical, some not. The problem is--well,
there are many problems.
First, Microsoft found it hard to inform everyone of the critical
nature of the more serious vulnerabilities, especially if the
announcement went out on Friday afternoon at 3 p.m. Worse, say someone
did notice and hurriedly applied the patch, only to find on Saturday
morning that it broke some functionality somewhere else in the system.
Who would pay the overtime?
So--for the last two years, with only minor exceptions--Microsoft has
announced its patches on the second Tuesday of each month. System
administrators plan on it, and the general public has come to expect
it. On rare occasions, Microsoft has reissued a patch or two.
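The column's timeline hinges on the second Tuesday of each month and on the day right after it, when the targeted attacks it describes were released. The small calculator below is an added example, not part of the original column, that computes those two dates for a given month or for a whole year so a patch or monitoring schedule can be planned around them; the function names and the use of Python's standard `datetime` module are my choices, not anything the column specifies.

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1

def second_tuesday(year: int, month: int) -> date:
    """Return Microsoft's regular patch day: the second Tuesday of the month."""
    first = date(year, month, 1)
    # Days to add to reach the first Tuesday (0 when the 1st is already a Tuesday).
    offset = (TUESDAY - first.weekday()) % 7
    return first + timedelta(days=offset + 7)

def day_after_patch(year: int, month: int) -> date:
    """The day after Patch Tuesday: when the column says targeted zero-day
    Trojans were released, and a sensible date for heightened attachment
    screening and antivirus signature updates."""
    return second_tuesday(year, month) + timedelta(days=1)

def patch_cycle(year: int) -> list[tuple[date, date]]:
    """(Patch Tuesday, day after) pairs for every month of the year."""
    return [(second_tuesday(year, m), day_after_patch(year, m)) for m in range(1, 13)]

if __name__ == "__main__":
    # The 2006 cycle the column refers to (May, June, July and the next one in August).
    for patch_day, next_day in patch_cycle(2006):
        print(f"patch {patch_day:%Y-%m-%d}  watch attachments closely from {next_day:%Y-%m-%d}")
```

Feed it the current year to get a schedule rather than a history; the August 2006 entry it prints is the Aug. 8 date the column cites for the pending PowerPoint fix.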
But software vulnerabilities don't follow timetables. In May, the day
after Microsoft released three updates, someone released a Trojan
horse based on a previously unknown flaw (also known as a "zero-day"
flaw) in Microsoft Word; Microsoft patched this in MS06-027. In June,
after Microsoft patched 21 individual vulnerabilities, there was a
zero-day attack on Excel files; Microsoft patched this in MS06-037.
And now, in July, after Microsoft patched 18 flaws, someone has
released a zero-day attack on PowerPoint files. Microsoft says it'll
patch this flaw on the next Patch Tuesday. However, within the last
few days, we've seen at least three distinct backdoor Trojans using
the PowerPoint flaws, with more Trojans possible before Aug. 8 this
Should home users worry? Not yet. These PowerPoint Trojans are not
broadcast scattershot across the Internet like the large-scale virus
attacks we've all grown to expect during the summer. Instead, these
Trojans are targeted so that the victim companies won't realize
they've been hit until after the fact. The bad guys are taking
advantage of the common practice of sending and receiving Office
files, making their poisoned e-mail look like legitimate interoffice
To do so, the bad guys have to be sophisticated; they have to be
organized. One uses Google to research target companies, perhaps
identifying legitimate e-mail groups within a target. Using a process
known as spear-phishing, a criminal hacker can fashion an internal
e-mail with subject lines like "Here are the Q1 sales figures," and
the e-mail might be sent to "sales team alpha" from "sales internal."
Someone receiving that e-mail wouldn't necessarily suspect the Excel
to be poisoned.
Meanwhile, another individual bad guy (or a group of others) looks for
unreported vulnerabilities. Not every vulnerability that's found can
be exploited, and not every exploit lends itself to the type of crime
that's profitable. Yet another person crafts a Trojan horse. And so
on. The current crop of PowerPoint Trojans has been broadcasting
captured keystrokes and other data to addresses within the 8800.org
domain, a Chinese Web hosting site, but that could easily be a dead
So is the solution not to open any e-mail attachments? Have the
villains finally won? No. Remember, the criminal hackers have been
sending these to targeted companies, so, unlike the situation with the
Melissa virus, interoffice Word documents, in general, ought to be
safe. Antivirus vendors, with their vast networks of reporting
desktops worldwide, are the ones discovering these corporate-espionage
Trojans. As long as your antivirus protection is up-to-date, you
should get protection within a few hours or days of a new zero-day
threat. As for the companies under attack, they need to be wary of
attachments and wait for Microsoft to patch these latest PowerPoint
Biography: Robert Vamosi is a senior editor for CNET Reviews.