Chinese Hackers Launch New Office Attack

Chinese Hackers Launch New Office Attack
Chinese Hackers Launch New Office Attack 

By Gregg Keizer
Dec 27, 2006

A Microsoft PowerPoint presentation circulating via e-mail is the latest 
example of a 2006 trend in which paid-for-hire Chinese hackers target 
Western businesses with malicious Office documents, a security 
researcher said Wednesday.

The newest threat, said Ken Dunham, director of VeriSign iDefense's 
rapid response team, hides within an apparently innocent PowerPoint 
slide show, "Christmas+Blessing-4.ppt," which is attached to an e-mail 
message. The PowerPoint file, which circulated sans exploits last year 
around Christmas, has been making the rounds since Sunday.

"The reality is that this is a very popular file," said Dunham, "and 
poorly detected by most antivirus scanners." However, some security 
companies, including F-Secure, have created signatures to sniff out the 

More important is that Christmas+Blessing-4 shares characteristics with 
the Office document-based attacks that began seven months ago. "This is 
very similar to other Office attacks from May and June," Dunham said. 
"It's a targeted attack, this time [against a company] in the public 
utility sector."

Other Office document exploits--which included ones leveraging zero-day 
vulnerabilities in Word, Excel, and PowerPoint--also were limited in 
scope. But that doesn't make them less dangerous, said Dunham. "This 
kind of attack will be one of the most concerning during 2007. It will 
be the one that keeps CEOs up at night."

Unlike those earlier attacks, Christmas+Blessing-4 is not a zero-day 
exploit taking advantage of a vulnerability that hasn't been fixed. "It 
doesn't work on fully patched computers," Dunham said. After a user 
opens the PowerPoint file, a variant of the "Hupigon" backdoor Trojan 
horse is installed on the PC. The Trojan then silently adds two 
additional files, "msupdate.dll" and "sdfsc.dll," to the system.

IDefense said that the crew responsible for the newest Office attack was 
Chinese, another similarity with the summer's Word and Excel exploits. 
Calling the writers "hackers for hire," Dunham said that the rapid shift 
in China from politically motivated attacks to for-profit hacks is "a 
cause for concern."

"They're getting paid a whole lot of money," Dunham said. "The 
capitalist attitude is infiltrating Chinese hackers."

Dunham recommends that users patch their systems--Microsoft Office 
applications as well as Windows--and refuse to open unsolicited 
PowerPoint files, especially any attached to e-mails with the subject of 
"Merry Christmas to our hero sons and daughters!"

Warned Dunham, "If you're not patching promptly, you can expect attacks 
in 2007."

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods