Softpedia
 


July 22nd, 2006, 10:04 GMT · By

Chinese Data Theft via PowerPoint Vulnerability Exploit



Symantec warns that a zero-day exploit of a PowerPoint vulnerability allows compromised computers to be used in data theft attacks. A malicious PowerPoint file infects the machine with Trojan.PPDropper.C, which drops additional malware in the form of Backdoor.Bifrose.E and Trojan.Riler.F. The two backdoor Trojans allow remote access to a potentially compromised computer.

Backdoor.Bifrose.E is a keylogger that connects to pukumalon.8800.org, a free hosting service on a China-based server. All the data recorded by the keylogger is transmitted to the remote server.

"Trojan.Riler.F is a back door Trojan horse that installs itself as a layered service provider (LSP), and allows a remote attacker to have unauthorized access to the compromised computer. It is dropped by Trojan.PPDropper.C. When Trojan.Riler.F is executed, it creates the files: "%System%\SNootern.dll" and "%System%\uidmngr.ini", installs the file SNootern.dll as a layered service provider (LSP) and creates the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9," describes Symantec.

Trojan.Riler.F also connects to soswxyz.8800.org, permitting access to all data stored or trafficked through the compromised computer. Microsoft has already announced that the PowerPoint vulnerability will not be patched until August 8.
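A triage check built from the indicators above, added here as an example (it is not Symantec's or Softpedia's code): it looks for the named LSP DLL in exported Winsock catalog entries and for the two hostnames in DNS logs. It assumes each entry under Protocol_Catalog9\Catalog_Entries carries a PackedCatalogItem value that begins with the provider DLL path; the function names, sample catalog and log format are constructed.

```python
import ntpath

# Indicators named in the article above; all sample data below is constructed.
LSP_DLL_NAMES = {"snootern.dll"}
C2_HOSTS = {"pukumalon.8800.org", "soswxyz.8800.org"}

def provider_path(packed_item: bytes) -> str:
    # Assumption: the value starts with the DLL path as a NUL-terminated ANSI string.
    return packed_item.split(b"\x00", 1)[0].decode("latin-1")

def triage_lsp(entries: dict) -> list:
    """entries maps a Catalog_Entries subkey name to its PackedCatalogItem bytes."""
    hits = []
    for key, blob in sorted(entries.items()):
        path = provider_path(blob)
        # ntpath parses Windows paths even when the triage host is not Windows.
        if ntpath.basename(path).lower() in LSP_DLL_NAMES:
            hits.append((key, path))
    return hits

def triage_dns(lines) -> list:
    """Return log lines that query a listed host or one of its subdomains."""
    hits = []
    for line in lines:
        for token in line.lower().split():
            name = token.rstrip(".")  # tolerate fully qualified trailing dot
            if any(name == h or name.endswith("." + h) for h in C2_HOSTS):
                hits.append(line)
                break
    return hits

def make_item(path: str) -> bytes:
    # Constructed stand-in for a registry value: path, NUL, then padding bytes.
    return path.encode("latin-1") + b"\x00" * 17

SAMPLE_CATALOG = {  # constructed sample entries
    "000000000001": make_item(r"%SystemRoot%\system32\mswsock.dll"),
    "000000000002": make_item(r"%SystemRoot%\system32\SNootern.dll"),
}
SAMPLE_DNS = [  # constructed log lines in a hypothetical format
    "2006-07-22T10:01:02 10.0.0.5 A www.example.com",
    "2006-07-22T10:01:09 10.0.0.5 A soswxyz.8800.org.",
]

if __name__ == "__main__":
    print(triage_lsp(SAMPLE_CATALOG))
    print(triage_dns(SAMPLE_DNS))
```

A hit on the catalog check means the DLL is still chained into the Winsock stack, so the provider should be unregistered before the file is deleted, or network access on the host can break.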

Copyright © 2001-2012 Softpedia. Contact/Tip us at
