Even innocent-looking files can hide a piece of malware

Jun 4, 2012 13:34 GMT  ·  By

It’s not uncommon for internauts to come across shady-looking emails that bear .exe, .zip, or .pdf files which hide some sort of malicious plot. However, it’s rather unusual to find a Microsoft PowerPoint presentation that embeds a Flash file which hides an exploit.

Experts from Trend Micro’s TrendLabs have come across such a PowerPoint document, identified as TROJ_PPDROP.EVL, which, once it’s executed, attempts to exploit known Flash Player vulnerabilities in order to drop a backdoor on the victim’s computer.

Let’s take a look at how the attack works.

First, when the .ppt file is opened, shellcode within the embedded Flash file is triggered. If it finds the security hole it’s looking for, winword.tmp, which is actually the backdoor, is copied into the Temp folder.

In the meantime, a clean PowerPoint presentation is dropped. This technique has been seen in other malicious campaigns in which the victim is presented with a legitimate .pdf or Word document in order to avoid raising any suspicion.
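As an added defensive example (not code from the article or from Trend Micro), the following Python scanner flags Flash (SWF) objects embedded in a PowerPoint file, the carrier described above. The .pptx it checks is constructed in memory; the SWF header layout (signature, version byte, length) is the public format.

```python
import io
import re
import struct
import zipfile

# A SWF begins with a 3-byte signature (FWS = uncompressed, CWS = zlib, ZWS = LZMA),
# one version byte and a 4-byte little-endian file length. Capping the version byte
# filters most accidental byte matches in large documents.
SWF_HEADER = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x40].{4}", re.DOTALL)

def find_embedded_swf(data: bytes) -> list:
    """Return (offset, signature, version, declared_length) for each plausible SWF header."""
    hits = []
    for m in SWF_HEADER.finditer(data):
        hdr = m.group(0)
        sig, version = hdr[:3].decode(), hdr[3]
        declared_len = struct.unpack("<I", hdr[4:])[0]
        if declared_len < 8:            # the length field counts the 8-byte header itself
            continue
        if sig == "CWS" and data[m.end():m.end() + 1] != b"\x78":
            continue                    # a zlib stream must follow a CWS header
        hits.append((m.start(), sig, version, declared_len))
    return hits

def scan_presentation(data: bytes) -> list:
    """Scan a .ppt (OLE2) or .pptx (OOXML zip) blob for embedded Flash objects.
    Returns (member_name, offset, signature, version, declared_length) tuples."""
    findings = []
    if data[:4] == b"PK\x03\x04":                    # OOXML: inspect every zip member
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                for hit in find_embedded_swf(zf.read(name)):
                    findings.append((name,) + hit)
    else:
        # Legacy OLE2 container (.ppt): a raw scan works unless the SWF header
        # straddles a 512-byte sector boundary; a full OLE parser closes that gap.
        for hit in find_embedded_swf(data):
            findings.append(("<ole-raw>",) + hit)
    return findings

def build_sample_pptx() -> bytes:
    """Constructed sample: a minimal zip posing as a .pptx whose embedded object
    stream carries a zlib-compressed SWF (version 10) header."""
    fake_swf = b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 32
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/embeddings/oleObject1.bin", b"\x00" * 16 + fake_swf)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in scan_presentation(build_sample_pptx()):
        print("embedded Flash object:", finding)
```

A hit is a reason to detonate or quarantine the document, not proof of exploitation; legitimate decks do embed Flash, so the rule is best paired with the patch level of the Flash Player on the host.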

The backdoor, which Trend Micro detects as BKDR_SIMBOT.EVL, connects to remote locations to communicate with its master, who can order it to download and execute other, even more dangerous, pieces of malware.

“This finding highlights two things. First, exploits created for reliable vulnerabilities remain effective cybercriminal tools. Second, most users do not regularly update their systems with the latest security patch, which explains why attackers are continuously exploiting these bugs,” Cris Pantanilla, threat response engineer at Trend Micro, said.

He has also highlighted the fact that most cybercriminals are improving their game by hiding their malicious elements inside ordinary documents and spreadsheets, instead of leaving them out in the open as executable files.

The problem with PowerPoint presentations and other apparently harmless formats is that users tend to trust them. However, as we can clearly see in this example, the rule “if it’s not a .exe, it can’t be a virus” doesn’t apply anymore.