Virus writers seem to be making the rounds of the Office applications. Word and Excel have both been hit with exploits, and now PowerPoint is the target of a zero-day vulnerability, although it uses the same modus operandi as so many other viruses.
Symantec’s virus hunters have dubbed the virus Trojan.PPDropper.B, while other antivirus makers are likely dissecting it as well. It follows a well-worn pattern: an email arrives from an unknown source, in this case from a Gmail account, and has a PowerPoint file attached. The email has Chinese characters in it, which would indicate its origins are in Asia.
Once again, it counts on the end user to be dumb enough to open an attachment from an unknown source. Should you be that dumb, it executes a variant of a known keystroke logger that is used to steal personal information and send it back to a remote server. The virus then overwrites the malicious PowerPoint file with a new clean copy of the document to cover its tracks.
More disturbing than the virus is the pattern it follows. For the second time in as many months, this virus comes within days of Microsoft’s monthly patch releases. Last month, a zero-day Excel exploit hit the Internet just one day after the monthly patch release.
“This ensures the maximum amount of time for the maximum number of unpatched machines,” said Randy Abrams, director of technical education at Eset Software, an antivirus software developer. “There is money behind this stuff. For the old style of virus writer, it didn’t matter when they released something, but for organized crime, maximizing access to vulnerable machines is the name of the game.”
In a statement, Microsoft said it is investigating the reports and will “take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs.”