Microsoft PowerPoint 0-day Vulnerability FAQ [UPDATED]

This is a Frequently Asked Questions document about a new zero-day vulnerability in Microsoft PowerPoint. The document describes the related malware and e-mail attacks as well.



- Several updates done on 15th Jul, 2006.

Q: What is Microsoft PowerPoint 0-day vulnerability?

A: This previously unknown vulnerability is caused by an unknown error when processing malformed PowerPoint documents. The detailed characteristics are not publicly known, but the component being exploited is mso.dll (a shared Office library). The vulnerability was disclosed via malware descriptions reporting a new Trojan exploiting an undocumented vulnerability in PowerPoint. This flaw has been used in several e-mail attacks against undisclosed organizations. Microsoft has confirmed these "very targeted" attacks.

Q: How does the vulnerability work?

A: This is a code execution vulnerability. An attacker successfully exploiting it can run code of his or her choice on the affected machine. The arbitrary code runs with the privileges of the currently logged-on user. Keylogger and backdoor features are known to be included in the malware exploiting this vulnerability. The vulnerability is caused by memory corruption triggered by a specially crafted string in a PowerPoint file.

Q: When was this vulnerability found?

A: The first malware description was published on Wednesday 12th July. Microsoft confirmed the existence of the vulnerability on 13th July and officially in the MSRC Blog on 14th July. There is information that one AV vendor received samples on 11th July already.

Q: Is this one of the critical vulnerabilities reported on 11th July with MS July Security Bulletins?

A: No. This is a new, unpatched vulnerability. The vulnerabilities fixed in MS06-038 etc. are different issues.

Q: What Windows versions are affected?

A: Microsoft PowerPoint installations on Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows 2003 Server systems are reportedly affected.

Q: What PowerPoint versions are affected?

A: There is no official information about affected versions yet. Some vendors list PowerPoint versions 2003, 2002 and 2000 as affected. Several vendors list Office 2000, Office XP (2002) and Office 2003 as affected too.

UPDATE: New PoCs posted to a public mailing list have been tested against PowerPoint version 2003.

Q: Is PowerPoint Viewer utility affected too?

A: There is no official information about this yet. One security advisory lists PowerPoint Viewer 2003 as affected.

Q: Is Microsoft Works Suite affected too?

A: At the time of writing there is no official information about this yet.

Q: Is Microsoft PowerPoint for Mac affected by this vulnerability?

A: There is no official information about this. US-CERT lists Mac versions as affected too.

Q: Where are the official Microsoft documents related to this case located?

A: Documents published by Microsoft are located at the Microsoft Security Response Center (MSRC) Blog site. The address of this site is blogs.technet.com/msrc/default.aspx. The possibly upcoming security advisory will be published in the Microsoft Security Advisories section of the Microsoft TechNet Security site. The address of the advisory section is www.microsoft.com/technet/security/advisory/default.mspx.

Q: How can I protect myself from this vulnerability?

A: The best advice is to use anti-virus software and check that virus signature files are up-to-date.

Q: Is the exploit code of this vulnerability publicly released?

A: UPDATE: Yes. Three separate Proof-of-Concept exploits have been posted to public, non-moderated and moderated security mailing lists on 15th July. These PoCs have been tested against PowerPoint version 2003. However, it is reported that these PoCs demonstrate new, different vulnerabilities.

Q: Is a PoC-type sample file of this vulnerability publicly available?

A: No.

Q: Is it safe to open any .PPT files any more?

A: It is very important not to open PowerPoint files from unknown sources. However, files from familiar sources can cause an infection too if a spoofed e-mail is used.

Q: Are there any visual effects indicating the infection?

A: Yes. The title slide shows Chinese characters when a malicious PowerPoint document is opened. A screenshot of the first slide is included in the Sophos document related to this vulnerability (see the related item later). The background colour of the PowerPoint presentation used is black and the text colour is white.

Q: Are there any changes to the file system made by the related Trojan malware?

A: Yes. The files rtfmsv.exe and regvrt.exe are copied to the Windows System folder when the malicious .PPT attachment is opened.

Q: What are the Registry keys used?

A: Modifications are done under HKCU\Software\SKavx\.

Q: Are there any special features in the way this new Trojan works?

A: Yes. It can inject itself into the Explorer process.

Q: What are the names of the malware exploiting this vulnerability?

A: Reportedly there is one Trojan and one dropper component for this malware. The following names are used:

Backdoor.Bifrose.F [Trojan]

Trojan.PPDropper.B [dropper]

BKDR_BIFROSE.DS [Trojan]

TROJ_MDROPPER.AS [dropper]

BackDoor-CEP [Trojan]

Exploit-PPT.b [exploit]

Troj/Edepol-C [Trojan]

Bifrose.UZ [Trojan]

Backdoor:Win32/Bifrose!E029 [Trojan]

W32/Bifrose.UZ [Trojan]

The list is fairly comprehensive. There are some other W32/Bifrose-based names in use too.

Q: My AV vendor doesn't list these names on their Web pages. How do I know my AV software protects me?

A: It's possible that the anti-virus software has protection against this threat, but the malware database on the vendor's Web page doesn't include a specific write-up yet because of the beginning of the weekend, holiday season etc. The best way is to check the situation with your AV vendor.

Q: Are there Internet Storm Center documents available about the issue?

A: Yes. The Internet Storm Center (ISC) has released the following Diary entry: isc.sans.org/diary.php?storyid=1484

Q: Is there a CME name available for this related malware?

A: No. The Common Malware Enumeration (CME) project has not assigned an identifier to this malware.

Q: Does Windows Live Safety Center detect this malware?

A: UPDATE: Yes. According to a new MSRC Blog posting, detection has now been added.

Q: What is the file attachment name used in attacks mentioned?

A: A name including Chinese characters was used. The attackers can use other names in the future too, because information about the format of the name used is publicly known.

Q: Is there information about the file size used?

A: UPDATE: Yes. The size of the PowerPoint file is 220,160 bytes. Additionally, the .PPT file includes 18 slides.

Q: What is the sender address in use?

A: Reportedly gmail.com addresses have been used.

Q: Are the names of the recipients shown in the message including the malicious PowerPoint attachment?

A: No. Only the name 'Undisclosed-Recipient:', widely used in phishing e-mails etc., was used.

Q: What is the Subject line of e-mails sent in attacks mentioned?

A: Chinese characters have been used.

Q: What are the contents of the PowerPoint presentation?

A: Sophos has a short translation of the first two pages located at

www.sophos.com/pressoffice/news/articles/2006/07/chinesewords.html

Q: Is any user interaction required when opening the malicious PowerPoint file?

A: No. Simply opening a malformed PowerPoint file triggers the vulnerability.

Q: Is it safe to open PowerPoint presentations coming from a trusted, known sender during the next days?

A: The answer is yes and no. If your anti-virus software is updated it will protect you. If you want one hundred percent protection you can save presentations first and scan them with your AV software.

These days you can't trust that the sender information included in a message with a PowerPoint file attached is truthful. If you are not sure, you can always call the sender if an e-mail including a .PPT attachment arrives unexpectedly.

Additionally, it is possible to include malicious Microsoft PowerPoint files as embedded files in Microsoft Word files or Microsoft Excel files.

Q: Is it possible that malicious PowerPoint files (.PPT file extension etc.) are located on Web pages too?

A: Yes. It is possible that an attacker can place malformed PowerPoint files on Web pages too.

Q: Does filtering PowerPoint documents at the network perimeter protect me?

A: No. Windows normally opens files based on their file header information, i.e. filtering by file extension alone is not something you can trust.
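As an added illustration of the point above (example code, not part of the original FAQ): a perimeter filter should look at the file header, not the extension. PowerPoint .PPT files of this era are OLE2 Compound Document containers (the same container .DOC and .XLS use, which is why a PowerPoint object embedded in a Word or Excel file travels in one as well), so the check below classifies an attachment by the OLE2 signature and flags renamed files; the sample payloads are constructed, not real malware.

```python
# Added example: classify an attachment by its file header rather than its
# extension, so a renamed .PPT is not waved through by an extension-only filter.
import os

# OLE2 Compound Document signature shared by .PPT, .DOC and .XLS files.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
OLE_EXTENSIONS = {".ppt", ".pps", ".pot", ".doc", ".xls"}
# File size of the malicious .PPT reported in this FAQ; a weak indicator on its own.
KNOWN_SAMPLE_SIZE = 220160


def is_ole2_container(data: bytes) -> bool:
    """True if the payload begins with the OLE2 Compound Document signature."""
    return data[:len(OLE2_MAGIC)] == OLE2_MAGIC


def classify_attachment(filename: str, data: bytes) -> dict:
    """Report what the header says the file is and whether the name agrees."""
    ext = os.path.splitext(filename)[1].lower()
    ole = is_ole2_container(data)
    return {
        "extension": ext,
        "ole2_container": ole,
        # A renamed Office document, e.g. "photo.jpg" that is really a .PPT.
        "extension_mismatch": ole and ext not in OLE_EXTENSIONS,
        "size_matches_known_sample": len(data) == KNOWN_SAMPLE_SIZE,
    }


def should_quarantine(filename: str, data: bytes) -> bool:
    """Hold every OLE2 container for AV scanning, whatever its name says."""
    return classify_attachment(filename, data)["ole2_container"]


if __name__ == "__main__":
    # Constructed sample payloads (not real malware): a fake OLE2 header padded
    # to the reported sample size, and a plain text file misnamed as .ppt.
    fake_ppt = OLE2_MAGIC + b"\x00" * (KNOWN_SAMPLE_SIZE - len(OLE2_MAGIC))
    samples = [("slides.ppt", fake_ppt), ("photo.jpg", fake_ppt),
               ("notes.ppt", b"just text")]
    for name, blob in samples:
        print(name, classify_attachment(name, blob), should_quarantine(name, blob))
```

A file that is not an OLE2 container can of course still be dangerous for other reasons; the point is only that the extension carries no trustworthy information about the content.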

Q: When is the fix for this vulnerability expected?

A: It is impossible to say. Normally a Microsoft security advisory includes information about the fixing timeline of unpatched vulnerabilities. The next monthly security updates are scheduled for 8th August, 2006.

Q: Is there a CVE name available for this vulnerability?

A: Yes, the CVE name CVE-2006-3590 was assigned on 14th July. The link to the CVE document is cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3590.

Q: Are rootkit techniques included in the malware exploiting this vulnerability?

A: At the time of writing there is no information about rootkit functionality being included.

Q: Is there any other payload than backdoor and keylogging functionality included in the Trojan malware?

A: Yes. Reportedly this Trojan horse may attempt to disable AV (anti-virus) software. Additionally, it sends system information to a remote Web site. This can help the attacker in future attacks.

Q: Is there information about the origin of the related malware authors?

A: No. It is known that one of the target Web sites used in the attacks mentioned is located in Hong Kong, China. Some target sites are located in the USA, however.

(c) Juha-Matti Laurio, Finland (UTC +3hrs)



-UPDATE-
The MSRC Blog posting states that Microsoft has activated their security response process and has added detection to the Windows Live Safety Center.

Revision History:

1.0 14-07-2006 Initial release

1.1 14-07-2006 Added information about Registry keys used

1.2 14-07-2006 Added Trojan descriptions and information about translation of PPT file contents

1.3 14-07-2006 Added CVE name. Some minor updates.

1.4 15-07-2006 Added information about Windows Live Safety Center protection and PoCs posted to public mailing list

1.5 15-07-2006 Several updates and fixes, added new items

Thanks to Internet Storm Center handler Bojan Zdrnja for his comments to this FAQ document.
