“Will the world end?”, Sudoku docs laced with macro malware
21 December, 2012 08:55
A gang has laced a PowerPoint presentation about the end of the world with malware, preying on widespread interest in the Mayan prediction it will happen tomorrow.
Researchers at security vendor Sophos this week discovered a malware-rigged version of a presentation by a US preacher titled “Will the world end in 2012?”. While the contents of the document were the preacher’s words, a rigged version attempts to infect readers with what appears to be semi-formed malware.
The document by the preacher answers the question with a series of failed doomsday predictions, including a reference to Nostradamus’ claim the end would happen in 2000, which the author associated with the computer “chaos” that it was thought would be caused by the so-called Y2K bug.
The malware version of the presentation contains a macro -- a sequence of instructions -- that creates a Visual Basic executable file that is designed to download another executable, Wmupdate.exe.
The malware appeared to be “automatically generated” and did not in Sophos’ tests actually download the second component, suggesting it was not properly developed.
Nonetheless, Sophos says the methods were very similar to another piece of malware attached to an Excel file that is a generator and solver for the popular number-placement puzzle Sudoku. The malware samples were “functionally identical”, its researchers said.
The Sudoku malware, however, had an edge over the doomsday malware. Both samples rely on macros in Visual Basic to create malware, but the Sudoku example attempts to trick potential victims into enabling the malware-generating macro in Visual Basic with the lure that doing so will allow them to generate Sudoku puzzles.
Sophos notes that macros were a popular tool for cybercriminals back in the 1990s until Microsoft turned the capability off by default to counter its misuse.
“It sounds perfectly reasonable, doesn't it? Generating Sudoku puzzles requires a program; to run the program requires macros,” said a Sophos representative.
The Sudoku malware sends a list of programs and services running on the victim’s PC, the PC’s location and details about the hardware, operating system and patches.