Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Security

New Malware Downloader Can Infect PCs Without A Mouse Click (engadget.com) 151

An anonymous reader quotes Engadget: You think you're safe from malware since you never click suspicious-looking links, then somebody finds a way to infect your PC anyway. Security researchers have discovered that cybercriminals have recently started using a malware downloader that installs a banking Trojan to your computer even if you don't click anything. All it takes to trigger the download is to hover your mouse pointer over a hyperlink in a carrier PowerPoint file. According to researchers from Trend Micro and Dodge This Security the technique was used by a recent spam email campaign targeting companies and organizations in Europe, the Middle East and Africa. The emails' subjects were mostly finance-related, such as "Invoice" and "Order #," with an attached PowerPoint presentation. The PowerPoint file has a single hyperlink in the center that says "Loading... please wait" that has an embedded malicious PowerShell script. When you hover your mouse pointer over the link, it executes the script.
Trend Micro writes that "while the numbers aren't impressive, it can also be construed as a dry run for future campaigns, given the technique's seeming novelty," adding "It wouldn't be far-fetched for other malware like ransomware to follow suit."
This discussion has been archived. No new comments can be posted.

New Malware Downloader Can Infect PCs Without A Mouse Click

Comments Filter:
  • No Clicks! Wow! (Score:5, Interesting)

    by Anonymous Coward on Sunday June 11, 2017 @02:40PM (#54597483)

    So, I receive a suspicious email, which I need to click on to open. That email contains a PowerPoint attachment, which I need to click on to open. Once done, I can be infected with a mouse-over rather than a click.

    Zero-click malware. Meh.

    • How many clicks does it take for those of use who do not own or use PowerPoint either personally or professionally?
      • by Anonymous Coward on Sunday June 11, 2017 @03:29PM (#54597655)

        1... 2... 3. It takes three clicks to get to the center of a PowerPoint.

      • "How many clicks does it take for those of use who do not own or use PowerPoint"

        Exactly that.

        "Security researchers have discovered that cybercriminals have recently started using a malware downloader that installs a banking Trojan to your computer"

        Does it installs into my computer or into my *windows* system?
        (once again)

      • by Anonymous Coward

        How many clicks does it take for us who don't yes or own PowerPoint, don't click on spam, and won't open powerpoint attachments even if it came out of the blue from friends? (Simply because we know our friends don't use powerpoint either, and we'd have no way to view the file even if we were to try to open it.)

        End of the day: Microsoft has shitty security in their file formats and programs still.

    • Re:No Clicks! Wow! (Score:5, Insightful)

      by rudy_wayne ( 414635 ) on Sunday June 11, 2017 @02:54PM (#54597535)

      Meanwhile, the two biggest problems are ignored.

      Problem 1 - User stupidity. You get an e-mail with a "finance-related" subject, such as 'Invoice' or 'Order #'. But there's a Powerpoint file attached. Since when are legitimate invoices sent as Powerpoint files?

      Problem 2 - Microsoft stupidity. The ability of Powerpoint to run an external executable file (in this case powershell) is a HUGE design flaw that has become a major source of malware distribution.

      • by Anonymous Coward

        "Problem 1 - User stupidity" And you have just provided a real world example of Problem #1 with your assertion in Problem #2.
        Being able to execute power shell scripts from within Powerpoint provides functionality that a lot of people use for a lot of different reasons. That functionality is not a design defect. If it is a design defect than every single application object capable of invoking external scripts and executables are also design defects.

        And I am continually amazed with statements such as "Micro

        • Re:No Clicks! Wow! (Score:5, Insightful)

          by Darinbob ( 1142669 ) on Sunday June 11, 2017 @04:59PM (#54598049)

          But it is a fundamentally stupid idea. There is no need for it. So what if some users want it, let them use a plug in or other tool if they insist on automatically executing code received over the network.

        • by Gr8Apes ( 679165 )

          And I am continually amazed with statements such as "Microsoft stupidity". If MS is as stupid and as bad as the OS and App evangelicals claim how do you explain their dominance, success, and profitability? If their product line has been so obviously bad how did they achieve their success?

          You only need to look at some of the anti-monopolistic practices MS has been convicted of to answer your questions. For a couple of others, like Netscape, yeah, they pretty much screwed themselves.

          • by lucm ( 889690 )

            You only need to look at some of the anti-monopolistic practices MS has been convicted of to answer your questions.

            Like having a proprietary web browser included in their proprietary o/s?

            I wonder if any other company does that.

            • by Anonymous Coward

              No. Like having a proprietary web browser which is embedded deeply into the OS. Teach me how to uninstall IE on modern Win OS, it is impossible because some functionality is required by the OS itself.

            • by Gr8Apes ( 679165 )
              Are any other companies monopolies and taking out the existing dominant players?
        • Re: (Score:2, Insightful)

          by runningduck ( 810975 )

          Your comment demonstrates your complete lack of understanding regarding what it takes and what occurred to achieve market dominance not to mention what constitutes sound software architecture.

        • by gl4ss ( 559668 )

          *That functionality is not a design defect. If it is a design defect than every single application object capable of invoking external scripts and executables are also design defects.*

          the design defect is that it's not running them in a sandbox. it very well might be running them in a sandbox and the script uses a defect in the system to break out(most likely). possibly that part links to the link preview functionality since you need the action to sprout out from a mouse hover(if it didnt need that they wou

      • A recent case relayed malware using your contact list and the Subject "sad news". Who would not be tempted to read that piece of mail? More obvious attempts like a free Amazon coupon from a non-Amazon return address address are easy to ignore.
    • Back in the day (yesterday?) just opening a word or excel document could infect you.. This "novel" approach is really taking a step backwards for malware.
      • by mspohr ( 589790 )

        Interesting that Microsoft hasn't fixed this problem... but then, it's Microsoft.
        Maybe they thought that the malware people weren't smart enough to use PowerPoint.
        (I assume that this doesn't work in LibreOffice or OpenOffice or on OSX or Linux... just the lucky stupid Windows users.)

    • So, I receive a suspicious email, which I need to click on to open.

      And before that, you need to click on your browser or e-mail client.
      And before that, you need to click to log into the computer.
      And before that, you need to push the physical power button.

      Zero-click malware. Meh.

      Except that random joe 6 pack user...
      ...does click on any e-mail, because that's what they are used to.
      ...also recognizes PowerPoint file as one of the few "safe" attachment that they can open.

      In other words: all the clicks that a normal user will accomplish in this infection are normal regular action that they do on an ev

    • So, compared to the Word-Macro trojans, where it's enough to just open a file, you now have to hover the mouse over a link after opening it for infections to happen?

    • by e70838 ( 976799 )
      does it work also with powerpoint viewer on wine ?
    • Oh, don't forget to allow powershell scripts to run.

    • Hurray for alarmist bullshit! You know what's even worse? Past PDF and DOC viruses that just needed you to open the file and not hover over anything.
    • Exactly... you must be stupid enough to open the e-mail, then open the PPT... but look... you do not need to click the hyperlink to get infected... Good Lord!!
  • by K. S. Kyosuke ( 729550 ) on Sunday June 11, 2017 @02:43PM (#54597497)

    The PowerPoint file has a single hyperlink in the center that says "Loading... please wait" that has an embedded malicious PowerShell script.

    Sooo...the file opens itself without clicking, too? Or how exactly does that work?

  • by Anonymous Coward

    .... don't use Microsoft crap... ever. Really. And if you have to at work, so be it, but don't use it on your home devices.

    • by Creepy ( 93888 )

      That would be nice... but the VPN software I use to access work from home is only free to me for Windows :\

      They actually have mac and Linux clients, but I have to pay $300+ for them (I know some Linux and mac diehards that did). Screw that, I can run Windows in a VM for far cheaper.

  • Who would have guessed? PowerPoint files don't open without clicking.

  • This just in... (Score:5, Insightful)

    by green1 ( 322787 ) on Sunday June 11, 2017 @02:50PM (#54597521)

    Opening suspicious files is still dangerous.
    Who woulda thought?

    As others have pointed out, this "no click" malware requires you to download and open a malicious powerpoint file, and then hover over the link contained in the file before it can infect you.
    If anything, this seems far LESS of a risk than many other attack vectors that also require opening malicious file attachments in email. (usually opening the installer itself instead of a powerpoint file)

    That said, WTF powerpoint? who makes a mouseover capable of downloading and installing something? c'mon guys, how stupid do you have to be to allow this sort of behaviour in your file format?

    • by mspohr ( 589790 )

      Microsoft is the company which is stupid enough to allow a mouseover to download and install software.
      You don't have to ask how stupid Microsoft is.

    • Clickbait article does mention that "newer" office versions may offer yet another barrier to infection. However, it conveniently omits to mention that the feature which prevents the script from running even if you view the file in Powerpoint is called Protected View, and has been available and enabled by default since Office 2010 [office.com] !!!

      When downloading files through a browser or receiving it through an email client, the file is "tainted" with a zone identifier that indicates that the file has been received fr

    • ...how stupid do you have to be to allow this sort of behaviour in your file format?

      Who's stupider: the company that continuously and intentionally programs severe defects into its products, or the people who continuously and intentionally lock themselves into those products despite knowing this?

      • by green1 ( 322787 )

        I'm not defending the users either, but I don't see it changing as long as software companies are not held responsible for their actions.

    • by houghi ( 78078 )

      Opening suspicious files is still dangerous.
      Who woulda thought?

      Everybody on /. knows that. Each single person on /. is aware of that. However not everybody is on /. There are plenty of users out there that have no idea how things work. They know that suspicious files are dangerous. Yet they are unable to determine how dangerous the things are compared to the dangers of not paying bills and getting fired because of that or be in debt.

      People are pretty bad at evaluating dangers. Just look at how politics talk

      • by green1 ( 322787 )

        Everybody on /. knows that. Each single person on /. is aware of that. However not everybody is on /.

        And yet the article is on Slashdot, so it seems unlikely that it being here will have much effect on those who are not.

        Also, had you actually read my comment, you'd notice that I'm not blaming the victims, I'm blaming Microsoft for making such an idiotic decision, while at the same time stating that this particular issue is no worse (and probably much less dangerous) than the normal attack vector of simply sending the victim an installer file in the first place. After all, if they're going to click on a sus

  • by RyanFenton ( 230700 ) on Sunday June 11, 2017 @02:54PM (#54597533)

    Friends don't let friends install Microsoft Office.

    Seriously - once you've got someone to open anything in MS Office, the scripting allowed in those formats means that few vulnerabilities are a very large surprise. That, and if you've ever had to work for a client that demands a large degree of Office interop or automation, you become acutely aware of how messy those formats have become over the years.

    Don't get me wrong, in 'friendly' settings, it's got a nice set of features, and there's a reason that many folks allow their careers to be tied into it - but it's not a tool you want anything internet-related to connect to in any way, if you can help it. You're potentially handing over the keys to your computer when you open any of those formats from a potentially unfriendly source.

    At least lock it behind a virtual system if you're going to open anything from the random internet.

    Ryan Fenton

    • Friends don't let friends install Microsoft Office....

      Back in the beginnings of Windows, I was always of the opinion that Microsoft was more interested in features and less interested in security. iow, new features = worth the investment, new security = not worth the investment. I would have thought that Microsoft would at least know better by now. But it still appears they do not.

    • Friends don't let friends install Microsoft Office.

      No one installs office. They buy computers with it pre-installed or get given them through work.

  • I don't have a mouse I have a track-pad on one machine and one with a clitoris stick.

  • by Anonymous Coward

    It's a good day to own a Mac!

    • Does it work with PowerPoint for Mac, available from the App Store?

      • I would imagine you could do the same with a Bash script instead of PowerShell, but no, this implementation uses PowerShell, which is a Windows thing.
  • Windoze duh (Score:3, Insightful)

    by fnj ( 64210 ) on Sunday June 11, 2017 @03:42PM (#54597715)

    Smells like Windoze crap to me. Linux and BSD are the fixes for this.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      I wish people would stop posting that. There is nothing technical about Linux to prevent exactly the same thing from happening. The reason it isn't happen as much on Linux are because Linux users are usually more technically proficient, haven't demanded "auto-run" features all over the place, and don't fall for fishing attacks nearly as often.

      If Linux saw the infusion of technical illiteracy that Windows has had, all these things would be happening to Linux too, because the market would demand endless sim

      • by mspohr ( 589790 )

        "... nothing technical about Linux to prevent exactly the same thing from happening."
        Except that Linux has a robust security framework which will prevent it from installing random stuff in an email attachment whereas Windows is just crap.

    • BSD is malware. I installed it once and all my games stopped working. Like completely stopped! I couldn't even double click the exe. No crash, nothing. They just wouldn't even launch.

      Never again!

  • by shellster_dude ( 1261444 ) on Sunday June 11, 2017 @04:22PM (#54597875)
    Even after you open the Powerpoint and hover over the link, you will still be prompted with a scary prompt to Allow the WSF or JS(E) or VB(E) or ..., so you still have to click at least once.
  • by viperidaenz ( 2515578 ) on Sunday June 11, 2017 @04:48PM (#54597995)

    If you're using an Office product older than Office 2010.
    Since then you need to click "Enable" or "Enable All (not recommended)" to on the security prompt to allow the script to run.

    So yes, no clicks if you're using Office 2007 or earlier.

  • PowerPoint is still a thing? Well than you can't be helped anyway.
  • Most MS Office exploits I remember would run as soon as you opened the file. It's nice to see that Microsoft have managed to get their security to the point where it is at least necessary to interact with the file once opened to trigger the exploit...

  • It's a powershell macro that does the dirty work. Is it subject to the computer's powershell execution policy? I really wish they would have mentioned that somewhere.
  • ...and how does this affect my PC running UNIX? Really? Not at all, you say? So... fake news?
  • Most malware attacks can be described based on platform and vector of attack. From what has been described here, I am going to guess (because it is not specified) that we are talking a Windows OS running on (likely) an x86/x86-64 architecture with some version of PowerPoint and PowerShell installed. The vector is malicious file that you have to copy/download, open, and hover. Ninety-nine percent of all malware is limited is limited by platform just due the nature of vulnerabilities and the code it takes to

The trouble with opportunity is that it always comes disguised as hard work. -- Herbert V. Prochnow

Working...