New Malware Downloader Can Infect PCs Without A Mouse Click (engadget.com)
An anonymous reader quotes Engadget:
You think you're safe from malware since you never click suspicious-looking links, then somebody finds a way to infect your PC anyway. Security researchers have discovered that cybercriminals have recently started using a malware downloader that installs a banking Trojan on your computer even if you don't click anything. All it takes to trigger the download is to hover your mouse pointer over a hyperlink in a carrier PowerPoint file. According to researchers from Trend Micro and Dodge This Security, the technique was used by a recent spam email campaign targeting companies and organizations in Europe, the Middle East and Africa. The emails' subjects were mostly finance-related, such as "Invoice" and "Order #," with an attached PowerPoint presentation. The PowerPoint file has a single hyperlink in the center that says "Loading... please wait" that has an embedded malicious PowerShell script. When you hover your mouse pointer over the link, it executes the script.
Trend Micro writes that "while the numbers aren't impressive, it can also be construed as a dry run for future campaigns, given the technique's seeming novelty," adding "It wouldn't be far-fetched for other malware like ransomware to follow suit."
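The summary describes the trigger as a hover over a hyperlink inside a PowerPoint file. In the OOXML format, that kind of action is a DrawingML hlinkMouseOver (or hlinkClick) element whose action attribute is ppaction://program and whose relationship target is the command to run. The following added example, not code from Trend Micro, Engadget or Microsoft, unpacks a .pptx/.ppsx and flags such actions; the embedded sample deck is constructed here with a harmless placeholder command so the script runs offline, and the list of script hosts it treats as launchers is an assumption of this example.

```python
"""Scan a PowerPoint OOXML file (.pptx/.ppsx) for hover/click actions that
launch an external program.

Added example; not code from Trend Micro, Engadget or Microsoft. The sample
deck below is constructed so the script runs offline.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_P = "http://schemas.openxmlformats.org/presentationml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_HYPERLINK = NS_R + "/hyperlink"

# Assumption of this example: a hyperlink target naming one of these script
# hosts is treated as a program launch even if the action attribute is absent.
LAUNCHER_RE = re.compile(
    r"(?i)\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b")
SLIDE_RE = re.compile(r"ppt/slides/slide\d+\.xml")


def _slide_rels(zf, slide_name):
    """Return {rId: (type, target, mode)} from the slide's .rels part, if any."""
    rels_name = slide_name.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {
        rel.get("Id"): (rel.get("Type"), rel.get("Target"), rel.get("TargetMode"))
        for rel in root.iter(f"{{{NS_REL}}}Relationship")
    }


def scan_pptx(data):
    """Return findings for hlinkMouseOver/hlinkClick elements whose action is
    ppaction://program or whose resolved hyperlink target looks like a launcher."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in sorted(zf.namelist()):
            if not SLIDE_RE.fullmatch(name):
                continue
            rels = _slide_rels(zf, name)
            slide = ET.fromstring(zf.read(name))
            for trigger in ("hlinkMouseOver", "hlinkClick"):
                for el in slide.iter(f"{{{NS_A}}}{trigger}"):
                    action = el.get("action") or ""
                    rid = el.get(f"{{{NS_R}}}id")
                    _rtype, target, mode = rels.get(rid, (None, None, None))
                    runs_program = action.startswith("ppaction://program")
                    launcher = bool(target and LAUNCHER_RE.search(target))
                    if runs_program or launcher:
                        findings.append({
                            "slide": name,
                            "trigger": trigger,
                            "action": action,
                            "target": target,
                            "external": mode == "External",
                        })
    return findings


def build_sample_pptx():
    """Constructed minimal deck: one shape whose mouse-over action runs a
    program. The target is a harmless placeholder, not the campaign's payload."""
    slide = f'''<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="{NS_P}" xmlns:a="{NS_A}" xmlns:r="{NS_R}">
 <p:cSld><p:spTree>
  <p:sp>
   <p:nvSpPr>
    <p:cNvPr id="2" name="Loading"><a:hlinkMouseOver r:id="rId2" action="ppaction://program"/></p:cNvPr>
    <p:cNvSpPr/><p:nvPr/>
   </p:nvSpPr>
   <p:txBody><a:p><a:r><a:t>Loading... please wait</a:t></a:r></a:p></p:txBody>
  </p:sp>
 </p:spTree></p:cSld>
</p:sld>'''
    rels = f'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{NS_REL}">
 <Relationship Id="rId2" Type="{REL_HYPERLINK}" Target="powershell.exe -NoProfile -Command &quot;Write-Host hover&quot;" TargetMode="External"/>
</Relationships>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder, not parsed
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_pptx(build_sample_pptx()):
        print(finding)
```

Pass the bytes of a real deck to scan_pptx to triage an attachment; an hlinkMouseOver entry with action ppaction://program and an External target is the hover-to-run construction the summary describes, whatever the link text says.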
No Clicks! Wow! (Score:5, Interesting)
So, I receive a suspicious email, which I need to click on to open. That email contains a PowerPoint attachment, which I need to click on to open. Once done, I can be infected with a mouse-over rather than a click.
Zero-click malware. Meh.
Re: No Clicks! Wow! (Score:5, Funny)
1... 2... 3. It takes three clicks to get to the center of a PowerPoint.
Re: (Score:2)
Did you factor in double clicks?
Re: (Score:3)
"How many clicks does it take for those of us who do not own or use PowerPoint"
Exactly that.
"Security researchers have discovered that cybercriminals have recently started using a malware downloader that installs a banking Trojan to your computer"
Does it install into my computer or into my *Windows* system?
(once again)
Re: (Score:1)
How many clicks does it take for us who don't use or own PowerPoint, don't click on spam, and won't open PowerPoint attachments even if they came out of the blue from friends? (Simply because we know our friends don't use PowerPoint either, and we'd have no way to view the file even if we were to try to open it.)
End of the day: Microsoft has shitty security in their file formats and programs still.
Re:No Clicks! Wow! (Score:5, Insightful)
Meanwhile, the two biggest problems are ignored.
Problem 1 - User stupidity. You get an e-mail with a "finance-related" subject, such as 'Invoice' or 'Order #'. But there's a Powerpoint file attached. Since when are legitimate invoices sent as Powerpoint files?
Problem 2 - Microsoft stupidity. The ability of Powerpoint to run an external executable file (in this case powershell) is a HUGE design flaw that has become a major source of malware distribution.
Re: (Score:1)
"Problem 1 - User stupidity" And you have just provided a real world example of Problem #1 with your assertion in Problem #2.
Being able to execute PowerShell scripts from within PowerPoint provides functionality that a lot of people use for a lot of different reasons. That functionality is not a design defect. If it is a design defect, then every single application object capable of invoking external scripts and executables is also a design defect.
And I am continually amazed with statements such as "Micro
Re:No Clicks! Wow! (Score:5, Insightful)
But it is a fundamentally stupid idea. There is no need for it. So what if some users want it, let them use a plug in or other tool if they insist on automatically executing code received over the network.
Re: (Score:2)
And I am continually amazed with statements such as "Microsoft stupidity". If MS is as stupid and as bad as the OS and App evangelicals claim, how do you explain their dominance, success, and profitability? If their product line has been so obviously bad, how did they achieve their success?
You only need to look at some of the anti-monopolistic practices MS has been convicted of to answer your questions. For a couple of others, like Netscape, yeah, they pretty much screwed themselves.
Re: (Score:2)
You only need to look at some of the anti-monopolistic practices MS has been convicted of to answer your questions.
Like having a proprietary web browser included in their proprietary o/s?
I wonder if any other company does that.
Re: (Score:1)
No. Like having a proprietary web browser which is embedded deeply into the OS. Teach me how to uninstall IE on modern Win OS, it is impossible because some functionality is required by the OS itself.
Re: (Score:2, Insightful)
Your comment demonstrates your complete lack of understanding regarding what it takes and what occurred to achieve market dominance not to mention what constitutes sound software architecture.
Re: (Score:3)
*That functionality is not a design defect. If it is a design defect than every single application object capable of invoking external scripts and executables are also design defects.*
The design defect is that it's not running them in a sandbox. It very well might be running them in a sandbox and the script uses a defect in the system to break out (most likely). Possibly that part links to the link preview functionality, since you need the action to sprout out from a mouse hover (if it didn't need that they wou
Re: (Score:3)
Monday June 12, 2017
I now no longer reply to AC posts. 2017/06/04
> Replies to AC post.
Re: (Score:2)
I can make exceptions to my own rules
Then it ain't rules.
you seem to be following me around
You wish. Are you lonely or something?
Re: (Score:2)
I'll take that for a 'yes'. Sorry to hear it.
Re: (Score:2)
Yes, I follow you around, and then I specifically reply to *your* comments. I rolled some dice to obtain the next uid to dedicate 30% of my comments last week to, and it was yours.
It absolutely can't be just coincidence, or the fact that I often don't bother commenting unless I stumble upon something outstandingly stupid, and you just happened to be a lot of that last week.
It's funny though how this shows how badly you want a little attention.
Re: (Score:2)
think whatever you want about me
There's the issue. I don't think anything about you (*). I usually don't even look at the name of whoever I'm replying to. So you can stop right there.
(*) Of course, after *this* conversation, I'm convinced you're egocentric, obnoxious and pretty much what I'd put in the "idiot" drawer. But had you not pointed it out to me, I wouldn't even have known about you, nor about that fascinating 30% number. Speaking of "nothing better to do"...
Re: (Score:2)
> Claims they don't look at usernames
Right-o, then.
Re: (Score:2)
> Misrepresents what was said to appear to have an argument
> Pulls it off ham-fistedly and only demonstrates massive reading comprehension issues.
Look out for big words like 'usually' and real long difficult phrases like 'of whoever I'm replying to'. If you need it spelled out, it was your *sig* I looked at, and made me check the pare--- how can you possibly need this explained?
Re: (Score:2)
I don't think you find this entertaining, but I do see how pretending I'm trying to troll you is the only way to avoid confronting yourself with your own stupidity. Way to bullshit yourself.
Re: (Score:2)
So fulfilling, you imagine being stalked on slashdot and start wading through my comments (I suppose the irony is lost on you here) to count how many are replies to yours.
You being happy I have absolutely no issues believing -- that's actually pretty common (see that other guy here with that "Happiness in intelligent people is the rarest thing I know" quote in his sig.). One might think it'd be depressing to be stupid, but (as seems to be the case with you too) stupid people tend to not realize they're stu
Re: (Score:2)
So fulfilling, you imagine being stalked on slashdot and start wading through my comments (I suppose the irony is lost on you here) to count how many are replies to yours.
I wouldn't really say I waded through them, I didn't even get through the first page. Keep deluding yourself. I'm not the one who has nothing better to do than follow after people on the internet to tell them I think they're stupid.
Re: (Score:2)
Interesting that Microsoft hasn't fixed this problem... but then, it's Microsoft.
Maybe they thought that the malware people weren't smart enough to use PowerPoint.
(I assume that this doesn't work in LibreOffice or OpenOffice or on OSX or Linux... just the lucky stupid Windows users.)
End user training. (Score:2)
So, I receive a suspicious email, which I need to click on to open.
And before that, you need to click on your browser or e-mail client.
And before that, you need to click to log into the computer.
And before that, you need to push the physical power button.
Zero-click malware. Meh.
Except that random joe 6 pack user...
...does click on any e-mail, because that's what they are used to.
...also recognizes PowerPoint file as one of the few "safe" attachment that they can open.
In other words: all the clicks that a normal user will accomplish in this infection are normal regular action that they do on an ev
Re: (Score:2)
Yes, but how is this new. I.e. NEWSworthy?
"Invoice" trojans are hardly anything that has never been seen before. From "invoice.exe.pdf" to macro virus in Word and Excel files. The new part is, essentially, that you now ALSO have to hover over a link.
Re: (Score:2)
Yeah, let me see how coherent you are before you had your first coffee... but you're right, of course.
Joe six pack should buy a Mac (Score:2)
problem solved
Re: (Score:2)
By that standard, all malware is zero click.
Re: (Score:2)
So, compared to the Word-Macro trojans, where it's enough to just open a file, you now have to hover the mouse over a link after opening it for infections to happen?
Re: (Score:2)
Oh, don't forget to allow powershell scripts to run.
Re: (Score:1)
The week that happened was hell for us. We shutdown Exchange then for weeks afterwards we had infections still sporadically happening as people opened Outlook on machines they didn't use often. We lost about a 1/4 of our customers because email was down and our phone lines slammed.
"Infects without clicking"? (Score:5, Insightful)
The PowerPoint file has a single hyperlink in the center that says "Loading... please wait" that has an embedded malicious PowerShell script.
Sooo...the file opens itself without clicking, too? Or how exactly does that work?
Re:"Infects without clicking"? (Score:5, Informative)
Sooo...the file opens itself without clicking, too? Or how exactly does that work?
Slashdot is run by morons who specialize in click-bait headlines. That's how it works.
Re: "Infects without clicking"? (Score:2)
Nobody clicks to RTFA, not even the editors, so I suppose the answer is, "probably."
Re: (Score:2)
Or... not, because no browser does that. Not even IE.
Re: (Score:2)
For your convenience, that file will be mailed to you.
Easy fix.... (Score:1)
.... don't use Microsoft crap... ever. Really. And if you have to at work, so be it, but don't use it on your home devices.
Re: (Score:2)
That would be nice... but the VPN software I use to access work from home is only free to me for Windows :\
They actually have mac and Linux clients, but I have to pay $300+ for them (I know some Linux and mac diehards that did). Screw that, I can run Windows in a VM for far cheaper.
Re: (Score:2)
Your job is in the accounting department. It's your job to open invoices and pay them. What would be suspicious about an invoice coming to accounting?
Re: Easy fix.... (Score:2)
That it is a PowerPoint file and requests that you trust it.
I am not omnipresent, but I've never seen an invoice in PPT. That alone would probably make me think twice, and exercise some caution. Well, no... I probably wouldn't much care, but that's because I don't use Windows. If I did, I'd probably be pretty cautious and may just delete the email without opening the attachment and would then email the sender asking them to submit their invoice in something more sane than a PowerPoint document.
Re: (Score:3)
In the real world, people do all kind of "inappropriate" things such as send invoices as ppt, xls, doc and docx, spreadsheets as pdf, ppt, etc.
In the real world, people are busy just trying to get their work done and dealing with clowns doing the wrong thing is just a speed bump.
Re: Easy fix.... (Score:3)
As stated, I'd probably just delete it and send an email to the sender, asking them to submit their invoice again and asking that they do so in a sane format. If nothing else, in this case, it'd probably confirm that the person claimed to be the sender has no idea what the missive is actually about.
However, I'd not be even a little surprised to find out that someone has, for whatever reason, composed their invoice in PPT. And yes, yes I am near certain that I'd delete it and request a saner format. I am tem
Re: User Friendly Features (Score:3)
Linux is, by default, more secure than the Windows OS used to be. Microsoft has come a long ways, with regards to security. Linux uses permissions, meaning that things like applications don't get installed without some effort on the part of the user. A user account is also limited in accessing files that it doesn't have ownership of. Things like system files can not, easily, be modified by the user - unless the user makes a specific effort to do so. Windows didn't even have permissions, for quite some time.
Powerpoint (Score:1)
Who would have guessed? PowerPoint files don't open without clicking.
This just in... (Score:5, Insightful)
Opening suspicious files is still dangerous.
Who woulda thought?
As others have pointed out, this "no click" malware requires you to download and open a malicious powerpoint file, and then hover over the link contained in the file before it can infect you.
If anything, this seems far LESS of a risk than many other attack vectors that also require opening malicious file attachments in email. (usually opening the installer itself instead of a powerpoint file)
That said, WTF PowerPoint? Who makes a mouseover capable of downloading and installing something? C'mon guys, how stupid do you have to be to allow this sort of behaviour in your file format?
Re: (Score:2)
Microsoft is the company which is stupid enough to allow a mouseover to download and install software.
You don't have to ask how stupid Microsoft is.
And protected view (Score:2)
Clickbait article does mention that "newer" office versions may offer yet another barrier to infection. However, it conveniently omits to mention that the feature which prevents the script from running even if you view the file in Powerpoint is called Protected View, and has been available and enabled by default since Office 2010 [office.com] !!!
When downloading files through a browser or receiving them through an email client, the file is "tainted" with a zone identifier that indicates that the file has been received fr
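The zone identifier the poster refers to lives in an NTFS alternate data stream named Zone.Identifier (the "mark of the web") with an INI-style [ZoneTransfer] section; Office reads it before deciding whether to open the document in Protected View. The following added example, not Microsoft's code and not part of the post, parses that stream and reports the decision. The sample stream text is constructed, and the rule that ZoneId 3 (Internet) and 4 (Restricted sites) trigger Protected View while 0 to 2 do not is stated as an assumption of this example.

```python
"""Read and interpret the Zone.Identifier alternate data stream ("mark of the
web") that Office consults before choosing Protected View.

Added example, not Microsoft's code. The sample stream below is constructed.
Assumption: ZoneId 3 (Internet) and 4 (Restricted sites) put a file into
Protected View; zones 0-2 are treated as trusted here.
"""

ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}
PROTECTED_VIEW_ZONES = {3, 4}

# Constructed sample of what the stream of a mail attachment typically holds.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://mail.example.invalid/\r\n"
    "HostUrl=https://mail.example.invalid/attachment/invoice.ppsx\r\n"
)


def parse_zone_identifier(text):
    """Parse the [ZoneTransfer] section into a dict; ZoneId becomes an int.
    Returns {} when the section is absent."""
    info = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            info[key.strip()] = value.strip()
    if "ZoneId" in info:
        try:
            info["ZoneId"] = int(info["ZoneId"])
        except ValueError:
            pass  # leave the raw string; opens_in_protected_view treats it as unknown
    return info


def opens_in_protected_view(info):
    """True when the parsed zone would make Office open the file read-only."""
    zone = info.get("ZoneId")
    return isinstance(zone, int) and zone in PROTECTED_VIEW_ZONES


def describe(info):
    """Human-readable verdict for a parsed stream (or {} for an unmarked file)."""
    zone = info.get("ZoneId")
    name = ZONE_NAMES.get(zone, "unknown") if isinstance(zone, int) else "no mark"
    verdict = "Protected View" if opens_in_protected_view(info) else "opens normally"
    return f"zone={zone} ({name}): {verdict}; host={info.get('HostUrl', '-')}"


def read_zone_identifier(path):
    """Read the stream from an NTFS file on Windows via the path:stream syntax.
    Returns None when the file carries no mark (or the host has no ADS support)."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    print(describe(parse_zone_identifier(SAMPLE_STREAM)))
    print(describe(parse_zone_identifier("[ZoneTransfer]\nZoneId=2\n")))
    print(describe({}))
```

A file that has lost its mark, for instance because it was extracted from an archive by a tool that does not propagate the stream or was copied to a FAT volume, comes back as "no mark" and opens without Protected View; that gap, not the hover trick itself, is what an incident responder should check first on an affected workstation.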
Re: (Score:3)
...how stupid do you have to be to allow this sort of behaviour in your file format?
Who's stupider: the company that continuously and intentionally programs severe defects into its products, or the people who continuously and intentionally lock themselves into those products despite knowing this?
Re: (Score:2)
I'm not defending the users either, but I don't see it changing as long as software companies are not held responsible for their actions.
Re: (Score:2)
Everybody on /. knows that. Each single person on /. is aware of that. However not everybody is on /.
And yet the article is on Slashdot, so it seems unlikely that it being here will have much effect on those who are not.
Also, had you actually read my comment, you'd notice that I'm not blaming the victims, I'm blaming Microsoft for making such an idiotic decision, while at the same time stating that this particular issue is no worse (and probably much less dangerous) than the normal attack vector of simply sending the victim an installer file in the first place. After all, if they're going to click on a sus
Re: (Score:2)
Allowing an event to be captured, and allowing it to download and install software are two very different things.
Friends don't let friends... (Score:3)
Friends don't let friends install Microsoft Office.
Seriously - once you've got someone to open anything in MS Office, the scripting allowed in those formats means that few vulnerabilities are a very large surprise. That, and if you've ever had to work for a client that demands a large degree of Office interop or automation, you become acutely aware of how messy those formats have become over the years.
Don't get me wrong, in 'friendly' settings, it's got a nice set of features, and there's a reason that many folks allow their careers to be tied into it - but it's not a tool you want anything internet-related to connect to in any way, if you can help it. You're potentially handing over the keys to your computer when you open any of those formats from a potentially unfriendly source.
At least lock it behind a virtual system if you're going to open anything from the random internet.
Ryan Fenton
Re: (Score:2)
Friends don't let friends install Microsoft Office....
Back in the beginnings of Windows, I was always of the opinion that Microsoft was more interested in features and less interested in security. iow, new features = worth the investment, new security = not worth the investment. I would have thought that Microsoft would at least know better by now. But it still appears they do not.
Re: (Score:2)
Friends don't let friends install Microsoft Office.
No one installs office. They buy computers with it pre-installed or get given them through work.
Small wonder (Score:2)
I don't have a mouse I have a track-pad on one machine and one with a clitoris stick.
It's a good day (Score:1)
It's a good day to own a Mac!
Re: (Score:2)
Does it work with PowerPoint for Mac, available from the App Store?
Windoze duh (Score:3, Insightful)
Smells like Windoze crap to me. Linux and BSD are the fixes for this.
Re: (Score:3, Insightful)
I wish people would stop posting that. There is nothing technical about Linux to prevent exactly the same thing from happening. The reason it doesn't happen as much on Linux is because Linux users are usually more technically proficient, haven't demanded "auto-run" features all over the place, and don't fall for phishing attacks nearly as often.
If Linux saw the infusion of technical illiteracy that Windows has had, all these things would be happening to Linux too, because the market would demand endless sim
Re: (Score:1)
"... nothing technical about Linux to prevent exactly the same thing from happening."
Except that Linux has a robust security framework which will prevent it from installing random stuff in an email attachment whereas Windows is just crap.
Re: Windoze duh (Score:2)
You'd never get past the permission which would prevent this stupidity.
Re: (Score:2)
BSD is malware. I installed it once and all my games stopped working. Like completely stopped! I couldn't even double click the exe. No crash, nothing. They just wouldn't even launch.
Never again!
No clicks? Sure... (Score:3)
If you're using an Office product older than Office 2010.
Since then you need to click "Enable" or "Enable All (not recommended)" on the security prompt to allow the script to run.
So yes, no clicks if you're using Office 2007 or earlier.
So, better than usual... (Score:2)
Most MS Office exploits I remember would run as soon as you opened the file. It's nice to see that Microsoft have managed to get their security to the point where it is at least necessary to interact with the file once opened to trigger the exploit...
Re: (Score:3)
Seriously, you have to open the file AND hover over the link?
No
You have to open the file, hover over the link AND click the appropriate button on the Protected View security prompt.
I guess you could avoid the click by tabbing off the "Disable" button then using space or enter. Or if you have a touch screen you could tap one of the enable buttons.