A low-risk exploit embedded in a PowerPoint attachment is raising eyebrows at CA, whose executives this week predicted it could be a sign of attacks to come. This week CA released an advisory warning about Win32/Okupok.B, a trojan known to be delivered via a specially crafted PowerPoint document. The company is also tracking a similar trojan, Win32/NithSys, which was previously thought to be unrelated but is actually a variant of Okupok. Both trojans exploit the Microsoft Office remote code execution vulnerability triggered by a malformed routing slip.
"It is not yet linked to other ways of delivering these things, so it is not yet built into a worm or on a massive scale," said Sam Curry, CA vice president of security management, about the trojan. "But these are embedded into PowerPoint and they are taking advantage of vulnerabilities in the system."
In the future, more aggressive attacks exploiting this vulnerability could be considerably more damaging. For now, the offending PowerPoint file must be deliberately passed on by the recipient for the trojan to spread. But if the malware were equipped with a mass-mailer component or a Simple Mail Transfer Protocol (SMTP) engine, it would pose a greater threat, Curry said.
"The reason that this could be an indicator of things to come is if it were combined with other techniques as well and it were more aggressively pushed, then it could potentially be something that is used to improve the success of one of these attacks," Curry said. "I wouldn't be surprised if this started popping up as a standard way of doing things."
Curry said this current method of exploiting the routing slip vulnerability may be the bad guys' way of testing their code.
"It's following the typical pattern of new targets for vulnerability exploits - in this case PowerPoint. In the wild, we have it graded as a low. The pervasiveness is virtually nil," he said. "But as I've seen with these before, things that come in low on the radar like this are almost a test to see how effective they are. It is like testing new ammunition; it hasn't been combined with the gun yet."