Sudoku and malware with your coffee?

Filed Under: Featured, Malware, SophosLabs

A little Sudoku for youAs the end of the year approaches and things calm down around the office, what better way to while away a few minutes than with a harmless Sudoku?

Perhaps not so harmless if it's the Microsoft Excel based Sudoku generator spreadsheet that arrived in SophosLabs recently.

This spreadsheet hides a nasty secret: it contains malware.

However, rather than rely on a vulnerability to install the malware, it uses sleight-of-hand instead.

Microsoft Office includes the powerful programing language Visual Basic for Applications, accessible from Office documents as macros.

Back in the 1990s, macros were the weapon of choice for cybercriminals. Microsoft responded by disabling macros by default, all but killing off the macro malware threat.

But macros are still in common use, and the trick used here is quite simple: if you want to generate a puzzle to solve, you have to enable macros.

It sounds perfectly reasonable, doesn't it? Generating Sudoku puzzles requires a program; to run the program requires macros.

The attackers even provide simple instructions to help you turn macros back on:

Once those pesky security measures are bypassed you can solve as many Sudoku as you like.

Of course, in the background a rather less amusing macro is installing and running some malware.

The installed malware gathers system information using some standard commands: ipconfig to get network information, tasklist for a list of all the programs and services you are running, and systeminfo to find out about your hardware, operating system and patches.

A bowdlerised 'sysinfo' output

The snooped data, which probably reveals more than you'd like about your computer, is then encoded and mailed out to an aol.com address.

If you still have some coffee left to drink after reading this, here's an example of a Sudoku puzzle generated by the spreadsheet used in this attack.

Malware-free of course.

Try this Sudoku for size...

Thanks to Peter Szabo from SophosLabs in Vancouver for uncovering this curious "blast from the past".

Sophos Anti-Virus on all platforms blocks this malware as follows:

WM97/ExeDrop-G: The malicious Sudoku-making spreadsheet
Troj/DwnLdr-KLI: The Windows malware dropped by the above


, , , , ,

You might like

5 Responses to Sudoku and malware with your coffee?

  1. How odd, malware that actually does what it claims to. The generated sudoku is perfectly valid. Still, it's hardly worth the infection when there are perfectly clean sudokus available all over the web.

  2. Seth.D · 619 days ago

    I'd genuinely like a not-malware version of this spreadsheet. I'm a pretty big sudoku fan. :D

    • Cecilia L · 610 days ago

      Me too Seth. If you're a FaceBooker, they have a pretty cool one where you can play against other people... SudokuCombat. Check it out.

  3. Anonym0u5 · 619 days ago

    Is this a targeted attack?

  4. Mark · 612 days ago

    Soon it will be even worse as the new Office allows applications to be embedded in the spreadsheets and word docs that are sent to you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Richard manages SophosLabs' operations in the United States. His principal security interests are endpoint security and user education. When he's not worrying about digital perils he enjoys singing, much to the distress of his cat, whose name does not feature in any of his passwords.