When is a password not a password? When Excel sees "VelvetSweatshop" [VIDEO]

Filed Under: Featured, Malware, Security threats, SophosLabs, Video, Vulnerability

Boobytrapped Excel fileOver the last few months, I've spent a significant proportion of my time researching the CVE-2012-0158 vulnerability.

I'm glad to say that that research has paid off, and I will be presenting a technical paper at the Virus Bulletin conference in Berlin, later this year.

The paper, "Between an RTF and OLE2 place: an analysis of CVE-2012-0158 samples", will be a summary of my research so far into the threat.

One of the issues in detecting CVE-2012-0158 samples is that the delivery mechanism can be RTF, Word or Excel files.

Word and Excel files can be password-encrypted, meaning that it can be harder for an anti-virus scanning engine to see the malicious code.

The problem the attackers have, of course, is that they not only have to trick users into clicking on the attachment with social engineering, but also need to dupe their potential victims into entering a password.

With Excel, however, there is another method and that is to save the boobytrapped file as "Read Only".

"Read Only" applies the same encryption method and uses a default password chosen by the Microsoft programmers: "VelvetSweatshop".

Here is a short video showing how malware can use this default Excel password in its attempt to infect unsuspecting computer users.

(Enjoy this video? Check out more on the SophosLabs YouTube channel.)

If you would like to know more about the CVE-2012-0158 vulnerability then I urge you to attend the Virus Bulletin conference later this year. While you are there you can also listen to and meet other experts from Sophos:

My SophosLabs colleagues Numaan Huq and Peter Szabo also have a reserve paper at the conference: "Trapping unknown malware in a context web".

A strong showing for the SophosLabs experts at this year's Virus Bulletin conference, I'm sure you will agree. We look forward to meeting many of you in Berlin.


, , , , , ,

You might like

7 Responses to When is a password not a password? When Excel sees "VelvetSweatshop" [VIDEO]

  1. It_Guy · 370 days ago

    That was really cool AND informative. Thank you for the article!

  2. njorl · 369 days ago

    A negative consequence of digital rights management.

  3. Steve · 368 days ago

    Excellent work, thanks for sharing!

  4. omri · 367 days ago

    is that "eDoc" app available for download, or is it only for internal use by Sophos researchers?

  5. yuhong · 365 days ago

    This bug is actually in an ActiveX control (originally shipped with VB6 BTW), and I wonder if attacks via say IE are possible.

    • Paul Baccas · 365 days ago

      We haven't seen this vulnerability exploited via IE but theoretically it is possible.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos to pastures new and will be writing as an independent malware researcher. Paul has: published several papers, presented at several Virus Bulletins and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the NakedSecurity blog.