Over the last few months, I’ve spent a significant proportion of my time researching the CVE-2012-0158 vulnerability.
I’m glad to say that that research has paid off, and I will be presenting a technical paper at the Virus Bulletin conference in Berlin, later this year.
The paper, “Between an RTF and OLE2 place: an analysis of CVE-2012-0158 samples”, will be a summary of my research so far into the threat.
One of the issues in detecting CVE-2012-0158 samples is that the delivery mechanism can be RTF, Word or Excel files.
Word and Excel files can be password-encrypted, meaning that it can be harder for an anti-virus scanning engine to see the malicious code.
The problem the attackers have, of course, is that they not only have to trick users into clicking on the attachment with social engineering, but also need to dupe their potential victims into entering a password.
With Excel, however, there is another method and that is to save the boobytrapped file as “Read Only”.
“Read Only” applies the same encryption method and uses a default password chosen by the Microsoft programmers: “VelvetSweatshop”.
Here is a short video showing how malware can use this default Excel password in its attempt to infect unsuspecting computer users.
(Enjoy this video? Check out more on the SophosLabs YouTube channel.)
If you would like to know more about the CVE-2012-0158 vulnerability then I urge you to attend the Virus Bulletin conference later this year. While you are there you can also listen to and meet other experts from Sophos:
- Rowland Yu –
GinMaster : a case study in Android malware
- Vanja Svajcer and Sean McDonald –
Classifying PUAs in the mobile environment
- and NakedSecurity’s own Graham Cluley and Bob Burls –
Operation Crossbill: How the police cracked an international malware gang
My SophosLabs colleagues Numaan Huq and Peter Szabo also have a reserve paper at the conference: “Trapping unknown malware in a context web”.
A strong showing for the SophosLabs experts at this year’s Virus Bulletin conference, I’m sure you will agree. We look forward to meeting many of you in Berlin.
7 comments on “When is a password not a password? When Excel sees “VelvetSweatshop” [VIDEO]”
That was really cool AND informative. Thank you for the article!
A negative consequence of digital rights management.
Excellent work, thanks for sharing!
is that "eDoc" app available for download, or is it only for internal use by Sophos researchers?
The version of eDoc used here was version 1.0 (copyright 2001-2002 eTree Inc) from www.etree.com.
This bug is actually in an ActiveX control (originally shipped with VB6 BTW), and I wonder if attacks via say IE are possible.
We haven’t seen this vulnerability exploited via IE but theoretically it is possible.