When is a password not a password? When Excel sees “VelvetSweatshop” [VIDEO]

Boobytrapped Excel fileOver the last few months, I’ve spent a significant proportion of my time researching the CVE-2012-0158 vulnerability.

I’m glad to say that that research has paid off, and I will be presenting a technical paper at the Virus Bulletin conference in Berlin, later this year.

The paper, “Between an RTF and OLE2 place: an analysis of CVE-2012-0158 samples”, will be a summary of my research so far into the threat.

One of the issues in detecting CVE-2012-0158 samples is that the delivery mechanism can be RTF, Word or Excel files.

Word and Excel files can be password-encrypted, meaning that it can be harder for an anti-virus scanning engine to see the malicious code.

The problem the attackers have, of course, is that they not only have to trick users into clicking on the attachment with social engineering, but also need to dupe their potential victims into entering a password.

With Excel, however, there is another method and that is to save the boobytrapped file as “Read Only”.

“Read Only” applies the same encryption method and uses a default password chosen by the Microsoft programmers: “VelvetSweatshop”.

Here is a short video showing how malware can use this default Excel password in its attempt to infect unsuspecting computer users.

(Enjoy this video? Check out more on the SophosLabs YouTube channel.)

If you would like to know more about the CVE-2012-0158 vulnerability then I urge you to attend the Virus Bulletin conference later this year. While you are there you can also listen to and meet other experts from Sophos:

My SophosLabs colleagues Numaan Huq and Peter Szabo also have a reserve paper at the conference: “Trapping unknown malware in a context web”.

A strong showing for the SophosLabs experts at this year’s Virus Bulletin conference, I’m sure you will agree. We look forward to meeting many of you in Berlin.