The “Sandworm” malware – what you need to know

Thanks to Gabor Szappanos of SophosLabs for his work on this article.

You may have heard or seen mention of the latest catchily-named malware attack: “Sandworm.”

The name is rather dramatically borrowed from the famous 1960s science fiction epic Dune, where it refers to a sort of worm-like creature, hundreds or even thousands of metres long and as good as indestructible except with nuclear weapons.

In the current context, the name applies to a strain of malware, announced with fanfare by a security company that claims to have seen it used recently in the wild in targeted attacks.

These attacks are said to have been “used in [a] Russian cyber-espionage campaign targeting NATO, European Union, Telecommunications and Energy sectors.”

The attack relies on a vulnerability in Windows known as CVE-2014-4114, patched in Bulletin MS14-060 of Microsoft’s October 2014 Patch Tuesday.

That makes the attack used by Sandworm a so-called zero-day exploit, because the vulnerability was first exploited before a patch was available.

→ The terminology “zero day” refers to the fact that there were zero days that you could have been patched in advance.

Combine a zero-day exploit and claims of Russian espionage with a catchy name and an all-devouring logo and you have a magnetic-sounding story.

Fortunately, the Sandworm malware is a lot easier to deal with than its interplanetary annelid namesake.

In fact, in malware terms, it’s not a worm at all.

Here’s what you need to know.

How Sandworm arrives

The malware travels in a Powerpoint file that refers to an .INF file, where INF is the Windows extension given to a special sort of information file used during software setup.

INF files were once a fruitful vehicle for malware authors, thanks to a special file named AUTORUN.INF that could be used on removable drives such as USB memory sticks to specify a program that would run automatically when the drive was plugged in.

AUTORUN.INF files are no longer allowed to run programs automatically, however, so that risk has as good as vanished.

But INF files can still be used for installation-oriented tasks such as putting files into place (and optionally renaming them), and setting entries in the registry.

That’s enough to install malware that will run later on, even if it’s not sufficient to infect your computer right away.

How Sandworm works

In the Sandworm attack, the malicious Powerpoint file that kicks things off actually refers to an INF file with a remote filename, using a UNC path.

→ UNC paths are those special Windows filenames that include a server name, not just a drive letter and a directory name, such as \\SERVER\SHARE\FILE.TXT for servers on your own network, or \\\REMOTE.DAT for a file located by IP number.

Windows is supposed to block applications like Powerpoint from sucking in and launching external files in this way, for obvious security reasons, but the Sandworm attackers found, or at least acquired, a vulnerability that made it possible anyway.

In the attack, the malicious Powerpoint file pulls in two files from a remote server that combine to deliver the malware payload.

The files have the innocent-looking names slides.inf and slide1.gif, as though they were part of the presentation itself.

But slide1.gif is actually an executable (program) file, and slides.inf is an installer file that renames slide1.gif to slide1.gif.exe before adding a registry entry that will run the offending program when you next logon.

In other words, even without the ability to run a program directly, the Powerpoint-INF-and-GIF cocktail is enough to install a program that will run later on.

Even though the malware itself is not embedded inside the malicious Powerpoint file, it is fetched in what is often called a drive-by install – one that happens without any pop-up dialog or warning that would let you stop it by choice.

What to do?

Unlike the sandworms of the desert planet Arrakis in the Dune saga, you don’t need high explosives, or disk-wiping tools, to counteract this threat.

Applying Microsoft’s MS14-060 patch will close the hole on which this vulnerability relies.

Additionally, security products can:

  • Identify booby trapped files that exploit the vulnerability, thus preventing them from opening in the first place.
  • Block the “call home” traffic used in known attacks in order to prevent payload code or data from being retrieved, even on unpatched computers.

Sophos products detect and block “Sandwormed” Powerpoint files as Troj/20144114-A. The slide1.gif malware file referred to above is blocked as Mal/Generic-S. The servers used in the “call home” of the attack are also blocked to prevent the download of any other malware that might be published there.