Has the “Sandworm” zero-day exploit burrowed back to the surface?

You’ve probably heard of Sandworm.

That’s the somewhat sneakily misnamed vulnerability (it’s not actually a worm) that made headlines mid-way through October 2014.

Technically, Sandworm was a zero-day, because it was apparently seen in a real-world targeted attack before it was fixed by Microsoft.

Officially, it was dubbed CVE-2014-4114, and patched in Bulletin MS14-060 of Microsoft’s October 2014 Patch Tuesday.

How Sandworm worked

The attack relied on .PPTX (PowerPoint) files that contained embedded OLE content.

OLE, short for Object Linking and Embedding, is a long-serving Microsoft technology for packaging files such as text, images and even programs into a container file, a bit like a special-purpose ZIP file or tarball.

In the attack, the .PPTX file was used to deliver an OLE container that linked to what seemed to be a .GIF image and an .INF file.

INF is the Windows extension given to a special sort of information file used during software setup.

The .GIF file was, in fact, an .EXE (program) file renamed to make it look like a harmless image, something you might expect to find referenced in a presentation.

The exploit tricked PowerPoint into delivering these files onto your hard disk without warning.

As undesirable as this might sound, there should have been no immediate danger: the .GIF ought simply to have sat there as a harmlessly inert BLOB of data.

But the attackers found that they could “execute” the .INF file, too. (INFs act as scripts, though without the general power of batch files or PowerShell programs.)

They couldn’t launch the malware directly, but they could get it to run indirectly.

Using the .INF file, they renamed the .GIF back into a regular program, and added a value under the registry's RunOnce key so that Windows would fire up the malware the next time you logged on.

A bit of a roundabout route, to be sure, but perfectly effective for an attacker with a modicum of patience.
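As an added illustration (this is not code from the original article, nor a Sophos tool), here is a small Python triage script that looks for the ingredients described above inside a .PPTX file. A .PPTX is just a ZIP of XML parts, so the script reads each slide's relationships file, reports OLE objects that are linked to an external location rather than embedded, and scans embedded objects for the tell-tale strings of an INF setup script, of a PE executable, and of a Run/RunOnce registry key. The string markers are heuristics, not a full OLE/Packager parse, and the sample presentation, host name, share name and file names are constructed for the example.

```python
import io
import posixpath
import zipfile
from xml.etree import ElementTree as ET

# OOXML relationship namespace and the relationship type PowerPoint uses for OLE objects.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# Substring heuristics (assumptions, not a full OLE/Packager parse): INF scripts open with a
# [Version] section and a $CHICAGO$ signature, PE files carry the DOS-stub message, and the
# persistence trick in the article lives under the registry's Run/RunOnce keys.
INF_MARKERS = (b"[version]", b"$chicago$")
EXE_MARKERS = (b"this program cannot be run in dos mode",)
RUNONCE_MARKERS = (b"currentversion\\runonce", b"currentversion\\run")


def _embedding_path(rels_part: str, target: str) -> str:
    """Resolve a relationship Target relative to the slide part that owns the .rels file."""
    source_dir = posixpath.dirname(posixpath.dirname(rels_part))  # ppt/slides/_rels -> ppt/slides
    return posixpath.normpath(posixpath.join(source_dir, target))


def triage_pptx(data: bytes) -> dict:
    """Return the suspicious OLE indicators found in a .pptx (a ZIP of XML parts)."""
    findings = {
        "external_ole_links": [],  # (rels part, target) for linked rather than embedded objects
        "inf_embeddings": [],      # embedded objects that look like INF setup scripts
        "exe_embeddings": [],      # embedded objects that look like PE executables
        "runonce_embeddings": [],  # embedded objects that mention Run/RunOnce keys
    }
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for part in sorted(names):
            if not (part.startswith("ppt/slides/_rels/") and part.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != OLE_REL:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External":
                    findings["external_ole_links"].append((part, target))
                    continue
                emb = _embedding_path(part, target)
                if emb not in names:
                    continue
                blob = z.read(emb).lower()
                if any(m in blob for m in INF_MARKERS):
                    findings["inf_embeddings"].append(emb)
                if any(m in blob for m in EXE_MARKERS):
                    findings["exe_embeddings"].append(emb)
                if any(m in blob for m in RUNONCE_MARKERS):
                    findings["runonce_embeddings"].append(emb)
    return findings


def is_suspicious(findings: dict) -> bool:
    return any(findings.values())


# Constructed sample: one slide links an OLE object to a made-up remote share and embeds an
# INF that renames the "image" and sets RunOnce, plus an executable named like a GIF. The
# INF is a fragment for the scanner to find, not a working installer.
MALICIOUS_RELS = rb"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="\\10.0.0.1\share\slide1.gif" TargetMode="External"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="../embeddings/oleObject1.bin"/>
<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="../embeddings/oleObject2.bin"/>
<Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="../media/image1.png"/>
</Relationships>"""
CLEAN_RELS = rb"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="../media/image1.png"/>
</Relationships>"""
SAMPLE_INF = b"""[Version]
Signature="$CHICAGO$"
[DefaultInstall]
RenFiles=Rename
AddReg=Persist
[Rename]
payload.exe,slide1.gif
[Persist]
HKLM,"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce","Install",,"%1%\\payload.exe"
"""
SAMPLE_EXE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 16 + b"slide1.gif\x00"


def build_sample_pptx(malicious: bool = True) -> bytes:
    """Build a minimal in-memory .pptx; only the parts the triage reads are populated."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/slides/slide1.xml", "<sld/>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels", MALICIOUS_RELS if malicious else CLEAN_RELS)
        if malicious:
            z.writestr("ppt/embeddings/oleObject1.bin", SAMPLE_INF)
            z.writestr("ppt/embeddings/oleObject2.bin", SAMPLE_EXE)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_pptx(build_sample_pptx())
    for key, hits in result.items():
        print(f"{key}: {hits}")
    print("verdict:", "SUSPICIOUS" if is_suspicious(result) else "clean")
```

Run it against real files with `triage_pptx(open(path, "rb").read())`. An embedded spreadsheet or chart will show up as an oleObject relationship too, but is not reported unless its bytes match one of the markers; a linked (External) OLE object is always reported, because a presentation that pulls objects from a network share is worth a second look regardless of what it claims to contain.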

Sandworm returns

If you followed the original Sandworm story, you probably noticed that Microsoft published Security Advisory 3010060 on 21 October 2014 for a vulnerability called CVE-2014-6352.

This advisory is entitled “Vulnerability in Microsoft OLE Could Allow Remote Code Execution,” just like the Sandworm bulletin issued on Patch Tuesday.

This raises the question, “Isn’t this the same thing that was already patched?”

The answer, if you will pardon what sounds like prevarication, is, “Yes and no.”

It seems that the MS14-060 patch doesn’t close all possible ways of devising a “Sandworm” attack, so Microsoft’s new advisory provides additional protection against PowerPoint-INF-and-GIF cocktail attacks.

You can apply the extra protection by means of what Microsoft calls a Fix it, a temporary patch that can be added (and removed, just in case you have problems with it) simply by clicking a button on the relevant web page.

Unfortunately, the Fix it doesn’t work if you have the 64-bit version of PowerPoint on Windows 8 or Windows 8.1, but all other combinations are protected.

→ Strictly speaking, 64-bit PowerPoint on 64-bit Server 2012 versions can’t be protected this way either. But that’s a moot point, because you don’t have Office installed on your servers, do you?

As far as we can tell, Sophos products will block many, if not most, Sandworm-based attacks proactively, detecting them as Troj/20144114-A.

That detection identity was released around the time of the October 2014 Patch Tuesday.

We have also published additional protection as Troj/20146352-A to deal with possible modifications of the original attack that might sneak past both MS14-060 and Troj/20144114-A.

What to do?

In point form, here is what you need to know:

  • The “Sandworm” hole is mostly patched by Microsoft, but the new Fix it will provide additional safety for many users.
  • Anti-malware products should be able to block PowerPoint files that are crafted to exploit this vulnerability.
  • Email and web filtering products can help you protect your users from PowerPoint files from unexpected or untrusted sources.
  • Don’t blindly trust PowerPoint files from people you don’t know, even if they sound important because they claim to be undelivered courier items or wrongly-billed invoices.
  • Consider using Application Control to minimise the software that can be installed and used on your servers, in order to limit your attack surface.
