Ancalog – the document exploit tool that makes cybercrime easy

SophosLabs principal researcher Gábor Szappanos, better known as Szappi, has featured in Naked Security articles many times before.

His contributions are always highly recommended because he has the knack of digging into the whole story, with the result that his papers are accessible and useful to anyone with an interest in malware and cybercrime.

If you’re a techie, you’ll find in Szappi’s papers the technical detail you’re after; if you’re a sysadmin or a security officer, you’ll get useful insights into how cybercriminals evolve and adapt in real life.

Even if you aren’t an IT expert yourself, you’ll enjoy the word pictures of the cyberunderworld that Szappi paints.

Better yet, you’ll end up better able to protect yourself, thanks to the way Szappi explains the topics he’s discussing.

So, we hope you enjoy his latest paper, quizzically entitled Ancalog – the vintage exploit builder.

Ancalog, or the Ancalog Multi Exploit Builder, to give its full name, is an example of what you might call an artisan niche in cybercrime.

Ancalog is cheap by cybercrime standards: if you know where to look, you can buy the entry-level kit for $49, or pay $290 for the full version. (Or, in a fit of dishonour among thieves, you can get hacked versions for much less.)

Once you’ve bought it, you can take your malware samples, whatever they might be, and package them automatically into booby-trapped documents ready for spamming out.

If you’re familiar with ransomware, you’ll know that most ransomware attacks these days rely on files such as JavaScript programs disguised as documents, or real documents that contain so-called macros, embedded programs that won’t run by default.

In other words, many ransomware attacks can be thwarted simply by avoiding anything that seems out of order.

JavaScript files should never arrive by email, so you should never need to open one in the usual course of business; if someone sends you any JavaScript file disguised as a document, you can assume they are out to get you.

Likewise, documents that have embedded macros need to persaude you to enable the macro feature in Microsoft Office, which means deliberately dropping your security for a document about which you know only one thing for sure: that you don’t have any reason to trust it.

That’s why Ancalog uses what are called exploits instead: deliberately mis-constructed files that automatically trigger bugs in Office, or perhaps underlying bugs in Windows itself.

Why use exploits?

Exploits of this sort are active booby-traps, rigged up so that just opening the document – and it really is a document file, not a misnamed executable or JavaScript program – is enough for the crooks to take over and implant malware of their choice.

Szapi explains:

  • Where Ancalog comes from.
  • How it works, and how Ancalog doubles its chances of success.
  • The niche it’s built for itself amongst Russian and Nigerian cybergangs.
  • What Ancalog’s “customer crooks” are doing with it.
  • How to deal with it.

Read the paper now for a fascinating insight into how malware tools like Ancalog are helping crooks who aren’t technically savvy to leap headlong into cybercrime…