Sudoku and malware with your coffee?


A little Sudoku for you

As the end of the year approaches and things calm down around the office, what better way to while away a few minutes than with a harmless Sudoku?

Perhaps not so harmless if it’s the Microsoft Excel based Sudoku generator spreadsheet that arrived in SophosLabs recently.

This spreadsheet hides a nasty secret: it contains malware.

However, rather than rely on a vulnerability to install the malware, it uses sleight-of-hand instead.

Microsoft Office includes the powerful programming language Visual Basic for Applications, accessible from Office documents as macros.

Back in the 1990s, macros were the weapon of choice for cybercriminals. Microsoft responded by disabling macros by default, all but killing off the macro malware threat.

But macros are still in common use, and the trick used here is quite simple: if you want to generate a puzzle to solve, you have to enable macros.

It sounds perfectly reasonable, doesn’t it? Generating Sudoku puzzles requires a program; to run the program requires macros.

The attackers even provide simple instructions to help you turn macros back on:

Once those pesky security measures are bypassed you can solve as many Sudoku as you like.

Of course, in the background a rather less amusing macro is installing and running some malware.

The installed malware gathers system information using some standard commands: ipconfig to get network information, tasklist for a list of all the programs and services you are running, and systeminfo to find out about your hardware, operating system and patches.
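The reconnaissance step described above leaves a distinctive trace in process-creation logs: an Office application spawning ipconfig, tasklist and systeminfo within seconds of each other. The following detector is an added example written for this article, not Sophos code; the log format (timestamp|parent image|child image|command line), the sample lines and the two-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta
import ntpath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
RECON_TOOLS = {"ipconfig", "tasklist", "systeminfo"}
WINDOW = timedelta(minutes=2)   # assumed: the three commands normally fire within seconds
MIN_TOOLS = 2                   # two distinct recon tools from one Office parent is enough to alert

# Constructed sample log: timestamp|parent image|child image|command line
SAMPLE_LOG = """\
2012-12-19T10:01:02|C:\\Windows\\explorer.exe|C:\\Office14\\EXCEL.EXE|EXCEL.EXE sudoku.xls
2012-12-19T10:01:30|C:\\Office14\\EXCEL.EXE|C:\\Windows\\System32\\cmd.exe|cmd /c ipconfig /all
2012-12-19T10:01:31|C:\\Office14\\EXCEL.EXE|C:\\Windows\\System32\\cmd.exe|cmd /c tasklist
2012-12-19T10:01:33|C:\\Office14\\EXCEL.EXE|C:\\Windows\\System32\\cmd.exe|cmd /c systeminfo
2012-12-19T10:15:00|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd /c ipconfig
"""

def recon_tool(cmdline):
    """Return the recon tool named anywhere in a command line, or None."""
    for tok in cmdline.lower().split():
        name = ntpath.basename(tok.strip('"'))
        if name.endswith(".exe"):
            name = name[:-4]
        if name in RECON_TOOLS:
            return name
    return None

def find_macro_recon(log_text, window=WINDOW, min_tools=MIN_TOOLS):
    """Group recon commands by their Office parent (a real detector would key on the
    parent PID; here the parent image path stands in) and alert when at least
    `min_tools` distinct tools run within `window` of the first one."""
    by_parent = {}
    for line in log_text.splitlines():
        ts, parent, _child, cmdline = line.split("|", 3)
        if ntpath.basename(parent).lower() not in OFFICE_APPS:
            continue                      # only Office-spawned commands are interesting here
        tool = recon_tool(cmdline)
        if tool is None:
            continue
        when = datetime.fromisoformat(ts)
        entry = by_parent.setdefault(parent, {"first": when, "tools": set()})
        if when - entry["first"] <= window:
            entry["tools"].add(tool)
    return [{"parent": p, "tools": e["tools"], "first_seen": e["first"].isoformat()}
            for p, e in by_parent.items() if len(e["tools"]) >= min_tools]

if __name__ == "__main__":
    for alert in find_macro_recon(SAMPLE_LOG):
        print(alert)
```

The lone ipconfig launched from explorer.exe at the end of the sample is deliberately not flagged: the signal is the Office parent plus the cluster of commands, not any single command.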

A bowdlerised 'sysinfo' output

The snooped data, which probably reveals more than you’d like about your computer, is then encoded and mailed out to an address.

If you still have some coffee left to drink after reading this, here’s an example of a Sudoku puzzle generated by the spreadsheet used in this attack.

Malware-free of course.

Try this Sudoku for size...

Thanks to Peter Szabo from SophosLabs in Vancouver for uncovering this curious “blast from the past”.

Sophos Anti-Virus on all platforms blocks this malware as follows:

WM97/ExeDrop-G: The malicious Sudoku-making spreadsheet
Troj/DwnLdr-KLI: The Windows malware dropped by the above