Malware researchers are poring over a newly discovered zero-day PowerPoint Trojan uncovered by Trend Micro this weekend. The big question: Does it target a new, unknown vulnerability in Microsoft's software, or is it a variant of another virus that attacks known vulnerabilities?
Researchers at Trend Micro and Sophos are running the so-called Troj_Mdropper.BH Trojan through a battery of tests to determine how the malware attacks a Windows machine. So far, it looks like the Trojan targets neither a new vulnerability nor the ones Microsoft previously patched, MS06-012 and MS06-048, which allowed remote code to execute in PowerPoint.
Microsoft's initial investigation indicates the trojan is not a new zero-day vulnerability, a Microsoft spokesperson said this evening. "Microsoft is actively working in conjunction with MSRA partners to verify those findings and will provide additional information and customer guidance once the investigation is complete," the spokesperson said.
Trend Micro's researchers are still testing various permutations of the exploit, so there's no official word yet, says David Perry, global director of education for Trend Micro and one of the company's top virus experts.
"MS06-012 was the big one for PowerPoint, and we are looking at that right now. So far, [the new Trojan] doesn't work" with that vulnerability, says Perry, who admits the initial findings on the Trojan are a bit confusing. "But we have to test it out more."
Sophos says it appears the Trojan could be a new or modified PowerPoint exploit. "It could well be something" new, says Ron O'Brien, a security consultant for Sophos. O'Brien says Sophos' exploit team is busy analyzing PowerPoint while the company's lab examines the Trojan. "It's the vulnerability we're most concerned about," he says. "If this one gets broadcast prior to Microsoft's September patches, it increases the likelihood that people will take advantage of it."
The good news is that, so far, there have been only a handful of infected machines, according to Perry.
Troj_Mdropper.BH works like this: The specially crafted PowerPoint file is either downloaded by a user from the Internet or dropped onto a victim's system by other malware. When executed, it inserts and executes another Trojan called Troj_Small.CMZ into the Windows temporary folder, according to Trend Micro. It targets Windows 98, Windows ME, Windows NT, Windows XP, and Server 2003.
It was too early to determine all of the potential dangers of the Trojan, but Perry says one possibility is to build a botnet. "Generally speaking, with these backdoor Trojans that drop another Trojan, the end of the road is a botnet to take control of your computer," he says.
The new Trojan is just another example of how malware is purposely being written to remain under IT's radar, rather than as the big-splash, replicating malware of the past. "People circulating viruses today are not trying to make it obvious. They don't go into mass circulation, and they may be just a version for one day," he says. It's more about criminals looking for monetary gain, he adds.
Meanwhile, Trend Micro and Sophos weren't the only researchers conflicted over this latest Trojan. T. Brian Granier, a researcher with the SANS Institute, said in his blog over the weekend that the new vulnerabilities hit by the new Trojan sounded a lot like those addressed by Microsoft in the MS06-048 patches. Granier questioned whether this was either a new vulnerability, or if Microsoft failed to find the root cause with MS06-048. He wonders whether Microsoft's patch actually addresses the vulnerability the new Trojan targets.
We'll bring you more on this story as it unfolds.
Kelly Jackson Higgins, Senior Editor, Dark Reading