ShowerPoint Trojan
-
Instead, the delivery technique made use of the Windows PowerShell tool, which was invoked when targets hovered over a booby-trapped hyperlink embedded in the attached PowerPoint document.
-
Wow. It's ILOVEYOU all over again. (Or... was ILOVEYOU the one that could spread just by previewing attachments? Hard to keep all those early macro virii straight.)
-
Annoyingly short on detail. Is there some sort of onhover attribute in PowerPoint that can trigger PowerShell?
-
@Jaloopa A quick search gave me this, step 2 (it's the bottom-most row of the "Shapes" button in the ribbon).
Although it gave me a security warning when I ran the presentation, so there was an obvious sign that something was afoot, but either they've found a way to disable that, or they just rely on the users simply clicking away an obnoxious dialog, as many users do ("bla bla macros bla bla dangerous stuff bla bla techno babble Do you want to continue?").
-
Here's a thought, maybe we shouldn't allow invoking PowerShell on hover
-
@remi said in ShowerPoint Trojan:
it gave me a security warning when I ran the presentation
I get an obnoxious warning whenever I open a Word document in my dropbox folder. It rather trains the user to ignore those.
-
@Yamikuronue I know...
I remember when we upgraded to Office 2007, it added a small progress bar/popup when loading a big document (typically when it's on a network disk and thus slow to access). I was so used to clicking away any warning when opening a document (usually it's "this document is read-only", or "enable macros?" for some of our company templates) that I happened more than once to click this dialog by reflex. Since the only button on that dialog is a "cancel" button, this didn't quite have the effect I expected...
-
@boomzilla The screenshot in the onebox shows a warning dialog that needs to be clicked to proceed. Am I crazy?
... I'll go ahead and read the article now.
EDIT:
As demonstrated by the image above—which was included in a blog post from Dodge This Security—the PowerPoint file shows only a hyperlink with the words "Loading...Please wait." Hovering over the link with the mouse will then trigger the warning on newer versions of Office. One can imagine impatient users who haven't been fully trained clicking the "Enable" button in hopes of getting the document to load.
No I'm not crazy, they are. I mean it's technically true that it doesn't require a hyperlink to be clicked, but it does require a scary dialog permissions screen to be clicked, so...
-
If your employee opens a file like that in the first place, they've already failed their security test I guess.
-
@JazzyJosh said in ShowerPoint Trojan:
Here's a thought, maybe we shouldn't allow invoking PowerShell on hover
It shouldn't be invoking anything on hover. It shouldn't be able to launch an external executable at all. But that is just another example of the retarded fuckery that has become so deeply ingrained in almost all software.
-
@El_Heffe said in ShowerPoint Trojan:
@JazzyJosh said in ShowerPoint Trojan:
Here's a thought, maybe we shouldn't allow invoking PowerShell on hover
It shouldn't be invoking anything on hover. It shouldn't be able to launch an external executable at all. But that is just another example of the retarded fuckery that has become so deeply ingrained in almost all software.
Makes me think of the jigsaw puzzle I like to play. It has embedded ads (cause I'm cheap and haven't paid anything). One of those ads somehow automatically opens a web page every time it shows - ??? I finally just stuck that domain in my hosts file with a 127 address.
-
@El_Heffe said in ShowerPoint Trojan:
@JazzyJosh said in ShowerPoint Trojan:
Here's a thought, maybe we shouldn't allow invoking PowerShell on hover
It shouldn't be invoking anything on hover. It shouldn't be able to launch an external executable at all. But that is just another example of the retarded fuckery that has become so deeply ingrained in almost all software.
That's what I was thinking: Why the fuck is there even a "Run program" item at all in this action dialog?
-
@Medinoc Because if there wasn't such an option, people would run a VB macro that runs a program, I guess.
-
@masonwheeler said in ShowerPoint Trojan:
Wow. It's ILOVEYOU all over again. (Or... was ILOVEYOU the one that could spread just by previewing attachments? Hard to keep all those early macro virii straight.)
Sigh.
Viruses
(If it was in that group of Latin words and had a plural form, the plural would be VIRI, or if VIRII was the plural, the singular would be VIRIUS. RADII is the plural of RADIUS, not RADUS. Well, except that in Latin, vīrus is a mass noun, and therefore doesn't even have a plural form.)
-
@Steve_The_Cynic Here, have a ...