Malicious PowerPoint File Targeting Flash Player Vulnerability

Trend MicroResearchers at Trend Micro have discovered a malicious PowerPoint file circulating via email, which if executed, installs a backdoor on the victim’s system. The backdoor is made possible thanks to a vulnerability in Flash Player. The good news, however, is that the vulnerability itself has long since been patched, and malicious attachments are easy to avoid.

“Recent threats are no longer limited to malicious files disguised as ordinary binaries (such as .EXE file) attached to emails. These specially crafted files can be embedded in commonly used files such as PDF, DOC, PPT or XLS files,” Trend researcher, Cris Pantanilla, wrote in a recent blog.

The malicious PowerPoint arrives via email, and if it is opened, it will display a legitimate looking document. However, while the false presentation is shown, code within the file itself attempts to exploit an Adobe Flash Player vulnerability from 2011.

If successful, the victim’s system is exposed to additional malware, as the vulnerability allows for remote code execution.

“…cybercriminals are continuously taking advantage of previously reported vulnerabilities in popular software such as MS Office applications, Flash etc….exploits created for reliable vulnerabilities remain effective cybercriminal tools…[as] most users do not regularly update their systems’ with the latest security patch, which explains why attackers are continuously exploiting these bugs,” Pantanilla added.

In the end, he concluded, system patching and caution when dealing with file attachments from unknown sources will prevent this basic level of attack.

Trend Micro detects the malicious PowerPoint file as TROJ_PPDROP.EVL and the backdoor file as BKDR_SIMBOT.EVL. More information is available here.

By Steve Ragan


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s