Our guys in Bratislava have issued a press release about one of the latest examples of the current wave of Excel exploits, which we detect as X97M/TrojanDropper.Agent.NAI. When the malicious Excel document is opened, it drops the backdoor Trojan we call Win32/Agent.NVV, which gives a remote attacker access to, and some control over, the compromised machine. Unlike some of the exploits we’ve seen recently, this one is remarkably flexible about the range of platforms and versions to which it delivers its payload: according to Microsoft’s advisory, the vulnerability affects Office versions as far back as Office 2000, and also affects Office 2004 and 2008 for Mac (that’s the scope of the vulnerability, not necessarily of this particular exploit!). Our lab also tells us that the exploit affects Excel viewers. So if you remember those reassurances from the 1990s that you were safe using viewers to read MS Office documents because they didn’t execute macros, I’m afraid that no longer applies: we’re not looking at malicious macros here, but at a flaw in the way Excel itself handles the file.
According to the same advisory, the vulnerability allows a specially crafted Excel document to access an invalid object so that the attacker can execute arbitrary code. Pierre-Marc is doing some analysis at the moment: it looks as if, in this case, the shellcode drops an executable embedded in the spreadsheet, then registers that executable as a service and starts it.
According to Patrick Fitzgerald of Symantec, the shellcode in the samples analysed there actually drops two files: the second file is a valid Excel document, which is opened to mask the fact that Excel crashes when the Trojan is executed. However, I can’t confirm at this point that we’re talking about exactly the same malicious code. I may be able to tell you more about that later.
Like the Adobe exploits we’ve been talking about recently, this is a targeted attack: while that may change, it’s not, for the moment, going to affect many people directly. Directly is an important word here, of course: a single person falling for one of these may have dangerous knock-on effects for many, inside and outside the targeted organization – consider, for instance, how many people could be impacted adversely by the misfortunes of a global banking organization, or a major government department.
There is no patch from Microsoft yet, though I’ll be surprised if there isn’t one sooner rather than later. Clearly, this isn’t a good time to be indiscriminately opening XLS files (the vulnerability doesn’t seem to exist in the newer .XLSX format), even from trusted sources. (One of the features of targeted attacks is that the attacker goes to some trouble to make it look as if the attack comes from a trusted source.) Bear in mind, too, that the extension is only a label: a binary .XLS can arrive under any name, so a gateway filter that wants to tell the two formats apart should look at the file’s content rather than its extension. But then, there’s never a good time to be reckless about opening files… Microsoft’s other suggested workaround is to use their Microsoft Office Isolated Conversion Environment (MOICE), certainly when opening files from unknown or untrusted sources. This should also afford some protection for users of Word and PowerPoint files in a number of attack scenarios, but MOICE can only be installed in Office 2003 or 2007.
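As an added illustration of the two points above (the legacy binary .XLS container versus the newer .XLSX package, and a dropper that carries its executable inside the spreadsheet), here is a small triage script. It is example code written for this post, not ESET’s detection logic and not derived from the sample itself: it classifies a file by its header bytes rather than its extension, flags a mismatch between the two, and scans for an embedded PE executable by checking that an “MZ” header’s e_lfanew field points at a “PE\0\0” signature. The sample document it builds is constructed for the demonstration.

```python
import struct

# Header bytes for the two Office container formats contrasted in the post:
# the legacy binary .xls is an OLE2 Compound File; .xlsx is a ZIP-based OOXML package.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"


def classify_container(data: bytes) -> str:
    """Identify the container by its leading bytes, never by the file's name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def find_embedded_pe(data: bytes) -> list:
    """Offsets of candidate embedded PE executables: an 'MZ' DOS header whose
    e_lfanew field (at +0x3C) points at a 'PE\\0\\0' signature inside the buffer.
    A bare 'MZ' string is common in ordinary data; requiring the PE signature
    at the referenced offset cuts the false positives down."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # e_lfanew in a sane range and a real PE signature at the target
            if 0x40 <= e_lfanew <= 0x400 and data[pe_off:pe_off + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage(data: bytes, filename: str) -> dict:
    """Combine both checks into a verdict usable at a mail or web gateway."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    container = classify_container(data)
    pe_offsets = find_embedded_pe(data)
    mismatch = (container == "ole2" and ext in ("xlsx", "docx", "pptx")) or (
        container == "ooxml" and ext in ("xls", "doc", "ppt")
    )
    return {
        "container": container,
        "extension_mismatch": mismatch,
        "embedded_pe_offsets": pe_offsets,
        # A legacy binary document carrying a raw executable is worth a closer look.
        "suspicious": (container == "ole2" and bool(pe_offsets)) or mismatch,
    }


def build_sample() -> bytes:
    """Constructed test document (not a real malicious file): one OLE2 header
    sector, some padding, then a minimal PE stub at a known offset."""
    header = OLE2_MAGIC + b"\x00" * (512 - len(OLE2_MAGIC))   # one 512-byte sector
    filler = b"\x00" * 0x300
    mz = bytearray(b"MZ" + b"\x00" * 0x3E)                    # 64-byte DOS header
    struct.pack_into("<I", mz, 0x3C, 0x40)                    # e_lfanew -> PE header at +0x40
    pe = b"PE\x00\x00" + b"\x00" * 20
    return header + filler + bytes(mz) + pe


if __name__ == "__main__":
    sample = build_sample()
    print(triage(sample, "quarterly_figures.xls"))
    print(triage(sample, "quarterly_figures.xlsx"))   # same bytes, mismatched label
```

The PE scan is a triage signal, not a verdict: legitimate OLE2 documents can carry embedded objects, and a dropper that stores its payload encoded (the post does not say how this one stores it) will not show a clean “MZ”/“PE” pair and needs the shellcode to be analysed instead. The container check, on the other hand, is cheap and reliable, and it is the right basis for any policy of the form “treat binary .XLS more cautiously than .XLSX”.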
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Author David Harley, ESET