Five most popular posts on the Excel blog in 2011

It's still January. There's still time to share the most popular posts on the Excel blog in 2011. Thanks for reading them!

The first one is--you guessed it--about keyboard shortcuts. From the post, you can download Quick Reference Cards to pin to your corkboard.

...(read more)
Posted in Excel 2010, Excel shortcuts, Percentages, PivotTables

How to save your Access SharePoint password

Recently, someone posted a comment on IT Impact Inc.'s blog asking how to get SharePoint to remember his password when he logged in via Access. He wanted to avoid having to log in every time. Ben Clothier, a Senior Access Developer at IT Impact, knew the answer. He wrote a detailed blog post (with plenty of screenshots) that we'd like to share with you. IT Impact has been building custom databases with Microsoft Access since 1994, serving customers around the world. Ben Clothier has been Microsoft...(read more)
Posted in Access 2010, SharePoint

Independent social welfare site hacked to serve malware?

We received a submission from one of our customers who had downloaded some suspicious files from a certain website. We checked the files, confirmed that they are indeed malicious and added detection for them as Trojan:BAT/Delosc.A. Everything seemed routine until we looked at the website the files were downloaded from, which suggested there's more to it than meets the eye.

The website in question is a Romanian website, asistentasociala [dot] info. The term "asistenta sociala" translates to "social welfare" and is apparently a popular search term: searching for it on various search engines, we found the website ranked within the first two pages of results.

The website contains various official documents and examples of how they are filled out. It appears to have been compromised: the original documents have been replaced with malicious executable files (detected as Trojan:BAT/Delosc.A, sample SHA1 759e3dc00415809d0df748e23dcbec1c0265afc1), as seen in Figure 1 below:

Fig. 1 The .doc file has been replaced by an .exe file. (The word "cerere" translates to "request" or "application".)

The malicious files have the same icon as the original documents, so that when they are saved to your computer, you might not notice anything out of the ordinary. In Figure 2 below, the downloaded malicious executables have the icons of an Excel file, a PDF file, and a Word file:

Fig. 2 The malicious executables using misleading document icons.

When run, the malicious executable drops the original document, as in Figure 3. This is probably done to make it appear as if nothing unexpected has occurred:

Fig. 3 The malicious executable drops the original document.

It also drops a BAT file (also detected as Trojan:BAT/Delosc.A - SHA1 ECD0C54B085BDBBECF25FA44EEF69F9B5F776621) in the Temporary Files folder as "open_file.bat". This file does the rest of the malicious actions.

The BAT file tries to delete files and folders from two software solutions mainly used in Romanian institutions: Indaco (software that offers services for legal documentation) and Aplxpert (a document management system based on regulations designed for public administration).

It then deletes any folder (along with the files inside) on the C, D, E, F, G and H drives whose name contains one of the following strings: "aplxpert", "indaco" (as previously mentioned), "mondo", "agr", "factur" (invoice), "gami", "multi", "glob", "alocati", "arenda", "social", "assist", "vmg", "asf", "lemne" (wood), "incalz" (heating), as you can see from the malware code in Figure 4:

Fig. 4 The malware code showing the target strings.

Based on these actions, if you work for a Romanian government institution and your computer is infected by this malware, you may no longer be able to use either of these tools. In addition, folders of files pertinent to your work may be deleted if their names contain any of the strings above.

Aside from government employees, the malware could also hurt an ordinary user searching for documents related to social welfare. If, for example, you were looking for help filling out a heating assistance form and saved it in a folder whose name contains any of these strings, that folder could be deleted from your computer.

The website owner has been contacted and the malicious files have been removed.

Replacing the original documents with malicious executables is something we have seen before. What is different here is that the trojan poses as the very documents the user is looking for and then deletes files on the same subject, so genuine official documents the user already has can be lost. That makes it a very real threat to users.

We recommend that you always pay attention to downloaded files and look out for files that have the icon of one file type but the extension of another. Windows Explorer hides extensions for known file types by default, so turn that option off so that the .exe is visible. And as always, run an antivirus solution to protect your computer against these kinds of threats. For website owners, make sure you take steps to harden your website so that you can protect its integrity.
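Two checks that follow from the description above, as an added example that is not part of the original post or of the MMPC's tooling: a file whose content starts with a PE header but whose name says "document" is flagged, and a batch file that pairs recursive or quiet delete commands with any of the folder-name strings listed above is reported. The batch text and the two stub files are constructed illustrations of the pattern, not the real open_file.bat or the real samples; the file names and the 'MZ' and OLE2 header checks are assumptions about what a practitioner would find in a downloads folder.

```python
"""Two checks for the behaviour described above: a download that is really a
Windows executable dressed up as a document, and a batch file that wipes folders
whose names contain the listed strings. Added example, not MMPC code; the sample
batch text and stub files below are constructed."""
import os
import re
import tempfile

# Folder-name substrings the post says the BAT file targets.
TARGET_STRINGS = ["aplxpert", "indaco", "mondo", "agr", "factur", "gami", "multi",
                  "glob", "alocati", "arenda", "social", "assist", "vmg", "asf",
                  "lemne", "incalz"]

DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}

# Recursive or quiet delete commands (rd /s /q, del /f /q ...) anywhere on a line.
DESTRUCTIVE_DELETE = re.compile(r"\b(rd|rmdir|del|erase)\b[^\n]*/[sq]\b", re.IGNORECASE)


def file_is_pe(path):
    """True if the file starts with the 'MZ' DOS header, i.e. is a Windows executable."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def classify_download(path):
    """Reason a downloaded file deserves a second look, or None if it is not a PE."""
    if not file_is_pe(path):
        return None
    name = os.path.basename(path).lower()
    stem, ext = os.path.splitext(name)
    if ext in DOCUMENT_EXTS:
        return "executable content behind a document extension"
    if os.path.splitext(stem)[1] in DOCUMENT_EXTS:
        return "executable with a double extension"
    # A plain .exe with a document icon (the case in the post) is still a PE;
    # only the content can be trusted, never the icon.
    return "executable"


def destructive_targets(bat_text):
    """Target strings present in a batch file that also contains recursive/quiet
    delete commands. Returns [] when the file has no such delete command."""
    if not DESTRUCTIVE_DELETE.search(bat_text):
        return []
    lowered = bat_text.lower()
    return [s for s in TARGET_STRINGS if s in lowered]


# Constructed illustration of the pattern described in the post, not the real open_file.bat.
SAMPLE_BAT = r"""@echo off
for %%d in (C D E F G H) do (
  for /d %%f in (%%d:\*indaco*) do rd /s /q "%%f"
  for /d %%f in (%%d:\*incalz*) do rd /s /q "%%f"
)
"""


def demo():
    """Write two constructed stub files into a temp dir and classify them."""
    d = tempfile.mkdtemp()
    fake = os.path.join(d, "cerere.doc.exe")
    with open(fake, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)                 # PE header stub, not a real program
    real = os.path.join(d, "cerere.doc")
    with open(real, "wb") as f:
        f.write(b"\xd0\xcf\x11\xe0" + b"\x00" * 60)   # OLE2 signature of a real .doc
    return {os.path.basename(p): classify_download(p) for p in (fake, real)}


if __name__ == "__main__":
    print(demo())
    print(destructive_targets(SAMPLE_BAT))
```

The header check is deliberately content-based: a document icon is just a resource inside the PE, so the only reliable signal is the first two bytes of the file. The batch scanner is a triage aid for the temp folder, not a substitute for antivirus detection.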

--

Andrei Saygo && Daniel Radu

MMPC Dublin


Helping You Get Started

Perhaps you've heard about the advantages of Microsoft Office 365, and want to give it a try. Or maybe you've already completed a 30-day trial and are ready to subscribe on an ongoing basis.  The question is: Which plan should I subscribe to?

To make your choice easy, we've updated our Office 365 website to help you quickly select the right plan for your organization.  Now, from a single page, you can compare all the subscription plans side-by-side, including the specific features and prices of each. You can see which plans come with a free, 30-day trial, and find the plan best suited for your organization's specific size and needs.

To make our subscription plans easy to navigate, we've also grouped them into four categories: email, small business, midsize businesses and enterprises E1 & E3:

  • Email (Exchange Online): This plan is suitable for organizations of any size that want to move their email, but not their productivity applications, to the cloud. Subscribers receive our web-based email service Exchange Online, along with shared calendars, anti-virus and anti-spam filtering, and Active Directory integration. Cost: $5 per user/month.
  • Small Business (P1): This plan is ideal for organizations with 50 or fewer employees. In addition to web-based email complete with anti-virus and anti-spam filtering, it offers instant messaging, voice and video conferencing, and web-based viewing and editing of Word, Excel, PowerPoint and OneNote files. It also includes a team site for sharing files, an external website, and Microsoft community support. Cost: $6 per user/month.
  • Midsize Businesses & Enterprises (E1): The basic plan is appropriate for medium and large enterprises that want to move email, communications, and collaboration to the cloud, while keeping their productivity applications on-premises. It offers web-based email, shared calendars, instant messaging, and video conferencing. Plus it includes a SharePoint intranet supporting up to 300 sub-sites, Active Directory integration, configurable anti-spam filtering, and 24x7 customer support. Cost: $10 per user/month.
  • Midsize Businesses & Enterprises (E3): The premier plan is suitable for medium and large enterprises that are taking a hybrid approach to the cloud and want to combine their cloud-based and on-premises versions of Office into a single plan. It includes everything in the basic plan plus web-based viewing and editing of Word, Excel, PowerPoint, and OneNote files. It also comes with a desktop version subscription of Office Professional Plus 2010 for up to five devices per user. And it offers unlimited email storing and archiving, and hosted voicemail support. Cost: $24 per user/month.

You can subscribe to a plan right from our website, or sign up for a 30-day free trial. You can also watch demos of Office 365, and view answers to frequently asked questions. Please check it out, and tell us what you think. We welcome your questions and comments.

Posted in Business, Office 365, plans

Working with Nothing but a Windows Phone, Part 2 (Office Mobile)

A restaurant can become a workplace using Windows Phone. With a built-in version of Office, communications software (Lync), and a way to access your files stored in Microsoft's free cloud service (SkyDrive), you can see how to attend a meeting and even handle an emergency while eating your lunch.


...(read more)
Posted in Lync, Office Mobile, office web apps

The Power of Teamwork

As a boys' basketball coach, I always tell my sons that if you want to be a star, you've got to learn teamwork. If you hog the ball and constantly try to score yourself, both you and your team are going to get creamed. But if you know where your teammates are on the court, if you're constantly watching to see who's open and frequently pass the ball, you're going to find opportunities to score.

The same is true for business. From The Wisdom of Crowds to Teamwork makes the Dreamwork, numerous books have pointed to the incredible benefits organizations can reap by getting their staff to work effectively as a team. Often, however, the problem is structuring the work environment to make it possible for teams to thrive. Without an underlying infrastructure that makes it easy to share information and collaborate, teamwork can be as difficult as a lone basketball player squaring off against a team of Kobe Bryants.

One of the benefits of Microsoft Office 365 is that it provides the infrastructure for collaboration and information sharing. With Microsoft SharePoint Online, a component of Office 365, organizations can create sites that let them easily share information and collaborate with colleagues and customers. With Microsoft Lync Online, they can connect seamlessly with others through instant messaging, video conferences, and online meetings.

Collaborating effectively couldn't be more critical for SKARF, a medical research and treatment center in Denmark. The organization networks with researchers across the globe to discover, share, and advance knowledge around effective cardiovascular medicine and treatments.  "In order for research to be accurate and thorough, it's important that a lot of stakeholders contribute to it," says Kristian Wachtell, a cardiologist at SKARF. "We need easy, fast ways to share knowledge and ideas across borders so we can improve productivity."

The organization had been exchanging drafts and comments with other researchers via email. However, it was cumbersome to manage and consolidate the information it received. Based on a recommendation from its IT support firm, ProActive, SKARF decided to try Office 365 for its collaboration features.

Rather than emailing documents back and forth for feedback, researchers now use the co-authoring feature in Microsoft Word 2010 hosted by SharePoint Online to make edits simultaneously. "SharePoint Online is exactly what we need to quickly and easily share data and files," Wachtell says. "We're definitely more productive. We're probably cutting down document creation time by 25 percent."

The organization also uses Lync Online to hold web conferences, reducing the need for researchers to travel to universities and other research centers to share information about the latest research. "Being able to share what's on our desktops and talk about it in real time expands our horizons," Wachtell says. "We can cut travel time in half and save the company $50,000 annually; that's a significant savings."

Being able to collaborate more productively has made it possible for the researchers to work together better in teams. They're also completing projects faster, which means they can take on more work. "This kind of collaboration is vital to us," Wachtell says. "Office 365 helps us perform better, work more productively, and increase our workload capacity."

Has Office 365 improved teamwork in your organization? Feel free to leave a comment.

Posted in collaboration, Office 365, SKARF, teamwork

A different breed of downloader

Thin clients are a familiar idea: devices with little functionality of their own that are easy to maintain because what they do is driven by data they receive from remote servers. Malware authors have adopted a similar technique, in which malware downloads executable code without ever downloading an executable image. The result is malware that isn't a typical trojan downloader.

The typical routine for trojan downloaders is that the downloaded file is modified on the server side, while the downloader itself offers only a download-and-execute function, which is cheap to produce and therefore expendable in terms of antivirus detection. As a result, we currently detect over eight million trojan downloaders for Windows, most of which write the downloaded executable to disk or inject it into other processes.

Unfortunately, there is no need for malware writers to download an executable at all. We recently analyzed a sample, TrojanDownloader:Win32/Poison.A (SHA1: 2cc1b2cca8d07b55144141625aea3e61f2eca182), that downloads a blob of position-independent code and executes it in the context of a previously non-malicious application.

At first, the sample appeared to be a very small application written in Visual Basic that accesses the website of a Tibetan restaurant. I expected a trojan downloader using the normal routine, but during quick static analysis I couldn't see any file access operation or any other suspicious system call. Instead, it simply displayed the error in Figure 1 below:

Figure 1: Error message displayed when run on an isolated machine

Once the application was run on a machine with a simulated Internet connection, it retrieved the contents of the restaurant website's HTML page. The application then copied itself to the Windows system folder as "misys.exe" (as shown in Figure 2 below) and started keylogging, even though static analysis had not indicated this kind of functionality.

Figure 2: The file "misys.exe" on a computer connected to the Internet

The question is: where does that file come from? The mystery was solved when I looked at the HTML code of the restaurant webpage, which begins with the following hex instructions:

&H55, &H8B, &HEC

These three bytes (55 8B EC) make up the standard x86 function prolog:

Figure 3: The assembly code for the hex instructions: push ebp; mov ebp, esp

So the VB application extends its functionality dynamically by downloading x86 instructions and executing them in the context of its own process. The "downloader" becomes the malware by executing this downloaded blob. The downloaded instructions are neither injected into a different process nor dropped to disk; they run inside the downloader's own process, so the downloader inherits the malware's functionality.

After the whole HTML page was converted into binary as in Figure 4, the file name in Figure 2 was clearly visible:

Figure 4: The file name is visible after conversion to binary
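The conversion step described above, as an added example that is not the author's tooling: decode a VB-style listing of &Hxx tokens into bytes, test for the 55 8B EC prolog, and list printable strings the way the strings utility would. The HTML fragment is constructed for illustration and is not the restaurant page; the byte sequence and the misys.exe string it embeds are assumptions for the demo.

```python
"""Decode a VB-style hex listing (&H55, &H8B, ...) into bytes, check for the
x86 function prolog the post describes, and pull printable strings out of it.
Added example; the page text below is constructed, not the real site contents."""
import re

# Constructed stand-in for the downloaded page: a prolog, some filler, an
# embedded filename and a trailing leave/ret. Not the real blob.
SAMPLE_PAGE = """<html><body>
&H55, &H8B, &HEC, &H83, &HEC, &H10, &H90, &H90,
&H6D, &H69, &H73, &H79, &H73, &H2E, &H65, &H78, &H65, &H00,
&HC9, &HC3
</body></html>"""

HEX_TOKEN = re.compile(r"&H([0-9A-Fa-f]{1,2})")
X86_PROLOG = bytes.fromhex("558bec")   # push ebp; mov ebp, esp


def vb_hex_to_bytes(text):
    """Convert every &Hxx token in the text into one byte, in order of appearance."""
    return bytes(int(h, 16) for h in HEX_TOKEN.findall(text))


def starts_with_prolog(blob):
    """True when the decoded blob opens with push ebp / mov ebp, esp."""
    return blob[:3] == X86_PROLOG


def printable_strings(blob, min_len=4):
    """ASCII runs of at least min_len characters, as the strings utility lists them."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def triage(text):
    """Summary a analyst would want before loading the blob into a disassembler."""
    blob = vb_hex_to_bytes(text)
    return {
        "bytes": len(blob),
        "x86_prolog": starts_with_prolog(blob),
        "strings": printable_strings(blob),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PAGE))
```

A page whose body decodes to bytes that begin with a function prolog is not HTML at all, which is the same observation that solved the mystery above; the strings pass then surfaces the dropped file name without executing anything.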

The downloaded binary blob is a variant of the Win32/Poison family. The functionality of the downloaded code is widely documented in its entry in the MMPC Encyclopedia.

The Win32/Poison trojan can be created with an easy-to-use builder tool, which lets malware authors customize a build according to what they want to steal. We discuss the kit and its distribution in the MMPC Threat Report – Poison Ivy paper we released in November of this year. A possible reason why Win32/Poison is so prevalent, although it's quite an old trojan, is that the builder lets malware authors create, with one click of the mouse, position-independent code carrying the trojan functionality instead of an executable, as shown in Figure 5:

Figure 5: Win32/Poison builder allowing shellcode or PE creation

So while the malware we discussed here, TrojanDownloader:Win32/Poison.A, is a different kind of trojan that took a while to build, within minutes it was just another threat detected by Microsoft AV products.


-- MMPC


Plan, pitch, forecast, fund: how to start a business

Today Guy Kawasaki shares his final blog post in a series about making your entrepreneurial dreams come true. His witty wrap-up offers what not to say, and what not to believe when investors say it. These tongue-in-cheek lists serve a purpose: they run down everything he taught you about creating a business pitch and plan and developing a financial forecast. Reading all the posts should give you everything you need to launch that business! No more excuses! And don’t forget: Office Web Apps are great tools for sharing and collaborating, perfect for entrepreneurs and their business partners when they set out.

Now get crackin!

(You can read or download the whole series on Guy's SkyDrive.)


Posted in Guy Kawasaki, Office 2010

Fake Seattle traffic ticket notification leads to malware

Our partners at the City of Seattle sent us a warning today about a phishing campaign that targets users very close to home -- specifically, Seattle, Washington. They're seeing spam circulating that claims to be from the Seattle Department of Motor Vehicles, stating that the recipient is charged with a traffic offense and asking them to fill out a linked form:

[Screenshot: fake Seattle traffic ticket spam]

Variations of this email are turning up; all of them have similar content and a “check sum” tag line. Only the hyperlink and the time and date of the “offense” change between iterations of the spam. It's interesting to note that the "Date of Offense" is in European format (DD/MM/YYYY), a strange deviation from the MM/DD/YYYY format used in most of the U.S. So far, we’ve seen the hyperlink point to several recently registered domains.

If the link is visited, the browser requests the page and loads an IFrame from yet another site, which was registered on January 16, 2012 and is hosted in Ukraine at IP 93.190.44.171. This site contains obfuscated JavaScript that attempts to exploit a vulnerability in MDAC (Microsoft Security Bulletin MS06-014) that was fixed by a Windows security update in 2006, so a system that has applied that update is not affected.

If the exploit is successful, it will download and execute a file named "info.exe" from the domain “doofyonmycolg.ru”. At the time of writing, we detect this file as Worm:Win32/Cridex.B (SHA1: 2f9ccfcf645162856ec92d79fa983e22e1024051). Once the malware is running, it tries to connect to “jahramainso.com” (IP 95.57.120.104, registered January 11, 2012) using SSL. The malware is able to update itself through communicating with the server. At present, this host is serving the exact same file as the malware running on the affected computer (SHA1: 2f9ccfcf645162856ec92d79fa983e22e1024051).

We started seeing reports of this file earlier today, although we were not previously aware of the distribution vehicle until the City of Seattle alerted us about the spam. It's also interesting to note that the doofyonmycolg.ru domain was registered only a few days ago, so this is a new spam campaign.

While this particular campaign is new, Win32/Cridex variants originated around September 2011. As is usually the case, the malware authors attempted to evade detection by updating the malware and altering the hosts that it communicates with. You can read more about Worm:Win32/Cridex.B in the MMPC malware encyclopedia.
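A way to sweep proxy logs for the indicators the post gives (the two domains, the two IPs and the Cridex SHA1), as an added example that is not MSRC tooling. The squid-style log lines are constructed for the demo and their field layout is an assumption; only the indicators themselves come from the post.

```python
"""Match proxy log lines against the indicators listed in the post (domains,
IPs, file hash). Added example, not MSRC code; the log lines are constructed."""
import re
from collections import namedtuple

# Indicators as stated in the post above.
IOC_DOMAINS = ["doofyonmycolg.ru", "jahramainso.com"]
IOC_IPS = ["93.190.44.171", "95.57.120.104"]
IOC_SHA1 = ["2f9ccfcf645162856ec92d79fa983e22e1024051"]

Hit = namedtuple("Hit", "line_no kind value")


def _bounded(value, line):
    """True if value appears in line as a whole token, so that 1095.57.120.104
    or notjahramainso.com do not count as matches."""
    pattern = r"(?<![a-z0-9.-])" + re.escape(value) + r"(?![a-z0-9.-])"
    return re.search(pattern, line) is not None


def indicators_in(line):
    """(kind, value) pairs for every indicator found in one log line."""
    line = line.lower()
    found = [("domain", d) for d in IOC_DOMAINS if _bounded(d, line)]
    found += [("ip", ip) for ip in IOC_IPS if _bounded(ip, line)]
    found += [("sha1", h) for h in IOC_SHA1 if h in line]
    return found


def scan_log(text):
    """Hits across a whole log, with 1-based line numbers."""
    return [Hit(n, kind, value)
            for n, line in enumerate(text.splitlines(), 1)
            for kind, value in indicators_in(line)]


# Constructed squid-style lines: time client method url status sha1-of-body.
# The hash column is an assumption about the proxy configuration.
SAMPLE_LOG = """\
1326988801.123 10.0.0.5 GET http://www.example.com/index.html 200 -
1326988805.456 10.0.0.5 GET http://doofyonmycolg.ru/info.exe 200 2f9ccfcf645162856ec92d79fa983e22e1024051
1326988810.789 10.0.0.5 CONNECT 95.57.120.104:443 200 -
1326988812.000 10.0.0.7 GET http://cdn.example.net/app.js 200 da39a3ee5e6b4b0d3255bfef95601890afd80709
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The CONNECT line is the interesting one: the post says the malware talks to its server over SSL, so the only thing a proxy sees is the destination IP, which is why the IP indicators matter as much as the domain names.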

The best way to remain protected against this type of attack is to:

• Keep your security software and Windows security updates current
• Teach yourself to recognize and avoid phishing emails and other messages

Also, note that neither the Seattle Police Department nor Department of Motor Vehicles (DMV) sends tickets by email -- only by “snail mail” (post). The Seattle Police Department published an alert on their site at the following link: http://spdblotter.seattle.gov/2012/01/19/beware-phishy-email-titled-seattle-traffic-ticket/

-- Tareq Saade, Microsoft Security Response Center 

Posted in phishing, Seattle, Win32/Cridex

Yes, it is possible to create nice looking spreadsheets

15 Spreadsheet Formatting Tips

For the last couple of years I’ve been meaning to pull together some of the tips that I’ve learned working on the Excel team about how to make nice looking spreadsheets. Well, last week, Rob Collie (a previous Excel Program Manager, and now CTO at Pivotstream and author of PowerPivotPro.com) beat me to it with his post “In the Browser, Aesthetics Yield a Greater Return.”

...(read more)
Posted in formatting, PowerPivot