The BSides security conference has gone global since 2009, when it first began in Las Vegas as a place for talks that weren’t accepted by Black Hat or Defcon. The movement has now reached Budapest and, with help from two of our own, the first event was a success.
SE Labs has just released its Q4 2016 testing results, and we’re pleased to report that Sophos Endpoint Protection scored highly. The results are a testament to SophosLabs’ diligence in protecting customers against real-time malware threats that are constantly evolving.
This week Sophos’ Bill Brenner and Matt Cooke conducted a Facebook Live chat to discuss the results.
Document exploitation is a well-known method of distributing malware among malware authors. A common theory for why crooks use booby-trapped documents is that victims can be more easily convinced to open document attachments than executables.
Word, Excel and PDF documents that contain so-called exploits – active booby-traps – have the added trick of not requiring their victims to manually enable macros, as is often the case for VBA downloaders.
The latest technical paper from SophosLabs explores why we’re seeing more document exploitation malware in the wild, and investigates the long-standing popularity of a document exploitation generator called Ancalog, which is widely commercially available.
SophosLabs has just released a research paper on a new way that cybercriminals are distributing malware that makes money by “borrowing” your computer to mine cryptocurrency.
The report by Attila Marosi, Senior Threat Researcher at Sophos, investigates the Mal/Miner-C malware, which criminals are using to mine the cryptocurrency Monero.
In this paper, Marosi examines how Mal/Miner-C quietly infects victims’ computers and communicates with host servers to run mining operations covertly in the background.
This latest technical paper from our team in SophosLabs examines the newest techniques being used by cybercriminals to conduct Microsoft Office document exploits.
For four years, the preferred vulnerability for a document exploit attack was CVE-2012-0158, but as this vulnerability has aged out – due to users and administrators updating and patching their systems to remediate it – criminals have had to target new vulnerabilities to keep up their attacks.
SophosLabs has found that criminals using several popular exploit kits, including Microsoft Word Intruder, are now predominantly targeting CVE-2015-1641 and CVE-2015-2545.
Arguably one of the most exploited Microsoft Office vulnerabilities of the last decade, CVE-2012-0158 owes its longevity to constant adaptation. Ever since its disclosure in 2012, this vulnerability has been the attack vector of choice for attackers who seek to hijack Microsoft Word or Excel and force these programs to execute malicious code.
In fact, according to SophosLabs research, as late as Q4 2015, CVE-2012-0158 was still used by 48% of exploits specifically targeting Office documents.
In this new research paper, Graham Chantry of SophosLabs provides a deep dive into several exploits found in the wild and how they work using CVE-2012-0158.
Thanks to Graham Chantry of SophosLabs, whose research and analysis form the core of this article.
But Microsoft VBA, or Visual Basic for Applications, should be up there too, because of its broad-brush popularity.
VBA is a modern-day dialect of BASIC, the original easy-to-learn-and-use programming language for beginners and experts alike.
It is built into many Microsoft applications, notably the components of Microsoft Office.
You can use it for all sorts of automation tasks right inside your own documents and spreadsheets, so it’s the sort of programming language that is as likely to be used by accountants and auditors as by software engineers and sysadmins.
Of course, once you add VBA code to a Word document, that file is no longer just so much harmless data, because it has a BASIC program buried inside.
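One practical consequence of this is that a defender can tell a plain document from one carrying a program simply by looking inside the file container. The following Python is an added example (not code from the original article or from SophosLabs): it opens an Office Open XML container (.docx/.docm/.xlsm and friends are zip files) and reports whether a VBA project part is present, either by the `vbaProject.bin` entry or by the macro-enabled content type Word declares for the main document part. The sample documents it inspects are minimal in-memory zips constructed here for demonstration, not real Office files; legacy binary `.doc` files use the OLE2 format and would need a different parser.

```python
"""Detect whether an Office Open XML document carries a VBA (macro) project.

Added example, not from the original post. The sample inputs are constructed
in-memory zips that mimic only the OOXML entries relevant to this check.
"""
import io
import zipfile

# Part names under which Office stores the compiled VBA project in the zip.
VBA_PART_NAMES = {
    "word/vbaProject.bin",
    "xl/vbaProject.bin",
    "ppt/vbaProject.bin",
}

# Content type Word declares for the main part of a macro-enabled document (.docm).
MACRO_ENABLED_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = (
    "application/vnd.openxmlformats-officedocument."
    "wordprocessingml.document.main+xml"
)


def has_vba_project(data: bytes) -> bool:
    """Return True if the container holds a vbaProject.bin part or declares
    a macro-enabled main part; False for plain documents or non-zip input."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            # Fast path: the compiled VBA project is stored as its own part.
            if names & VBA_PART_NAMES:
                return True
            # Slower path: the content-types manifest names the main part type.
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if MACRO_ENABLED_MAIN in manifest:
                    return True
    except zipfile.BadZipFile:
        # Not an OOXML container at all (e.g. a legacy OLE2 .doc or garbage).
        return False
    return False


def build_sample(with_macros: bool) -> bytes:
    """Construct a minimal OOXML-like zip (constructed sample, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_type = MACRO_ENABLED_MAIN if with_macros else PLAIN_MAIN
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" '
            f'ContentType="{main_type}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes standing in for a real compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


SAMPLE_PLAIN = build_sample(with_macros=False)   # looks like a .docx
SAMPLE_MACRO = build_sample(with_macros=True)    # looks like a .docm

if __name__ == "__main__":
    for label, blob in (("plain .docx", SAMPLE_PLAIN), ("macro .docm", SAMPLE_MACRO)):
        print(f"{label}: VBA project present = {has_vba_project(blob)}")
```

Checking the zip entries rather than trusting the file extension matters because the extension is just a name: the presence of a `vbaProject.bin` part is what makes the file a carrier of executable code, which is the point the paragraph above makes.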