'Fully undetectable' Windows backdoor gets detected

SafeBreach Labs says it has detected a novel fully undetectable (FUD) PowerShell backdoor, which calls into question the accuracy of threat naming. More significantly, the malware may backdoor your Windows system by masquerading as part of the update process. Tomer Bar, director of security research at SafeBreach, explains in …

  1. Steve Graham

    In 1992: "You know what would be great? If we could embed executable code in a Word document."

    1. J. Cook Silver badge

      And the wheel of reincarnation strikes again...

      And mainly because using the OLE Automation hooks is hard and requires additional time and effort to build to.

      And as we can all see, no one at Adobe looked at Microsoft's problem with it and said "hey, let's embed a scripting engine into our PDF viewer which will let miscreants do the same exact thing!!!"

    2. DS999 Silver badge

      To be fair

      Windows didn't support networking back then, so the only attack vector was sneakernet.

      The real crime wasn't adding that functionality 30 years ago, it was maintaining their support for it once it became known what a big problem it was. They could have and should have deprecated it long ago.

      1. unimaginative Bronze badge

        Re: To be fair

        Not natively, AFAIK, but there had long been third party networking (such as Netware) and even third party TCP/IP stacks had been around for a few years.

        Once that happened "You know what would be great? If we could embed executable code in a web page." has no excuse.

        1. Blazde

          Re: To be fair

          Almost the first time I used Windows was to print a WordBasic laden Word doc over the Netware network to a shared printer.

          Typically you'd also want to surreptitiously delete a few big print-jobs belonging to others ahead of you in the queue, so it is fair to say security wasn't THE top priority back then.

        2. John Brown (no body) Silver badge

          Re: To be fair

          There's nothing inherently wrong with embedding executable code in web pages or documents. Allowing them access out of the running application and into the OS and the general file system is the problem.

      2. jake Silver badge

        Re: To be fair

        "Windows didn't support networking back then"

        DOS had internal networking ability starting with PC-DOS 3.1, released in March of '85. The DOS shell called "Windows 1.0" was released to manufacturing in November of '95. DOS networking worked just fine while Windows was running from the year dot (not that anybody cared in the early days).

        "They could have and should have deprecated it (executables embedded in documents) long ago."

        I'd say it should never have been done in the first place. The obvious security headache is obvious.

        1. jake Silver badge

          Re: To be fair

          Win1 was released in '85, not '95. Typo. Oops.

          Time to get a new prescription for my reading glasses ... hazard of getting old.

          1. Anonymous Coward

            Re: To be fair

            At least your hindsight is still 20/20!

    3. Jou (Mxyzptlk) Silver badge

      Actually, as those scripts are written, the actual PowerShell code could be hidden in any file: .PNG, .JPEG, .ODF and so on. And since many file formats are actually renamed zip files (hello ODF DOCX JAR etc etc) you can include whatever in such a zip file.

      The word document is just the easiest way since you cannot fix dumb. Including dumb implementation from M$, making the "activate script" button huge, but the safe "don't" button small. But what to expect from the UI designers of Windows 8.0 and Windows 11...

      1. jake Silver badge

        "But what to expect from the UI designers of Windows 8.0 and Windows 11..."

        That wasn't Designers, that was Marketers.

      2. John Brown (no body) Silver badge

        "The word document is just the easiest way since you cannot fix dumb. Including dumb implementation from M$, making the "activate script" button huge, but the safe "don't" button small. But what to expect from the UI designers of Windows 8.0 and Windows 11..."

        Yep, and the easiest way to get a "mark" to activate the script is to make the script do something "useful", e.g. to make the relevant text actually display. A bit like those websites that show a blank screen if you have scripting blocked and may show some plain text stating "please enable scripting to view this site".

    4. amanfromMars 1 Silver badge

      Totally Deluded'R'Us are in AI a Busted Flush*

      In 1992: "You know what would be great? If we could embed executable code in a Word document." ..... Steve Graham

      Eric Arthur Blair, aka George Orwell of 1984 and Animal Farm fame, had that well sussed in 1948, Steve, and provides to even this day the premium primary ace tablet/platform/methodology to mimic and champion if an illuminating Order out of CHAOS and/or Thirty-third Degree Ordo ab Chao Aficionado or Acolyte, Disciple or Fanatic, Follower or Leader which easily identifies all of those terrifying and terrorising third parties and their financing leaderships in direct opposition to and active competition against changes which don't leave current running present traditional and past supporting historical conventional Status Quo administrations in their advantageous positions rendering them believing themselves immune from the consequences of their actions claiming impunity.

      It is why Status Quo Systems' Media Controlling Machines do not permit and provide for free viewer and captive listener input/output suggesting an alternative view with novel solutions for ancient problems/future radical changes to entrenched ignorant difficult positions/troubling persistent activities.

      Heaven forbid that the world and his dog have a common leading voice to be heard and realised which doesn’t agree with that of just a catastrophically psychotic few appears to be their mantra and Casus Belli.

      And if that is not changed as quick as a flash, as it can be nowadays with that which is available to that and those so enabled by machines controlled by loving fingertips, there be Immaculately Resourced Assets and Universal Virtual Force type Troubles ahead for such Status Quo Systems’ Machine Commanders and Controllers, for more of the same is no longer acceptable when enough is enough is not heeded and turns toxic and destructive.

      If you find anything there ambiguous, please share your anxiety here so that any misunderstandings you might have can be addressed and qualitatively eased and shared further afield for greater enlightenment and education elsewhere too.

      * ... A potential flush which ultimately was not filled. Anything which ends up worthless despite great potential.

  2. EricM

    Fully undetectable = FUD?

    nice

  3. Anonymous Coward

    Spotted in the wild!

    I run an MSP and we were alerted to this on the 3rd of October. Client was a 330 seat charity and I did not link it to this specific article until I read it this morning. They have zero-trust and Ringfencing (I won't mention the name of it for fear of shill accusations) so although the Macro ran, it didn't make it outside of Excel.

    A subtle reminder to incorporate a ZT solution in critical environments as it can stop zero-day stuff like this folks!
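The "ringfencing" the poster describes (the macro ran but never made it outside Excel) can also be checked after the fact in telemetry. The following is an added example, not code from the article, SafeBreach or the commenter's product: it flags Office applications spawning a script host over constructed Sysmon-style process-creation records; the field names, file paths and command lines are assumptions.

```python
"""Flag Office apps that spawn a shell or script host (added example, constructed data)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# PowerShell accepts unambiguous prefixes of parameter names, so a prefix match
# covers -w/-win/-windowstyle, -e/-enc/-encodedcommand, -ep/-executionpolicy,
# and -nop/-noprofile: the switches a macro dropper uses to stay quiet.
RISKY_PREFIXES = ("-w", "-e", "-nop")

@dataclass(frozen=True)
class ProcessEvent:            # assumed shape of a process-creation record
    parent_image: str          # full path of the parent process
    image: str                 # full path of the new process
    command_line: str

def office_spawned_script_host(ev: ProcessEvent) -> bool:
    """True when an Office application is the parent of a script host or shell."""
    parent = PureWindowsPath(ev.parent_image).name.lower()
    child = PureWindowsPath(ev.image).name.lower()
    return parent in OFFICE_PARENTS and child in SCRIPT_HOSTS

def risky_powershell_flags(command_line: str) -> list:
    """Returns the switches in the command line that match RISKY_PREFIXES."""
    return [t for t in command_line.split() if t.lower().startswith(RISKY_PREFIXES)]

def triage(events) -> list:
    """Returns (index, reason) for each event an analyst should look at."""
    findings = []
    for i, ev in enumerate(events):
        if not office_spawned_script_host(ev):
            continue
        reason = "office->script host"
        flags = risky_powershell_flags(ev.command_line)
        if flags:
            reason += " with " + " ".join(flags)
        findings.append((i, reason))
    return findings

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    ProcessEvent(OFFICE + r"\WINWORD.EXE", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -ep bypass -enc BASE64PLACEHOLDER"),
    ProcessEvent(OFFICE + r"\EXCEL.EXE", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe"),                                  # user-launched, not flagged
    ProcessEvent(OFFICE + r"\WINWORD.EXE", r"C:\Windows\splwow64.exe", "splwow64.exe 8192"),  # printing
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS):
        print(idx, why)
```

The same parent/child pairing is what an application-control or ringfencing policy blocks up front; the check above only tells you, from logs, whether that control held.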

  4. Anonymous Coward

    Programs add value by allowing users/business to customize. The issue is with the user/business and protection offered by the environment.

    Else: Let's kill all functionality for everyone.

    The whole point of IT is to enable productivity. Just need to secure the environment

    Idea: Stop letting users access the general internet, restrict to trusted business partners.

    Just use some control!!!!!!!

    I ride a motorcycle. If I don't wear the gear and maintain the bike, I can expect to get hurt.

    1. amanfromMars 1 Silver badge

      And what an absolutely ridiculous idea for IT too.

      Idea: Stop letting users access the general internet, restrict to trusted business partners.

      Just use some control!!!!!!! ...... Anonymous Coward

      The only business partners one can trust are those one can control absolutely ..... therefore there can be no trusted business partners to restrict, AC.

  5. bombastic bob Silver badge

    would the intrusion work if you ran libre office instead?

    Just curious if using Libre Office generically protects you

    (I expect it would, like NOT using Outlook, etc.)

    1. Jou (Mxyzptlk) Silver badge

      Re: would the intrusion work if you ran libre office instead?

      > Just curious if using Libre Office generically protects you

      Only if you install the latest update. They just fixed a security hole which allowed a very Very VERY easy exploit. A simple <iframe src='macro:Shell("whatever")'></iframe> was enough. Including Linux and Mac.

  6. Dinanziame Silver badge

    Not a Windows user here

    But do people really just have to open the document and the macro runs, no questions asked?

    I mean, if I open a document that pretends to be a LinkedIn offer and it asks for permission to run a macro, there's not a chance I'll allow it.

    1. IGotOut Silver badge

      Re: Not a Windows user here

      Normally you have to get past the prompts along the lines of "this is from an untrusted source and could be dangerous" and THEN you have to allow macros.

      But these are the same people that enter credit card details to aamazzonn.com and wonder what those strange transactions are.
