On 4 August 2014 Brandan Blevins talks in his post ‘‘Poweliks’ malware variant employs new antivirus evasion techniques‘ about a new malware which uses new infection routes.
My first thought was: Oh no, not another new malware that could not be detected by state-of-the-art Anti Virus systems!
My second thought was: Hold on for a moment. The Poweliks malware appears to jump into our computers like a deus ex machina! Sounds like magic, doesn’t it?
If you dig somewhat deeper, you find, that to implant the malware, attackers must exploit a vulnerability of the system and, the good faith of the users. In this case the media was a Word attachment of an email and a flaw in the MSCOMCTL.OCX described in CVE-2012-0158.
In section ‘What might an attacker use the vulnerability to do?’ Microsoft describes the impact:
‘An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights…’.
And this is exactly what the Poweliks malware does.
What countermeasures could we take?
(a) Do not open attachment and files from untrusted sources like email. Common sense can prevent lots of malware attacks.
(b) Do not work with permanent administrative rights.
(c) Change the User Account Control (UAC) Settings to the highest level ‘Always notify’. The malware installs Powershell, if not already installed. In this case UAC will notify you.
(d) Check whether the latest updates and patches are installed. CVE-2012-0158 was fixed in 2012 and can not be used for an attack, if Windows Update is configured to automatically install updates.
(e) Review the Trust Center Settings in Microsoft Office.
Activate ‘ Disable all macros with notification’ in section ‘Macro Settings’,
Activate ‘Prompt me before enabling all controls with minimal restrictions’ in section ‘ActiveX Settings’.
Activate ‘File Block Settings’ except for Office 2007 or later formats in section ‘File Block Settings’.
(f) Check your AV providers Homepage for the latest updates or utilities. I bet you will find some Information or tool which could support you in an emergency.
(g) Don’t Panic!
Have a good Weekend