Mayan Apocalypse Fears Exploited by Macro Virus

Talk that the Mayan calendar put the end of the world on Dec. 21, 2012, has produced everything from websites touting conspiracy theories to a feature film called ‘2012’.  Now, it has also brought the public emails laced with malware in an attack that has more to do with revisiting the past than ending the present.

Researchers at Sophos recently detected a malicious PowerPoint presentation entitled ‘Will the world end in 2012?’. The file contained Visual Basic macro code that dropped an executable file. The PowerPoint was not the first macro virus the company had seen in recent days; it also had analyzed one in an Excel spreadsheet presented as a Sudoku puzzle generator.

“Microsoft Office includes the powerful programing language Visual Basic for Applications, accessible from Office documents as macros,” blogged Richard Wang, of SophosLabs.  “Back in the 1990s, macros were the weapon of choice for cybercriminals. Microsoft responded by disabling macros by default, all but killing off the macro malware threat.”

“But macros are still in common use, and the trick used here is quite simple: if you want to generate a puzzle to solve, you have to enable macros,” he added.

The macro in the case of the malicious PowerPoint was functionally identical to the one found in the Sudoku puzzle, noted Chester Wisniewski, a Senior Security Advisor at Sophos Canada. It also required the user to enable macros, but unlike the Sudoku attack did not offer any tips on how to do it.

“What are these macros up to? They are designed to construct a valid Windows PE file (Portable Executable) from arrays of single bytes,” Wisniewski blogged. “While this isn’t particularly new, it would throw off the average user from understanding what these macros are designed to do even if they bothered to take a look.”

“The EXE file that is extracted is what we call a dropper,” he explained. “It extracts another Windows PE file which downloads a picture of an owl, then contacts a command and control server. It is designed to download another payload it will rename as Wmupdate.exe, but during our testing no instructions were sent from the command-and-control server to retrieve this payload.”

According to Wisniewski, the original uninfected version of the PowerPoint file was created by a preacher in the U.S. who appears to have nothing to do with the booby-trapped version.

“His legitimate WordPress blog has been compromised and is currently performing search engine manipulation duties for Viagra pushers, “off-shore” casinos, forex fraud and payday loans,” the researcher warned.

In the case of the Sudoku attack, the malware collects system information such as a list of the programs and services the user is running and information about the user’s hardware, operating system and patches. The data is then sent out to an aol.com address.

“While macro viruses certainly aren’t a new phenomenon, they aren’t something many people think about,” Wisniewski blogged. “Be careful with documents you acquire from random sources and never enable macros in documents you download or receive as email attachments.”