BACKGROUND:
A new malspam variant that bypasses Office macro security to download Zloader was disclosed by McAfee on their blog Thursday. The variant disables Office defenses and delivers the Zloader banking trojan using a Word doc that downloads an XLS file. The XLS file then downloads and executes malicious DLLs (Zloader), so no malicious code is present in the macro of the initially spammed attachment. An expert with Gurucul offers perspective.
As pervasive as anti-malware software is, malware developers continue to come up with innovative approaches to infecting systems and devices. In the latest case, Microsoft reports that a phishing email with a Word attachment has the potential to take over systems. Opening the document causes it to download an Excel file from a remote server, whose contents are loaded into Visual Basic for Applications as macros. The Word doc disables the Excel macro warning and executes the macros, which download and execute the Zloader malware payload.

It’s a unique way of infecting a computer through several intermediate steps, and not actually downloading malware until the very last steps. Monitoring data on system downloads and executions will enable enterprises to identify a potential problem before Zloader can be executed. As attacks get more and more sophisticated, enterprises need an early warning system before malware can cause a crisis.
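As an added illustration of the monitoring the comment above recommends (example code written for this page, not from McAfee, Gurucul or Microsoft), a small correlation rule over constructed endpoint telemetry that flags the chain the page describes: an Office process downloads an XLS, then changes a macro-security setting, then a DLL is loaded, all within a short window on one host. The event schema, field names and event kinds are assumptions.

```python
"""Stateful detection of the Word -> XLS -> macro-warning-disable -> DLL chain.

Added example, not the vendors' code. Event tuple layout is assumed:
(host, iso_timestamp, process_name, event_kind, detail)."""
from collections import defaultdict
from datetime import datetime

OFFICE_PROCESSES = {"winword.exe", "excel.exe"}
XLS_SUFFIXES = (".xls", ".xlsm", ".xlsb")

# Constructed sample telemetry: ws01 shows the full chain, ws02 a benign
# download with no follow-up, ws03 a download and DLL load too far apart.
EVENTS = [
    ("ws01", "2021-07-09T09:00:01", "winword.exe", "net_download", "http://203.0.113.10/inv.xls"),
    ("ws01", "2021-07-09T09:00:02", "explorer.exe", "process_create", "notepad.exe"),
    ("ws01", "2021-07-09T09:00:03", "winword.exe", "macro_security_change", "Excel macro warning"),
    ("ws01", "2021-07-09T09:00:09", "excel.exe", "dll_load", "C:\\Users\\u\\AppData\\Local\\Temp\\a.dll"),
    ("ws02", "2021-07-09T10:00:00", "winword.exe", "net_download", "https://intranet.example/q.xls"),
    ("ws03", "2021-07-09T11:00:00", "winword.exe", "net_download", "http://198.51.100.7/r.xlsm"),
    ("ws03", "2021-07-09T11:30:00", "excel.exe", "dll_load", "C:\\Users\\u\\AppData\\Local\\Temp\\b.dll"),
]


def detect_chain(events, window_s=120):
    """Return (host, timestamp, dll_path) for each completed chain.

    Stages advance only on Office-process events; any gap longer than
    window_s since the initial download resets the state for that host."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[0]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[1])
        stage, started = 0, None
        for _, ts, proc, kind, detail in evs:
            now = datetime.fromisoformat(ts)
            if stage and (now - started).total_seconds() > window_s:
                stage, started = 0, None  # chain went stale, start over
            if proc not in OFFICE_PROCESSES:
                continue  # unrelated processes never advance the chain
            if stage == 0 and kind == "net_download" and detail.lower().endswith(XLS_SUFFIXES):
                stage, started = 1, now
            elif stage == 1 and kind == "macro_security_change":
                stage = 2
            elif stage == 2 and kind == "dll_load":
                alerts.append((host, ts, detail))
                stage, started = 0, None
    return alerts
```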