Microsoft Word Malware Targets Businesses

Determined attackers will use any method they can to reach valuable information. The Microsoft Word Intruder (MWI) service, a malware creation tool that has been sold for several years, lets its customers exploit known memory-corruption vulnerabilities in Microsoft Word's handling of rich text format (RTF) files and deliver malware through "decoy documents": booby-trapped files that look like ordinary attachments.

A "Booby Trap" for Malware Distribution

Known as malware kits or exploit kits, tools like MWI circulate in underground communities and give anyone from novices to experts an easy way to build and deploy malicious documents. Every exploit kit targets some vulnerability in a program; MWI's contribution is the weaponised document, which is built to deliver one of two kinds of first-stage malware:

  • A "dropper": an executable embedded in the document itself that writes the final payload to the local disk and runs it
  • A "downloader": a small stub that fetches the payload from an attacker-controlled URL when the document is opened, which keeps the document small and lets the operator swap payloads without rebuilding it

MWI has been marketed in the hacker community as "the most reliable and universal .doc exploit pack" available. The tool is thought to have originated in Russia and sells for anywhere from $2,000 to $3,500.

Latest Microsoft Word Intruder Attack Targets Businesses

The use of MWI to launch attacks isn't new, but the latest campaign to appear in the headlines is especially worrying for businesses. In a phishing campaign built around the job search site CareerBuilder, attackers used MWI to create decoy documents disguised as resumes, which were then delivered to prospective employers.

The attack takes advantage of CareerBuilder's automatic notification system. When an applicant submits a resume in response to a listing, that resume is immediately emailed to the company that posted the job, so the malicious file arrives from a legitimate sender that the recipient has asked to hear from. Since employers expect exactly these attachments, they are likely to open them without question. To make matters worse, resumes are routinely forwarded to hiring managers and other departments, which gives the attacker a way to reach several machines in a business network with a single file.

The motivation for the CareerBuilder attack is suspected to be financial. By gaining access to businesses, hackers may be able to steal money or get their hands on valuable company information that can be sold on the black market.

Unwitting Malware Installation

Because the payload was staged in several layers rather than attached as a plain executable, common security products did not flag the CareerBuilder documents at first, and companies did not notice the attack straight away. The process was simple but stealthy:

  • Opening a decoy resume triggered the Word exploit, which unpacked a compressed file and an image onto the victim's machine.
  • The payload hidden in that image launched a backdoor dubbed "Sheldor."
  • Sheldor connected from the infected computer back to servers under the attackers' control.
  • Over that connection the attackers were able to access information on the infected computers.
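Both the delivery mechanism described above (an RTF exploit document carrying a dropper or downloader) and the CareerBuilder chain share one observable: a "resume" that is really an RTF file with binary objects embedded in it. The triage script below is an added example written for this article, not MWI code or anything published about the CareerBuilder campaign. It identifies an attachment's real container type from its leading bytes, flags RTF content hiding behind a .doc name, and flags RTF control words that embed OLE objects together with long hex runs, which is how binary payloads travel inside an RTF stream. The sample attachments are constructed inline; the control-word list and thresholds are this example's own heuristics, not MWI signatures.

```python
"""Triage e-mail attachments for RTF decoy documents (added example)."""
import re
from dataclasses import dataclass, field

# Leading bytes that identify what a file really is, regardless of extension.
RTF_MAGIC = b"{\\rtf"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML .docx is a ZIP container

# RTF control words that embed OLE objects. A plain-text resume never needs
# them; exploit documents routinely use them to carry the malicious object.
# (Heuristic list chosen for this example, not a vendor signature.)
SUSPICIOUS_RTF_WORDS = (b"\\objdata", b"\\objemb", b"\\objupdate")

# Binary content inside RTF is hex-encoded, so a long uninterrupted hex run
# means an embedded binary blob. 512 hex chars (256 bytes) is this example's threshold.
HEX_RUN = re.compile(rb"[0-9a-fA-F]{512,}")


def identify(data: bytes) -> str:
    """Classify by magic bytes: 'rtf', 'ole', 'ooxml' or 'unknown'."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


@dataclass
class Verdict:
    filename: str
    kind: str
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def triage(filename: str, data: bytes) -> Verdict:
    """Return a Verdict listing why this attachment deserves a closer look."""
    kind = identify(data)
    verdict = Verdict(filename, kind)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    # Word happily opens RTF that has been renamed to .doc, which is exactly how
    # "universal .doc exploit" documents are delivered. Treat the mismatch as a flag.
    if kind == "rtf" and ext != "rtf":
        verdict.findings.append(f"RTF content behind .{ext or '(none)'} extension")

    if kind == "rtf":
        for word in SUSPICIOUS_RTF_WORDS:
            if word in data:
                verdict.findings.append(f"embedded-object control word {word.decode()}")
        run = HEX_RUN.search(data)
        if run:
            verdict.findings.append(f"{len(run.group())}-char hex run (embedded binary)")

    if kind == "unknown":
        verdict.findings.append("not a recognised Word container")
    return verdict


def triage_all(attachments: dict) -> list:
    """Triage a mapping of filename -> bytes and return only the suspicious verdicts."""
    return [v for v in (triage(n, d) for n, d in attachments.items()) if v.suspicious]


# Constructed sample attachments (not real captures).
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Arial;}} \\f0\\fs24 Jane Doe\\par Senior Accountant\\par}"
DECOY_RTF = (
    b"{\\rtf1\\ansi {\\object\\objemb\\objupdate{\\*\\objdata "
    + b"d0cf11e0a1b11ae1" * 64          # 1024 hex chars standing in for an OLE object
    + b"}}}"
)
SAMPLE_ATTACHMENTS = {
    "jane_doe_cv.rtf": BENIGN_RTF,
    "resume.doc": DECOY_RTF,                       # RTF body behind a .doc name
    "old_format.doc": OLE_MAGIC + b"\x00" * 504,   # genuine OLE2 header, not flagged
    "cv.docx": ZIP_MAGIC + b"\x00" * 60,           # OOXML container, not flagged
}

if __name__ == "__main__":
    for v in triage_all(SAMPLE_ATTACHMENTS):
        print(f"{v.filename} [{v.kind}]: " + "; ".join(v.findings))
```

Run against a real mailbox, this is a first-pass filter rather than a detector: a hit means "open this in a sandbox or detonation service first", not "this is MWI". Legitimate RTF with embedded spreadsheets will trip it, and a downloader-style document that carries only a URL and a small stub may not, so it complements rather than replaces the antivirus scan of the attachment.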

Once machines within a business network are infected, hunting down and removing the malicious code takes a great deal of time. Business operations can grind to a halt, costing revenue and damaging relationships with customers. Companies that fall victim to these attacks also tend to make headlines, and that negative publicity can weigh on public relations and brand image long after the infection is cleaned up.

Although MWI has been around for several years, campaigns like the one built on CareerBuilder show that attackers aren't about to stop using it any time soon. Because the kit relies on known, already-patched Word vulnerabilities, keeping Office up to date removes most of its leverage, and opening attachments from outside the organisation in Protected View or a sandbox limits what an exploit can do if one slips through. Businesses should also scan inbound attachments with a reliable antivirus and malware detection tool before they reach users, even when the files arrive through a trusted service such as a job board. Together these measures protect the sensitive data stored on company networks and let the business keep operating without interruption.