This is very scary stuff.
SAN FRANCISCO — Computer intruders targeting pro-Tibetan groups, U.S. defense contractors and government agencies slipped in through previously unknown security holes in Microsoft Office, prompting Microsoft to issue a flurry of patches to the popular software suite in 2006 and 2007, according to computer security experts.
These attacks, which appeared to have originated in China, began in early 2006 when the attackers started sending e-mails to victims with booby-trapped Word documents and Excel spreadsheets attached.
“We are seeing more and more spying done with Trojans, a shift that has happened in the last two years,” Mikko Hyppönen, the chief research officer for software security vendor F-Secure, told RSA conference attendees Thursday morning.
The Pentagon and pro-Tibet groups have previously acknowledged the intrusions, but Hyppönen is the first to link the cyber espionage to a series of patches that Microsoft pushed out without explanation. Microsoft did not immediately reply to a request for comment.
Hyppönen’s colleague Patrik Runald notes that from 2005 through early 2006, Microsoft issued few patches for its Office suite. Soon afterwards came a surge of patches for critical bugs that could be used to infect a computer, including a record 26 fixes in October 2006 that addressed four critical bugs in Microsoft Office applications.
Those fixes, Runald says, appeared contemporaneously with the rise of targeted attacks on defense companies, nonprofits and government agencies. “They now have an incentive to begin looking for bugs and exploiting them,” Runald said. “Bad guys are finding these things fast.”
The attackers relied on e-mails tempting the victim to open the attachments, in some cases by presenting them as résumés from job seekers.
When the target opened the attachment, the application usually crashed; meanwhile the embedded code covertly installed a keylogger and data-stealing software that collected documents from anywhere on the organization’s network the user could reach.
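A triage check in the spirit of what a responder would run on one of these attachments, added here as an example and not code from the article, Wired or F-Secure: it scans a document blob for an embedded Windows executable, trying every single-byte XOR key because droppers of this kind commonly carry their payload lightly encoded. The cover text, the minimal fake PE image and the XOR key are constructed for the demo; the article does not say how the payloads in these attacks were packaged, so the encoding is an assumption.

```python
import struct


def find_embedded_pe(blob: bytes) -> list:
    """Return [(offset, xor_key)] for every plausible embedded PE image.

    Every single-byte XOR key is tried (key 0 = unencoded). A candidate is an
    'MZ' header whose e_lfanew field (at offset 0x3C) points at a 'PE\\0\\0'
    signature inside the same buffer; that pairing rarely occurs by accident.
    """
    hits = []
    for key in range(256):
        data = bytes(b ^ key for b in blob) if key else blob
        pos = data.find(b"MZ")
        while pos >= 0:
            if pos + 0x40 <= len(data):  # need the full 64-byte DOS header
                e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
                pe = pos + e_lfanew
                if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                    hits.append((pos, key))
            pos = data.find(b"MZ", pos + 1)
    return hits


def _fake_pe() -> bytes:
    """Minimal stand-in for a dropped executable (constructed, not a real binary):
    DOS header with e_lfanew = 0x80, PE signature, then a section name."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + b"PE\0\0" + b".text" + bytes(64)


# Constructed sample attachment: cover text with an XOR-0x5A encoded payload
# in the middle, plus a benign attachment that is cover text only.
COVER = b"Attached please find my CV for the open position. "
XOR_KEY = 0x5A  # assumed encoding key for the demo
PAYLOAD_OFFSET = len(COVER) * 3
SAMPLE_ATTACHMENT = COVER * 3 + bytes(b ^ XOR_KEY for b in _fake_pe()) + COVER * 2
BENIGN_ATTACHMENT = COVER * 6

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        print(name, find_embedded_pe(blob) or "no embedded PE found")
```

The e_lfanew-to-PE-signature pairing is what keeps the check from firing on every stray "MZ"; a real triage pipeline would hand any hit to a PE parser and sandbox rather than stop here, and would also look for payloads encoded with longer keys, which this single-byte sweep cannot see.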
Full story on Wired.