Analysis of a MICROSOFT WORD INTRUDER sample: execution, check-in and payload delivery by Yonathan Klijnsma.
From the post:
On April 1st FireEye released a report on “MWI” and “MWISTAT”, which is a sort of exploit kit for Word documents, if you will: A New Word Document Exploit Kit
In the article FireEye goes over MWI, which is short for “Microsoft Word Intruder”, coded by an actor going by the handle ‘Objekt’. MWI is a ‘kit’ for people to use for spreading malware. It can generate malicious Word documents exploiting any of the following CVEs:
- CVE-2010-3333
- CVE-2012-0158
- CVE-2013-3906
- CVE-2014-1761
The builder, named MWI, generates these documents which call back to a server to download malicious payloads. Together with the MWI builder the author has also released MWISTAT; a statistics backend and optional downloader component for MWI documents to track campaigns and spread of the documents.
…
This post prompted me to look for malware kits for the Internet of Things (IoT).
I didn’t find any with a quick search but did find several IoT malware stories that may be of interest:
The Internet Of Things Has Been Hacked, And It’s Turning Nasty by Selena Larson.
From the post:
Don’t say we didn’t warn you. Bad guys have already hijacked up to 100,000 devices in the Internet of Things and used them to launch malware attacks, Internet security firm Proofpoint said on Thursday.
It’s apparently the first recorded large-scale Internet of Things hack. Proofpoint found that the compromised gadgets—which included everything from routers and smart televisions to at least one smart refrigerator—sent more than 750,000 malicious emails to targets between December 26, 2013 and January 6, 2014.
…
The Botnet of the Internet of Things by Waylon Grange.
From the post:
Last month we released our report on the Inception Framework and as part of that report outlined how a nation-state level attack compromised over 100 embedded devices on the Internet to use them as a private proxy to mask their identity. Since the release of the paper we have further discovered that the attackers not only targeted MIPS-el devices but also had binaries for ARM, SuperH, and PowerPC embedded processors. In light of this the 100 devices that we knew about is most likely only the tip of the iceberg and the total count was much, much more.
This network of proxies was managed by a central backend that tunneled attacks through an ever-cycling list of compromised devices, thus changing the IP address their attacks came from every few minutes. The whole system for tracking which compromised devices were available and managing the change in proxies at regular intervals had to be a fairly complex system, but the benefit to the attackers was clear. No one entity would have full insight into their attacks, only portions of it, and it is hard for investigators to put together a puzzle with only a handful of the pieces.
…
This year your refrigerator may be a spam-bot and next year your toaster?
Don’t know how I will feel getting a spam email with return address: Joe’s Toaster.
Unfortunately, people who are concerned about IoT security aren’t the ones building devices to become part of the IoT. Strict liability for losses, spamming, etc. due to IoT devices would go a long way towards generating concern among IoT device manufacturers.
I didn’t find any malware kits for the IoT but I will keep looking. Until the IoT becomes more secure, I’m not sharing network access with my refrigerator or toaster.