Thursday, Jul 07, 2016

It’s not all about ransomware – keyloggers are still alive and well!

Ransomware gets a lot of attention these days, and understandably so.

It’s the digital equivalent of a punch in the face: there’s no doubt what’s happened, and the crooks leave no stone unturned to make sure you know it.

Some ransomware not only creates some sort of HOW-TO-PAY document in every directory where there are scrambled files, but also changes your desktop wallpaper so that the payment instructions are visible all the time.

You can argue, however, that less visible malware attacks are even worse, especially if you only find out about them days or weeks after they started, and they include some sort of data-stealing payload.

Like the range of malware that SophosLabs researcher Gabor Szappanos (Szapi) was reviewing recently while working on a paper about Word-based attacks.

Szapi was looking at a particular subset of Word-borne hacks: what are known as exploit kits.

Exploit kits are pre-packaged, booby-trapped files that automatically try to take over applications such as Word or Flash as soon as you open up one of the malicious files.

The idea is to bypass any pop-up warnings that would usually appear (such as “you need to enable macros,” or “are you sure you want to install this software”) by crafting the exploit file so it causes a controllable crash in the application that just loaded it.

Szapi noticed that all of the exploit kits he’d covered in his paper (going by names like Microsoft Word Intruder, AK-1, AK-2, DL-1 and DL-2) had been used at some time to distribute data-stealing malware known as KeyBase.

His first thought was along the lines that “KeyBase ought to be dead by now, because it’s been around for a while, it’s well-known, and the author himself took it offline long ago.”
