Hello, welcome to the Monday, December 11th, 2017 edition of the Sansonet Stormsiter's Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

I always say that one of the most difficult, if not impossible, tasks in security is to figure out if a document is not malicious or a system is not compromised.

DDA took on just this challenge with an RTF document that a reader submitted.

The document didn't trigger any Anhabaris engines.

Now that by itself of of course, is far from

sufficient to call this particular document non-malicious. It had a lot of the hallmarks of

malicious RTF documents. First of all, it arrived as an attachment in an email. The email

came from a source that's unknown to the particular

reader. So the DA took a closer look at the document using some of his own tools and well he

actually came to the conclusion that the document is not malicious. All the document contained as far as the DE could find out was metadata

describing the RTF document, which is very typical, and apparently it didn't contain any content.

So lucky for us, not all exploits are created correctly, and in this case, probably someone tried to exploit vulnerability,

but just didn't know how to run their tool correctly.

And remember back in May, someone found a keylogger that was part of the Connectsend audio

driver package.

This particular keylogger and driver package was

originally found on HP Notebooks. Later other vendors I believe also found the same

driver with keystroke logging enabled. Now it looks like we have Decha-Wu

here. HP's keyboard driver apparently can be enabled to lock keystrokes.

Now, this is quite a bit of different than the Connexent case.

First of all, it does affect the keyboard driver itself.

...