Hello, welcome to the Wednesday, December 20th, 2017 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Washington, D.C.

Microsoft PowerPoint documents do offer a number of ways to trigger code execution.

Now, typically, we are used to that we have to click on a link in order to cause damage.

And one common trick to figure out where a link leads you is typically just to hover the mouse over it.

Sadly, PowerPoint does have a feature that allows you to trigger code execution

based on the mouse over event. So in this particular case and Xavier just ran into a sample

of this particular trick, you do execute code just by hovering the mouse over the link.

I'm pretty sure I mentioned this technique before.

It's certainly not new, but it hasn't really been seen much in actual malware so far.

About a year ago, I reported about adware that came pre-installed in some low-cost Android phones.

It was really more than adware. It was really more spyware. Collected an awful lot of

information about the user and also sort of implemented a back door. It became known as ad-ups back then.

And the difficulty here was that it came pre-installed on the phone,

which made it kind of impossible to uninstall it.

Well, ad-ups is back.

They now changed their name a little bit.

They call it now Fw upgrade a provider which i

guess is supposed to sound like a firewall but well it's just the opposite it again does

exfiltrate user data and has the ability to install additional code on the phone apparently some of the standard techniques to disable it are also failing on this new

version.

If you do have an affected device, there isn't really much help at this point.

...