School Stored a Marker You Don’t Want
Stanford University (CA, US) was found to have been hosting a document infected with retro malware for the last 15 years.
NewSky Security observed a document infected with a legacy macro virus (Word/Marker) hosted on a Stanford University domain. The link was still up at the time of writing. The document is the curriculum vitae of a professor who, at the time it was written, was a PhD fellow at Stanford.
This Marker variant carries an additional macro whose viral code appends a record of each newly infected machine to a log and uploads the stolen log over FTP to a command-and-control server. The infection log embedded in the document includes the victim's name, showing that the machine was infected more than a decade ago.
These indicators of compromise are consistent with the old Marker virus, confirming that this is indeed a legacy malware.
Many URL-blacklisting solutions maintain an internal whitelist of well-reputed domains (such as government or major education sites). If a site is on this list, the malicious rulesets are not applied and the site is never blocked. Hence, if malware sneaks onto one of these reputed sites, a link pointing to it is unlikely to be blacklisted. NewSky Security observed a similar case a few days ago, when a ransomware downloader was found on a US government website.
In this case, however, the file is well-known legacy malware, so most AV products detected the virus and its payload (over 77% detection). URL blacklisting, by contrast, stood at a little under 5%, most likely because of the benign reputation of the Stanford domain.
Domain owners should regularly audit the files hosted on their domains to make sure they are not serving malware. We have informed Stanford University about the hosted file and released the indicators of compromise here.
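The audit recommended above is easy to automate for the document types macro viruses live in. The script below is an added example written for this post, not NewSky's tooling: it walks a directory (for instance a web root), and flags legacy OLE2 documents whose directory entries name a VBA storage ("Macros" or "_VBA_PROJECT", stored as UTF-16LE) and OOXML files that carry a vbaProject.bin part. The sample files it creates are constructed stand-ins that only mimic those structural markers; they are not real documents or the Stanford file. Any hit is a document that should not be sitting on a public server without review, whatever the AV verdict.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path
from typing import List, Tuple

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (docx/docm/xlsm...) is a zip

# OLE2 directory entries store names as UTF-16LE. These two names only appear in
# documents that embed a VBA project (Word uses "Macros", Excel "_VBA_PROJECT_CUR",
# which the "_VBA_PROJECT" prefix also catches). Heuristic: it scans raw bytes rather
# than parsing the sector chain, so treat a hit as "inspect", not proof of infection.
VBA_OLE_NAMES = [name.encode("utf-16-le") for name in ("Macros", "_VBA_PROJECT")]
# In OOXML the VBA project is a binary part inside the zip container.
VBA_OOXML_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def classify(data: bytes) -> str:
    """Return 'ole-macro', 'ole', 'ooxml-macro', 'ooxml' or 'other' for a file's bytes."""
    if data.startswith(OLE_MAGIC):
        return "ole-macro" if any(n in data for n in VBA_OLE_NAMES) else "ole"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "other"
        if any(part in names for part in VBA_OOXML_PARTS):
            return "ooxml-macro"
        return "ooxml" if "[Content_Types].xml" in names else "other"
    return "other"


def audit_tree(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and return (path, verdict) for every macro-bearing document found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue          # unreadable file: skip, do not abort the audit
            verdict = classify(data)
            if verdict.endswith("-macro"):
                findings.append((path, verdict))
    return findings


def make_ole_sample(with_macros: bool) -> bytes:
    """Constructed OLE2 look-alike: genuine magic, zeroed header, one fake entry name."""
    body = bytearray(OLE_MAGIC + b"\x00" * 504)
    name = "Macros" if with_macros else "WordDocument"
    body += name.encode("utf-16-le") + b"\x00\x00"
    return bytes(body)


def make_ooxml_sample(with_macros: bool) -> bytes:
    """Constructed minimal OOXML zip, with or without a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def demo_audit() -> List[Tuple[str, str]]:
    """Write the constructed samples to a temp dir, audit it, return (filename, verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "cv.doc").write_bytes(make_ole_sample(True))
        Path(tmp, "clean.doc").write_bytes(make_ole_sample(False))
        Path(tmp, "report.docm").write_bytes(make_ooxml_sample(True))
        Path(tmp, "report.docx").write_bytes(make_ooxml_sample(False))
        hits = audit_tree(tmp)
    return sorted((os.path.basename(p), v) for p, v in hits)


if __name__ == "__main__":
    for filename, verdict in demo_audit():
        print(f"{verdict:12s} {filename}")
```

Run it against a real web root by calling `audit_tree("/var/www/html")` instead of the demo; hash and submit anything flagged to your AV or sandbox pipeline, and treat old .doc files with macro storages as suspect even when a scanner says clean, since a whitelisted domain is exactly where stale malware goes unnoticed.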
Authors
Ankit Anubhav, Principal Researcher, NewSky Security
Malwr_kill (https://twitter.com/malwr_kill)