CallMe malware persists

Published April 25th, 2013 at 1:59 PM EDT , modified April 25th, 2013 at 1:59 PM EDT

F-Secure has blogged today about a slightly new variant of CallMe that has been seen in the wild. Everything about the malware seems to be the same, except for file names and the command server that the malware “calls home” to. This is certainly small news, but it does show that this malware is still in active distribution, at least.

Remember that the CallMe malware is distributed through a malicious Microsoft Word document, and installs itself by exploiting the CVE-2009-0563 vulnerability, which was fixed by Microsoft in June of 2009. This is noteworthy for a couple of reasons. First, the subject matter found in the Microsoft Word document being used is, once again, aimed at the Uyghur people. It is very unlikely that anyone other than an Uyghur, or someone with close ties to the Uyghur people, would be interested in that document.

Secondly, the fact that the malware continues to be spread through such an old vulnerability is very interesting. This not only suggests that the hackers have some knowledge about the targets of this malware (i.e., knowledge that they are using extremely outdated versions of Microsoft Office), but also that the malware has been successful in infecting people within that target group. (Alternately, perhaps the hackers are morons who are banging their heads against a wall, while the Uyghurs point and laugh. One can hope!)

Because of these facts, it’s very unlikely that anyone outside the target population will even see this malware. Those who might be at risk should be sure to install any updates available for their version of Microsoft Office. Doing so is completely free (besides whatever you might have to pay for the internet service needed to download the update) and will ensure that you cannot be infected with CallMe.

