Yesterday, our engineers in Japan noticed the arrival of some unusual submissions from a small number of our customers. All of these submissions contained suspicious Microsoft Office Excel 2007 spreadsheets. Further analysis showed that these files were exploiting a vulnerability in Excel that allowed them to drop and execute a binary onto the file system.
We see this kind of behavior all the time, but as the analysis of the vulnerability progressed it became clear that this vulnerability is one that we had not seen before. It turns out that this vulnerability exists in the old Excel binary .xls format and not the new .xlsx format. Opening the malicious spreadsheet triggers the vulnerability. This causes the shellcode to execute, which then drops two files on the system: the malicious binary mentioned earlier and another, valid Excel document. The shellcode then executes the dropped binary and opens the valid Excel document to mask the fact that Excel has just crashed. This helps to decrease suspicion when the affected spreadsheet is opened.
The people behind this attack use some additional techniques to help evade detection. For example, they use weak encryption on the binary embedded in the spreadsheet. After decrypting the payload you will notice that the MZ header has been obfuscated to evade casual analysis. One of the tricks used switches characters—MZ becomes ZM and PE becomes EP. The following screenshot shows what happens to the ubiquitous “This program cannot be executed in DOS mode.”
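The MZ/PE byte swap described above defeats tools that key on the standard signatures, but it is trivial to spot and reverse once the decrypted payload is in hand. The following checker is an added example (not Symantec's code, and not tied to the specific sample); it identifies a buffer whose DOS and NT signatures have been swapped and restores them so ordinary PE tooling can parse the file. The sample bytes are constructed here for illustration.

```python
"""Detect the MZ->ZM / PE->EP header swap in a dropped payload and undo it.
Added example with constructed sample data; not the original post's code."""
import struct

def _e_lfanew(data: bytes) -> int:
    """Offset of the NT header from the DOS header field at 0x3C, or -1 if out of range."""
    if len(data) < 0x40:
        return -1
    off = struct.unpack_from("<I", data, 0x3C)[0]
    return off if off + 4 <= len(data) else -1

def header_state(data: bytes) -> str:
    """Classify the buffer's signatures as 'pe', 'swapped' or 'unknown'."""
    off = _e_lfanew(data)
    if off < 0:
        return "unknown"
    dos_sig, nt_sig = data[:2], data[off:off + 4]
    if dos_sig == b"MZ" and nt_sig == b"PE\0\0":
        return "pe"
    if dos_sig == b"ZM" and nt_sig == b"EP\0\0":
        return "swapped"
    return "unknown"

def unswap_headers(data: bytes) -> bytes:
    """Restore the MZ and PE signatures of a swapped buffer; any other input is returned unchanged."""
    if header_state(data) != "swapped":
        return data
    off = _e_lfanew(data)
    buf = bytearray(data)
    buf[0:2] = b"MZ"
    buf[off:off + 2] = b"PE"
    return bytes(buf)

def _build_sample() -> bytes:
    """Constructed minimal header: 'ZM' DOS stub, e_lfanew = 0x40, 'EP\\0\\0' NT signature."""
    hdr = bytearray(b"ZM" + b"\0" * 0x3A)      # 0x3C bytes of DOS header
    hdr += struct.pack("<I", 0x40)               # e_lfanew at offset 0x3C
    hdr += b"EP\0\0" + b"\0" * 20                # swapped NT signature plus padding
    return bytes(hdr)

SAMPLE_SWAPPED = _build_sample()

if __name__ == "__main__":
    print(header_state(SAMPLE_SWAPPED))                  # swapped
    print(header_state(unswap_headers(SAMPLE_SWAPPED)))  # pe
```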
This is all very basic but can help evade certain types of detection. Our tests have shown that this exploit has been created for and works in Excel 2007, but previous versions of Excel fail to handle gracefully the exception caused by exploitation attempts. As a result, it is possible that this issue is also exploitable in older versions of Excel.
We have added detection for the malicious spreadsheet files we have seen in the wild, which will be detected as Trojan.Mdropper.AC. The malicious binary dropped by the spreadsheet will be detected as a Trojan horse. Ensure that your definitions are up-to-date to protect yourself from the danger this issue presents.
The motivation behind this attack is not yet clear. We are currently monitoring this threat and will post more information when it becomes available. We have been working closely with Microsoft since we discovered this issue. Microsoft has confirmed that this is a new vulnerability, and more information can be found in their Security Advisory located at http://go.microsoft.com/fwlink/?LinkID=143568.