Security Response

Justsystem's Ichitaro zero-day used to propagate Trojan

Created: 16 Aug 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:57:51 GMT
John Canavan

In recent months, we have seen a number of zero-day Microsoft Office exploits used to drop Trojan horses on affected systems. The release of the exploits had been timed so that when Microsoft released their patches, a zero-day exploit surfaced the next day. The timing of these releases was noted by Symantec Security Response and it was speculated that the people behind these exploits had discovered multiple vulnerabilities in Microsoft Office and were holding back on releasing them, in order to maximize the time-to-patch for each of their finds.

Today, we have seen another targeted attack on a document editing suite; however, this time around it is Justsystem's Ichitaro. Ichitaro is a word processing program widely used in Japan.

The malicious document uses a unicode stack overflow to execute its code on the system, dropping and executing a Trojan horse named Backdoor.Papi. When run, Backdoor.Papi copies itself to the %system% directory, creates a service named CAPAPI, and drops an ancillary DLL file that contains its main functionality. A copy of its DLL is then injected into each running process to gather system information and relay it back to the Trojan's authors at pop.lovenickel.com. The back door also hooks a number of Windows APIs in an attempt to hide the presence of its files and registry keys from the user. As with the domains used by Trojans dropped by variants of the Trojan.Mdropper family, this domain is registered in China.
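The two indicators the post names, the CAPAPI service and the pop.lovenickel.com call-back domain, are what an incident responder would sweep logs for. The script below is an added example, not Symantec's code or part of the original post: it scans constructed Windows service-install and DNS query log lines for those two indicators. The log line shapes are assumptions (Event ID 7045 is the real Service Control Manager "service was installed" event, but the exact text layout and the DNS log format here are made up), and the dropped file name is not given in the post, so no file-path indicator is included.

```python
"""Scan constructed Windows service-install and DNS log lines for the
Backdoor.Papi indicators named in the post (service CAPAPI, domain
pop.lovenickel.com). Log formats below are assumptions, not Symantec's."""
import re
from typing import Iterable

# Indicators taken from the post. Everything else in this file is assumed.
IOC_SERVICE_NAMES = {"capapi"}
IOC_DOMAINS = {"pop.lovenickel.com"}

# Assumed line shapes: a System-log service-install event (Event ID 7045 is
# the real SCM event for this; the surrounding text is constructed) and a
# DNS query log line of the form "query: <host> type A".
SERVICE_RE = re.compile(r"Service Name:\s*(?P<name>[^\s,;]+)", re.IGNORECASE)
DNS_RE = re.compile(r"query:\s*(?P<host>[A-Za-z0-9.-]+)", re.IGNORECASE)


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (indicator_type, value) pairs matched in one log line."""
    hits = []
    m = SERVICE_RE.search(line)
    if m and m.group("name").lower() in IOC_SERVICE_NAMES:
        hits.append(("service", m.group("name")))
    m = DNS_RE.search(line)
    if m:
        host = m.group("host").lower().rstrip(".")
        # Flag the exact domain or any subdomain of it.
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(("domain", host))
    return hits


def scan_lines(lines: Iterable[str]) -> list[tuple[int, str, str]]:
    """Scan many lines; returns (line_number, indicator_type, value) hits."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for kind, value in scan_line(line):
            findings.append((n, kind, value))
    return findings


# Constructed sample lines (not real captures). The capapi.exe path is a
# placeholder; the post does not give the dropped file name.
SAMPLE_LOG = [
    "2006-08-16 09:12:01 System 7045 A service was installed in the system. "
    "Service Name: CAPAPI Service File Name: C:\\WINDOWS\\system32\\capapi.exe",
    "2006-08-16 09:12:03 dns client query: pop.lovenickel.com type A",
    "2006-08-16 09:13:10 System 7045 A service was installed in the system. "
    "Service Name: Spooler Service File Name: C:\\WINDOWS\\system32\\spoolsv.exe",
    "2006-08-16 09:14:22 dns client query: update.example.com type A",
]

if __name__ == "__main__":
    for n, kind, value in scan_lines(SAMPLE_LOG):
        print(f"line {n}: {kind} indicator {value}")
```

Because the back door hooks Windows APIs to hide its files and registry keys, a check run on the infected host itself may be lied to; service-install events already written to the event log and DNS queries seen at the resolver or network edge are harder for the implant to suppress, which is why this example reads logs rather than enumerating the live system.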

We have only seen this threat utilized in a very limited, targeted attack at the moment; however, if the speculations about the timed releases of these exploits are indeed correct, we need to be on alert and remain vigilant for when more appear.

For more information please see:
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-081615-5607-99
http://www.symantec.com/enterprise/security_response/writeup.