Security Response

Justsystem's Ichitaro zero-day used to propagate Trojan

Created: 16 Aug 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:57:53 GMT
John Canavan

In recent months, we have seen a number of zero-day Microsoft Office exploits used to drop Trojan horses on affected systems. The release of the exploits had been timed so that when Microsoft released their patches, a new zero-day exploit surfaced the next day. Symantec Security Response noted the timing of these releases and speculated that the people behind these exploits had discovered multiple vulnerabilities in Microsoft Office and were holding them back, releasing one at a time in order to maximize the time-to-patch for each of their finds.

Today, we have seen another targeted attack on a document editing suite; however, this time around it is Justsystem's Ichitaro. Ichitaro is a word processing program widely used in Japan.

The malicious document triggers a stack-based buffer overflow in Ichitaro's handling of a Unicode string and uses it to execute its code on the system, dropping and executing a Trojan horse named Backdoor.Papi. When run, Backdoor.Papi copies itself to the %System% directory, creates a service named CAPAPI, and drops an ancillary DLL file that contains its main functionality. A copy of this DLL is then injected into each running process to gather system information and relay it back to the Trojan's authors at pop.lovenickel.com. The backdoor also hooks a number of Windows APIs in an attempt to hide the presence of its files and registry keys from the user. As with the domains used by Trojans dropped by variants of the Trojan.Mdropper family, this domain is registered in China.
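The two indicators the write-up gives a responder, the CAPAPI service name and the pop.lovenickel.com callback host, are enough for a first sweep across DNS logs and registry exports. The script below is an added example written for this post, not Symantec's tooling or part of Backdoor.Papi's analysis. The DNS log format, the registry export contents and the service's ImagePath file name are constructed for the example; the post does not name the dropped file. Because the backdoor hooks Windows APIs to hide its files and registry keys, a live query through those APIs on an infected host may be lied to, so the registry export should come from an offline hive or a trusted boot environment, and the DNS data from the resolver rather than the suspect machine.

```python
"""IOC sweep for Backdoor.Papi: the CAPAPI service and the pop.lovenickel.com callback.

Sample inputs are constructed for this example; they are not real logs or hives.
"""
import re
from typing import Dict, List, Optional, Tuple

# Indicators named in the write-up.
C2_DOMAIN = "pop.lovenickel.com"
SERVICE_NAME = "CAPAPI"

# Constructed resolver log, hypothetical format: "<timestamp> <client> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
2006-08-16T09:14:02Z 10.1.4.22 www.symantec.com A
2006-08-16T09:14:05Z 10.1.4.22 POP.lovenickel.com. A
2006-08-16T09:15:11Z 10.1.4.31 mail.example.co.jp MX
2006-08-16T09:16:40Z 10.1.4.22 lovenickel.com A
"""

# Constructed .reg export of the Services key taken from an offline hive.
# "papi.exe" is a placeholder file name for the example; the post does not name the file.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"DisplayName"="DNS Client"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CAPAPI]
"ImagePath"="C:\\WINDOWS\\system32\\papi.exe"
"Start"=dword:00000002
"""


def normalize_qname(qname: str) -> str:
    """Lower-case and drop the trailing dot so 'POP.lovenickel.com.' compares equal."""
    return qname.rstrip(".").lower()


def matches_domain(qname: str, ioc: str) -> bool:
    """True if qname is the IOC host itself or a subdomain of it (match on a label boundary).

    The parent domain lovenickel.com is deliberately not matched: the post only names
    pop.lovenickel.com, so widening to the registered domain is an analyst decision.
    """
    n, i = normalize_qname(qname), normalize_qname(ioc)
    return n == i or n.endswith("." + i)


def scan_dns_log(text: str, ioc: str = C2_DOMAIN) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, qname) for every query that resolved the IOC host."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        ts, client, qname = parts[0], parts[1], parts[2]
        if matches_domain(qname, ioc):
            hits.append((ts, client, qname))
    return hits


_REG_KEY = re.compile(r"^\[(.+)\]$")
_REG_VALUE = re.compile(r'^"([^"]+)"=(.*)$')


def find_service(reg_export: str, service: str) -> Optional[Dict[str, str]]:
    """Return the values under Services\\<service> from a .reg export, or None if absent."""
    wanted = r"hkey_local_machine\system\currentcontrolset\services" + "\\" + service.lower()
    in_target = False
    values: Optional[Dict[str, str]] = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        key = _REG_KEY.match(line)
        if key:
            in_target = key.group(1).lower() == wanted
            if in_target:
                values = {}
            continue
        if not in_target:
            continue
        val = _REG_VALUE.match(line)
        if val:
            name, data = val.group(1), val.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes in string data; undo that for display.
                data = data[1:-1].replace("\\\\", "\\")
            values[name] = data
    return values


if __name__ == "__main__":
    for ts, client, qname in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS hit: {ts} {client} resolved {qname}")
    svc = find_service(SAMPLE_REG_EXPORT, SERVICE_NAME)
    if svc is None:
        print(f"service {SERVICE_NAME} not present in export")
    else:
        print(f"service {SERVICE_NAME} present: {svc}")
```

The DNS check matches on label boundaries so `notpop.lovenickel.com` does not produce a false hit, and the service lookup is case-insensitive because registry key names are. Both functions return data rather than printing it, so the same logic can be fed from a SIEM export or a parsed hive in production.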

So far we have seen this threat used only in a very limited, targeted attack; however, if the speculation about the timed releases of these exploits is correct, we need to stay alert and remain vigilant for more to appear.

For more information please see:
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-081615-5607-99
http://www.symantec.com/enterprise/security_response/writeup.js