MS Word: The Bug, the Exploit, the Attack
MS Word is under scrutiny again this month.We have some new and interesting details about the vulnerabilityreported by Microsoft on December 5 (referenced by CVE-2006-5994). Thestory shows how the road from a simple bug to a working exploit isshort and sometimes unpredictable.
This morning we analyzed some new samples that had been detected as Bloodhound.Exploit.106, which is a new heuristic detection released yesterday for the Microsoft Word zero-day vulnerability (described in Microsoft Security Advisory 929433). Among the submissions received from our customers we found a Word file that turned out to be a little gem.
We found a malicious Word document that was written in Portuguese and added detection for it as Trojan.Mdropper.T.The document contains an exploit that drops an executable file, whichthen installs a downloader threat and opens a clean Word document in anAsian language with some strange predictions about the future. Thedownloader then downloads a keylogger/infostealer. Detections for allof this malicious code are included in today's certified definitions.
This behaviour is quite ordinary for attacks involving the use ofunknown vulnerabilities. However, digging a little deeper, wediscovered a copy of the same Portuguese document publicly posted aspart of the QA test results of a free word processing application (thatis compatible with Microsoft Word). The original .doc file, which wasclearly flagged as malformed and capable of crashing Word, was postedin early November.
The Portuguese document and the malicious one that we detected asTrojan.Mdropper.T are almost identical (figure 1), but the second onewas reworked to achieve code execution. The original document ispublicly available on a number of Web sites, so we suspect themalicious code writers may have stumbled upon it and used it as a"template", transforming an innocent bug into a working exploit. Infact, the final malicious Word file contains an encrypted shellcode(probably generated using the Metasploit suite) and a maliciousexecutable file.
The writers then proceeded to spam it to users in Asia. If theunsuspected user opens the document, they won't see the actualPortuguese text, but instead those wacky predictions. However, in thebackground all the keys they press are being logged and sent to theattacker.