In these days of “zero-day”, I’ve analyzed many malicious files exploiting some of the recent MS Office vulnerabilities for Word, Excel and PowerPoint. The Trojan.Mdropper and Trojan.PPDropper families have grown very quickly in the last year, and I was trying to come up with some numbers by looking at the samples received here in the virus lab.
During my analysis I was surprised by some data about the number of samples picked up for Trojan.Mdropper.X. For most of these attacks the number of samples received for a single family is very low (usually fewer than five), which allows vendors to speak of “limited targeted attacks”. For Trojan.Mdropper.X, however, the situation was slightly different. The set of Mdropper.X samples exploiting the same CVE-2006-6456 vulnerability has up to 30 different .doc files at the moment, and it started to increase quickly in the last few months.
There was no evident reason behind these statistics. The obvious explanation seemed to be that one vulnerability could simply be easier to exploit (or more effective) than the others, and that this was influencing the underground trading of MS Office exploits. Those were my thoughts until yesterday, when I found a bizarre program on a Chinese Web site. The Chinese name of this program means “2007 Doc Binder”, and after further analysis I discovered that it is a kind of toolkit able to generate MS Word files that exploit the CVE-2006-6456 vulnerability.
The attacker only has to bind an executable, such as a backdoor or an infostealer trojan, and the tool does the rest: it creates a malicious MS Word file that drops and runs the chosen .exe file. There is no need to analyze buffer overflows, find return addresses, or write complicated shellcode. Zero knowledge, maximum result, minimal effort. Using this tool, an attacker could generate several variants of malicious documents in a few minutes and spam them out immediately, which is probably what happened in the attack we reported on January 30th on our blog.
We observed that the samples generated by this tool usually have the shellcode located around offset 0x16730. The shellcode starts with the magic value “C!29” (0x43213239), a static marker used by the exploit. The executable is encrypted with a trivial XOR and appended at the end of the .doc file. The generic detection for the Trojan.Mdropper.X family currently detects all the files generated by this tool. However, we have spotted some recent samples patched manually to evade AV detection, probably generated by newer versions of this tool, which is likely not the only one of its kind.
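The artifacts above (OLE2 container, the “C!29” marker near 0x16730, a trivially XOR-encrypted executable appended to the file) are enough to write a small triage script. The following is an added example, not Symantec’s detection code nor the toolkit’s own code. The XOR key and scheme are not given in the write-up, so the script assumes a single-byte key and recovers it by brute force against the DOS-stub string that every PE file carries; the sample document it builds is constructed here purely to exercise the checks and is not a real exploit file. Function names (`triage_doc`, `recover_xor_payload`, `build_synthetic_sample`) are hypothetical.

```python
"""Triage helper for Word files produced by a "2007 Doc Binder"-style tool.
Added example, not the vendor's or the tool's code.  Assumes a single-byte
XOR key (not stated in the write-up) and locates the payload by searching for
the XOR-encrypted DOS stub string present in every PE executable."""
from typing import Optional

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SHELLCODE_MARKER = b"C!29"          # 0x43213239, the static marker from the post
DOS_STUB = b"This program cannot be run in DOS mode"
EXPECTED_MARKER_OFFSET = 0x16730    # "usually around" this offset per the post


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (bytes.translate runs in C)."""
    table = bytes(b ^ key for b in range(256))
    return data.translate(table)


def find_marker_offsets(data: bytes) -> list:
    """Every offset of the C!29 marker.  Tool output should have one near
    EXPECTED_MARKER_OFFSET; hand-patched variants may move or drop it."""
    offsets, start = [], 0
    while (idx := data.find(SHELLCODE_MARKER, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def recover_xor_payload(data: bytes, search_from: int = 0) -> Optional[dict]:
    """Brute-force a single-byte XOR key (assumption, see lead-in) by looking
    for the encrypted DOS stub string, then walk back to the 'MZ' header.
    Key 0 also catches an unencrypted appended executable."""
    for key in range(256):
        idx = data.find(xor_bytes(DOS_STUB, key), search_from)
        if idx == -1:
            continue
        # The DOS stub string lives inside the first 0x100 bytes of a PE.
        pe_start = data.rfind(xor_bytes(b"MZ", key), max(0, idx - 0x100), idx)
        if pe_start == -1:
            continue
        return {"xor_key": key, "pe_offset": pe_start,
                "payload": xor_bytes(data[pe_start:], key)}
    return None


def triage_doc(data: bytes) -> dict:
    """Combine the checks into one verdict for a file's bytes."""
    markers = find_marker_offsets(data)
    hit = recover_xor_payload(data, markers[0] if markers else 0)
    return {
        "is_ole2": data.startswith(OLE2_MAGIC),
        "marker_offsets": markers,
        "marker_near_expected": any(abs(m - EXPECTED_MARKER_OFFSET) < 0x1000
                                    for m in markers),
        "xor_key": hit["xor_key"] if hit else None,
        "pe_offset": hit["pe_offset"] if hit else None,
        "payload": hit["payload"] if hit else None,
    }


def build_synthetic_sample(key: int = 0x5A) -> bytes:
    """Constructed stand-in for a tool-generated .doc (not a real exploit):
    OLE2 magic, zero filler up to 0x16730, the marker, placeholder shellcode,
    some more filler, then a fake PE header XORed with `key`."""
    fake_pe = (b"MZ" + b"\x00" * 0x3a + b"\x80\x00\x00\x00"          # e_lfanew
               + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
               + DOS_STUB + b"\r\r\n$" + b"\x00" * 32 + b"PE\x00\x00")
    body = OLE2_MAGIC
    body += b"\x00" * (EXPECTED_MARKER_OFFSET - len(body))
    body += SHELLCODE_MARKER + b"\x90" * 32 + b"\xcc"   # placeholder shellcode
    body += b"\x00" * 0x200                            # rest of the stream
    return body + xor_bytes(fake_pe, key)


if __name__ == "__main__":
    verdict = triage_doc(build_synthetic_sample())
    print({k: v for k, v in verdict.items() if k != "payload"})
```

Run it against a real suspect file with `triage_doc(open(path, "rb").read())`; a marker near 0x16730 plus a recoverable appended PE is a strong indicator of this toolkit, while a missing marker only means the file was not produced by this version of it (or was patched by hand, as the post notes), so the XOR-payload check is the one worth keeping even when the marker has been removed.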
If the number of Trojan.Mdropper.X samples continues to rise in the next few weeks, it would probably be more correct to speak of “not-so-limited targeted attacks” in the future.
It’s worth mentioning that CVE-2006-6456 was patched by Microsoft in February with the MS07-014 bulletin.