Almost a year has passed since we last blogged about a new undocumented vulnerability in JustSystems’ Ichitaro software, and along with the ever-stunning new pink and white blossoms of spring, 2010’s first offering has surfaced. As we have reported on several occasions over the years (see below), Ichitaro is a popular word processing program in Japan.
Justsystem's Ichitaro zero-day used to propagate Trojan (August 16th, 2006)
New fiscal year in Japan, new zero-day in Justsystem's Ichitaro (April 7th, 2007)
Unknown Exploit Compromises Ichitaro (August 2nd, 2007)
Zero-day Vulnerabilities: Following the Trailblazers (December 13th, 2007)
New Ichitaro Vulnerability Right on Cue (March 17th, 2009)
This time around, the specially crafted Ichitaro word document creates files in both the %Temp% and %System% directories, in addition to creating and opening a file (this one in the %CurrentFolder% folder) that appears to be a template for a Japanese resume.
The harmless blank resume will be seen by the user but the creation and presence of the three malicious files is of course hidden from view. One of the three files attempts to open a back door on the compromised computer connecting to the domain japan003.myfw.us via TCP port 11229. If the back door is opened successfully, the threat is then capable of downloading and executing a file or files from a remote location. It’s worth noting that japan003.myfw.us is hosted on a server in Taiwan even though the hostname implies it is located in the United States.
Additional details can be found in the Trojan.Taradrop.I write-up.
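The network behaviour described above gives defenders two things to search for in outbound connection logs: the hostname japan003.myfw.us and TCP port 11229. The following is an added example, not code from the original post or from Symantec; the log format, the sample lines and the function names are assumptions constructed for illustration.

```python
"""Flag outbound connections matching the network indicators in this post."""

C2_DOMAIN = "japan003.myfw.us"   # hostname named in the post
C2_PORT = 11229                  # TCP port named in the post

# Constructed sample log (assumed format): time src_ip dst_host dst_port proto
SAMPLE_LOG = """\
2010-04-01T09:12:03 10.0.0.21 www.example.com 80 tcp
2010-04-01T09:12:44 10.0.0.37 JAPAN003.MYFW.US. 11229 tcp
2010-04-01T09:13:10 10.0.0.37 192.0.2.55 11229 tcp
2010-04-01T09:13:12 10.0.0.40 192.0.2.55 11229 udp
2010-04-01T09:14:00 10.0.0.52 japan003.myfw.us 443 tcp
2010-04-01T09:14:30 truncated line
2010-04-01T09:15:02 10.0.0.60 notjapan003.myfw.us 80 tcp
"""


def normalize_host(host):
    """Lower-case and strip the trailing root dot so FQDN variants compare equal."""
    return host.strip().lower().rstrip(".")


def classify(dst_host, dst_port, proto):
    """Return 'domain', 'port-only', or None for one connection record."""
    if normalize_host(dst_host) == C2_DOMAIN:
        return "domain"          # exact hostname match, on any port
    if proto.lower() == "tcp" and dst_port == C2_PORT:
        return "port-only"       # same TCP port to another host: needs review
    return None


def find_hits(log_text):
    """Parse the log and return (line_number, src_ip, match_kind) tuples."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) != 5 or not fields[3].isdigit():
            continue             # skip malformed records instead of crashing
        _, src_ip, dst_host, dst_port, proto = fields
        kind = classify(dst_host, int(dst_port), proto)
        if kind:
            hits.append((number, src_ip, kind))
    return hits


if __name__ == "__main__":
    for number, src_ip, kind in find_hits(SAMPLE_LOG):
        print(f"line {number}: {src_ip} -> {kind} match")
```

A "domain" hit is a direct match on the indicator; a "port-only" hit covers logs that record only the resolved IP address and should be treated as a lead to review, not a confirmed compromise.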
We are working closely with JustSystems on this issue and they have informed us that a fix is now available. We recommend that Ichitaro users apply this patch as soon as possible. This patch is for Ichitaro 2010, Ichitaro 2009 and Ichitaro Government 2009. Patches for Ichitaro 2010 Trial Version, Ichitaro 2008, Ichitaro Government 2008, Ichitaro 2007, Ichitaro Government 2007, Ichitaro 2006, and Ichitaro Government 2006 are currently under development.