Within the last 24 hours, Security Response has discovered a newattack which exploits a previously undocumented vulnerability inMicrosoft Word. The malicious Microsoft Word document is emailed to thevictim as an attachment, and upon being opened, it installs an embeddedTrojan horse program we are calling Trojan.Mdropper.H.
Thedropper Trojan then installs a backdoor, Backdoor.Ginwui, which binds acommand shell for allowing remote access to the victim machine by theattacker and contacts a remote web server via HTTP. Both the source andthe target of the attack were based in Asia. The Web site thatBackdoor.Ginwui was contacting every minute via HTTP POST commands hasbeen taken down, though the IP addresses were being juggled by theattacker.
Security Response has seen a number of attacks like this of late andit really serves to underscore the new threat landscape we’re dealingwith today. Here’s a few of the signs of the time illustrated by thislatest attack.
In contrast to widespread threats like Nimda and MyDoom, we nowoften see Trojans that are created for a specific victim. As opposed toa generic enticement (“Check out Anna Kournikova!”), the email messageis personalized to the audience (“Hey Dave, I know you’re interested inSCUBA diving. Saw this photo of a shark and thought of you”). Customthreats like this will never be as virulent as something like theMelissa virus, but they can be so well-crafted that they may sneakunder the radar of even a sophisticated user.
The Microsoft WMF vulnerability set an ominous tone for 2006 as itwas discovered when it was being exploited in the wild. The same ideaapplies here: an undocumented vulnerability that is only discoveredafter it is already being exploited. A key difference between the twois that the Microsoft WMF vulnerability was being exploited on a widescale, whereas this vulnerability does not appear to be exploitedbeyond a targeted attack. The current attack is much lower risk, unlessyou’re the unfortunate soul who is the victim of the “just for you”exploit. From WMF at the beginning of the year until now, we’veobserved more of these flaws where our analysis of an exploit andmalware reveals a never-before-seen vulnerability.
These zero-days flaws are now being exchanged for cash or othercompensation in the underground and serve to open doors for criminalsand others to steal identities, intellectual property, install adwareand spyware, etc. While the security and software industry in generalhave made strides in proper vulnerability disclosure, these people haveno interest in playing but OIS (or any other) guidelines. Their successis completely dependent on the vulnerability not being disclosed atall.
Backdoor.Ginwui leverages stealth techniques to hide its binaries,keeping them from being displayed in Explorer and after the “dirty”Word document exploit is executed it would display an actual, “clean”Word document upon winword.exe re-starting. As the motivation ofmalware authors’ has shifted from fame to fortune, stealth is now thename of the game. Sometimes this means malware coupled with full-blown,kernel-mode rootkit features, other times we’re seeing fairly basicsleight-of-hand gestures to try and evade detection. Either way,stealth is here to stay.