Symantec Blogs: Security Response

John Canavan | November 20th, 2006


In the early part of this year, W32.Blackmal.E@mm and OSX.Leap.A received near blanket coverage from the technical media. W32.Blackmal.E@mm was a mass-mailing worm with two particular features that ensured it quickly became a focus of attention. When run, the worm would execute a web-based PHP script, which was intended to function as an infection counter. Cue the daily tech-blog updates: "Clock ticking for Nyxem virus" (Slashdot), "Blackworm worm over 1.8 million infestations and climbing" (Sunbelt). Even the fancy animated .gif of a counter shot up from 398,000 to 440,000 in seconds (F-Secure). Couple this with the fact that the worm was programmed to delete files with a number of common extensions on the third of the next month, and there's a storm a brewin': "Kama Sutra...

John Canavan | August 15th, 2006

In recent months, we have seen a number of zero-day Microsoft Office exploits used to drop Trojan horses on affected systems. The release of the exploits had been timed so that a zero-day exploit surfaced the day after Microsoft released their patches. The timing of these releases was noted by Symantec Security Response, and it was speculated that the people behind these exploits had discovered multiple vulnerabilities in Microsoft Office and were holding back on releasing them, in order to maximize the time-to-patch for each of their finds.

Today, we have seen another targeted attack on a document editing suite; however, this time around it is Justsystem's Ichitaro. Ichitaro is a word processing program widely used in Japan.

The malicious document uses a Unicode stack overflow to execute its code on the system, dropping and executing a Trojan horse named Backdoor.Papi. When run, Backdoor.Papi copies itself to the %system% directory, creates a service named CAPAPI...