Alert Raised for MS Word Zero-Day Attack (latest vulnerability status report)

Original, 2006-05-24 13:18:00

A zero-day flaw in the ubiquitous Microsoft Word software program is being used in an active exploit by sophisticated hackers in China and Taiwan, according to warnings from anti-virus researchers.

Symantec's DeepSight Threat Analyst Team has escalated its ThreatCon level after confirming the unpatched vulnerability is being used "against select targets."

The exploit arrives as an ordinary Microsoft Word document attached to an e-mail. When the user opens the document, the vulnerability is triggered and drops a backdoor with rootkit features that hide it from anti-virus scanners.

The SANS ISC (Internet Storm Center) said in a diary entry that it received reports of the exploit from an unnamed organization that was targeted. "The e-mail was written to look like an internal e-mail, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software," said Chris Carboni, an ISC incident handler tracking the attack.

When the .doc attachment is opened, it exploits a previously unknown vulnerability in Microsoft Word and infects a fully patched Windows system. The exploit functions as a dropper: it extracts and launches a Trojan that immediately overwrites the original Word document with a "clean," uninfected copy, so the malicious file is no longer on disk once the infection has taken hold.

"As a result of the exploit, Word crashes, informs the user of a problem, and offers to attempt to re-open the file. If the user agrees, the new 'clean' file is opened without incident," the ISC explained.

Microsoft has been notified and is working with security researchers to investigate the bug.

Roger Thompson, chief technical officer at Atlanta-based Exploit Prevention Labs, said the attack "feels like espionage, perhaps industrial."

After looking at a sample of the malware code, Thompson said the backdoor is programmed to call back to a server in China to report information about what the infected system looks like.

In addition to providing reconnaissance, the backdoor can connect to specified addresses to receive commands from the malicious attacker.

Finnish anti-virus vendor F-Secure said a successful exploit allows the attacker to create, read, write, delete and search for files and directories; access and modify the Registry; manipulate services; start and kill processes; take screenshots; enumerate open windows; create its own application window; and lock, restart or shut down Windows.

The ISC said the attack was traced to the Far East, with domains and IP addresses associated with the Trojan registered in China and Taiwan. "The [attack] e-mails received originated from a server in that region. The attackers appear to be aware that they have been 'outed,' and have been routinely changing the IP address associated with the URL above," the Storm Center said.

Symantec's DeepSight team said the exploit successfully executes shellcode when it is processed by Microsoft Word 2003. The malicious file caused Microsoft Word 2000 to crash, but shellcode execution did not occur.

As a temporary mitigation, Symantec is recommending that Microsoft Word document e-mail attachments be blocked at the network perimeter. "Furthermore, extreme caution should be exercised while processing Microsoft Word attachments received as an unexpected e-mail attachment," company officials said.
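The perimeter filter Symantec suggests is easy to state and easy to get wrong. The following is an added example, not code from the original article or from any of the vendors it quotes: a minimal mail-gateway check that flags Word attachments in an RFC 822 message. It goes beyond the advice as worded by not trusting the file name alone: a part is treated as a Word document if its declared MIME type, its extension, or its leading bytes (the OLE2 compound-file signature that binary .doc files start with) say so, since an attacker controls all three and a filter keyed on the extension is trivially bypassed. Each flagged part is also hashed, which serves the "clean copy" behaviour described earlier: because the dropper overwrites the original document, the hash of the attachment in the mail store will differ from the hash of the document found on a victim's disk, and that mismatch is itself an indicator for a responder. The sample message, its addresses and its attachment bytes are constructed for this example; the function names are my own.

```python
"""Added example (not part of the original article): flag Microsoft Word
attachments at a mail gateway and record their hashes for later comparison.

Sample message, addresses and attachment contents below are constructed."""

import email
import hashlib
from email import policy
from email.message import EmailMessage

# Magic number of an OLE2 compound document, the container used by
# binary .doc files: D0 CF 11 E0 A1 B1 1A E1.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
WORD_MIME_TYPES = {"application/msword", "application/vnd.ms-word"}
WORD_EXTENSIONS = (".doc", ".dot", ".wbk")


def looks_like_word(part) -> tuple:
    """Return (is_word, reason) for one non-multipart MIME part.

    The three signals are checked independently so that a lying
    Content-Type or a renamed file does not defeat the filter."""
    ctype = part.get_content_type()
    filename = (part.get_filename() or "").lower()
    payload = part.get_payload(decode=True) or b""
    if ctype in WORD_MIME_TYPES:
        return True, f"content-type {ctype}"
    if filename.endswith(WORD_EXTENSIONS):
        return True, f"file name {filename}"
    if payload.startswith(OLE2_MAGIC):
        return True, "OLE2 signature in payload"
    return False, ""


def scan_message(raw: bytes) -> list:
    """Walk every MIME part and return the Word attachments found,
    each with the reason it was flagged and its SHA-256."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        is_word, reason = looks_like_word(part)
        if not is_word:
            continue
        payload = part.get_payload(decode=True) or b""
        findings.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "reason": reason,
            "size": len(payload),
            # Keep this hash: a document on a victim's disk with a
            # different hash has been replaced, as the article describes.
            "sha256": hashlib.sha256(payload).hexdigest(),
        })
    return findings


def should_block(raw: bytes) -> bool:
    """Perimeter decision: reject any message carrying a Word attachment."""
    return bool(scan_message(raw))


def build_sample() -> bytes:
    """Constructed sample: a mail written to look internal, carrying
    one renamed OLE2 file, one .doc by extension only, and one harmless
    text attachment."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Updated figures"
    msg.set_content("Please review the attached document.\n\n-- \nColleague")
    # Extension and MIME type lie; only the leading bytes reveal OLE2.
    fake_doc = OLE2_MAGIC + b"\x00" * 64
    msg.add_attachment(fake_doc, maintype="application",
                       subtype="octet-stream", filename="figures.txt")
    # Caught by extension even though the bytes are not a real .doc.
    msg.add_attachment(b"not really a word file", maintype="application",
                       subtype="octet-stream", filename="memo.doc")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in scan_message(build_sample()):
        print(hit)
    print("block:", should_block(build_sample()))
```

In production the same three checks belong in the gateway's own attachment filter rather than a standalone script; the point is that all three signals are evaluated, and that the hash of what was delivered is retained so the "clean" replacement on disk can be told apart from the file that was actually opened.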
