Alert Raised for MS Word Zero-Day Attack (Latest Vulnerability Status Report)

Original post, 2006-05-24 13:18:00
A zero-day flaw in the ubiquitous Microsoft Word software program is being used in an active exploit by sophisticated hackers in China and Taiwan, according to warnings from anti-virus researchers.

Symantec's DeepSight Threat Analyst Team has escalated its ThreatCon level after confirming the unpatched vulnerability is being used "against select targets."

The exploit arrives as an ordinary Microsoft Word document attachment to an e-mail. However, when the user opens the document, the vulnerability is triggered to drop a backdoor with rootkit features that mask it from anti-virus scanners.

The SANS ISC (Internet Storm Center) said in a diary entry that it received reports of the exploit from an unnamed organization that was targeted. "The e-mail was written to look like an internal e-mail, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software," said Chris Carboni, an ISC incident handler tracking the attack.

When the .doc attachment is opened, it exploits a previously unknown vulnerability in Microsoft Word and infects a fully patched Windows system. The exploit functioned as a dropper, extracting and launching a Trojan that immediately overwrites the original Word document with a "clean," uninfected copy.


"As a result of the exploit, Word crashes, informs the user of a problem, and offers to attempt to re-open the file. If the user agrees, the new 'clean' file is opened without incident," the ISC explained.

Microsoft has been notified and is working with security researchers to investigate the bug.

Roger Thompson, chief technical officer at Atlanta-based Exploit Prevention Labs, said the attack "feels like espionage, perhaps industrial."

After looking at a sample of the malware code, Thompson said the backdoor is programmed to call back to a server in China to report information about what the infected system looks like.

In addition to providing reconnaissance, the backdoor can connect to specified addresses to receive commands from the malicious attacker.

Finnish anti-virus vendor F-Secure said a successful exploit allows the attacker to create, read, write, delete and search for files and directories; access and modify the Registry; manipulate services; start and kill processes; take screenshots; enumerate open windows; create its own application window; and lock, restart or shut down Windows.

The ISC said the attack was traced to the Far East, with domains and IP addresses associated with the Trojan registered in China and Taiwan. "The [attack] e-mails received originated from a server in that region. The attackers appear to be aware that they have been 'outed,' and have been routinely changing the IP address associated with the URL above," the Storm Center said.

Symantec's DeepSight team said the exploit successfully executes shellcode when it is processed by Microsoft Word 2003. The malicious file caused Microsoft Word 2000 to crash, but shellcode execution did not occur.

As a temporary mitigation method, Symantec is recommending that Microsoft Word document e-mail attachments be blocked at the network perimeter. "Furthermore, extreme caution should be exercised while processing Microsoft Word attachments received as an unexpected e-mail Attachment," company officials said.
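The perimeter filtering Symantec recommends above has to cope with the fact that the lure in this attack was an ordinary-looking attachment addressed by name to the victim, so a gateway rule that keys only on the declared filename or MIME type is easy to sidestep. The following is an added example (not code from the article, Symantec, the ISC, or any vendor named here) of a mail-gateway check that flags Word binary attachments using three independent signals: the declared content type, the filename extension, and the OLE2 compound-document magic bytes that every legacy `.doc` file starts with. The sample e-mail, its filenames and its attachment contents are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Magic bytes of an OLE2 compound document, the container format used by
# legacy Word (.doc) files. Checking these catches an attachment that has been
# renamed to hide its type (assumption: the gateway can read the decoded body).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
WORD_EXTENSIONS = (".doc", ".dot", ".wbk")
WORD_MIME_TYPES = {"application/msword", "application/vnd.ms-word"}


def is_word_document(part) -> bool:
    """Return True when a MIME part looks like a Word binary document.

    Any one of the three signals is enough, so a mis-labelled or renamed
    attachment is still flagged.
    """
    filename = (part.get_filename() or "").lower()
    ctype = part.get_content_type().lower()
    payload = part.get_payload(decode=True) or b""
    return (
        ctype in WORD_MIME_TYPES
        or filename.endswith(WORD_EXTENSIONS)
        or payload.startswith(OLE2_MAGIC)
    )


def word_attachments(raw_message: bytes) -> list:
    """Parse a raw RFC 5322 message and list the attachments to quarantine."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [
        part.get_filename() or "<unnamed>"
        for part in msg.iter_attachments()
        if is_word_document(part)
    ]


def build_sample_message() -> bytes:
    """Construct a test e-mail (made up for this example) with three attachments:
    a real .doc, a .doc renamed to .txt, and an unrelated PNG."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"   # constructed, internal-looking sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Quarterly figures, please review"
    msg.set_content("Attached as discussed.\n-- \nA. Colleague")
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 64, maintype="application",
                       subtype="msword", filename="report.doc")
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 64, maintype="text",
                       subtype="plain", filename="notes.txt")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, maintype="image",
                       subtype="png", filename="chart.png")
    return bytes(msg)


if __name__ == "__main__":
    for name in word_attachments(build_sample_message()):
        print("quarantine:", name)
```

The `notes.txt` attachment is reported alongside `report.doc` purely because of its magic bytes, which is the case a name-based block list misses; the PNG passes. In production the same function would sit in the gateway's attachment hook, and a hit would quarantine the message rather than just print its name.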
