Posted 12-13-2006, 03:02 PM by Symantec (Senior Member; Join Date: Oct 2006; Posts: 295)
MS Word: The Bug, the Exploit, the Attack
<p>MS Word is under scrutiny again this month. We have some new and interesting details about the vulnerability reported by Microsoft on December 5 (referenced by CVE-2006-5994). The story shows how the road from a simple bug to a working exploit is short and sometimes unpredictable.</p>

<p>This morning we analyzed some new samples that had been detected as <a href="http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-121214-0359-99">Bloodhound.Exploit.106</a>, which is a new heuristic detection released yesterday for the Microsoft Word zero-day vulnerability (described in <a href="http://www.microsoft.com/technet/security/advisory/929433.mspx">Microsoft Security Advisory 929433</a>). Among the submissions received from our customers we found a Word file that turned out to be a little gem.</p>

<p>We found a malicious Word document that was written in Portuguese and added detection for it as <a href="http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-121311-5725-99">Trojan.Mdropper.T</a>. The document contains an exploit that drops an executable file, which then installs a downloader threat and opens a clean Word document in an Asian language with some strange predictions about the future. The downloader then downloads a keylogger/infostealer. Detections for all of this malicious code are included in today's certified definitions.</p>

<p>This behaviour is quite ordinary for attacks involving the use of unknown vulnerabilities. However, digging a little deeper, we discovered a copy of the same Portuguese document publicly posted as part of the QA test results of a free word processing application (that is compatible with Microsoft Word). The original .doc file, which was clearly flagged as malformed and capable of crashing Word, was posted in early November.</p>

<p><a href="http://www.symantec.com/enterprise/security_response/weblog/upload/2006/12/MSWordzero-day_fig1_lrg.html"><img src="http://www.symantec.com/enterprise/security_response/weblog/upload/2006/12/MSWordzero-day_fig1_sml.jpeg" width="370" height="274" /></a><br />
<strong>Figure 1</strong></p>

<p>The Portuguese document and the malicious one that we detected as Trojan.Mdropper.T are almost identical (figure 1), but the second one was reworked to achieve code execution. The original document is publicly available on a number of Web sites, so we suspect the malicious code writers may have stumbled upon it and used it as a "template", transforming an innocent bug into a working exploit. In fact, the final malicious Word file contains an encrypted shellcode (probably generated using the Metasploit suite) and a malicious executable file.</p>

<p>The writers then proceeded to spam it to users in Asia. If the unsuspecting user opens the document, they won't see the actual Portuguese text, but instead those wacky predictions. However, in the background all the keys they press are being logged and sent to the attacker.</p>
http://www.symantec.com/enterprise/security_response/weblog/2006/12/ms_word_the_bug_the_exploit_th.html
Wed, 13 Dec 2006 09:45:00 -0800
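The post above notes that the reworked document carries encrypted shellcode plus a malicious executable that the exploit drops. A quick triage check an analyst can run on a suspect .doc before it ever reaches Word is to scan the file for an embedded PE image, both in the clear and under a single-byte XOR key, which is the simplest "encryption" droppers of this era used. The script below is an added example and is not Symantec's code or anything from the original post; the sample document it scans is constructed inline, and the single-byte XOR assumption is the author's, since the post does not say how the real sample encoded its payload.

```python
"""Triage: look for an embedded (possibly single-byte-XOR-obfuscated) PE image in a .doc file.

Added example, not code from the Symantec post. Assumes the payload is stored in the clear
or under a single-byte XOR key; the real sample's encoding is not stated in the post.
"""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # OLE2 compound file signature (.doc)
DOS_STUB = b"This program cannot be run in DOS mode"       # text in every standard MZ stub


def is_ole2(data: bytes) -> bool:
    """True if the blob starts with the OLE2 compound-file magic used by binary .doc files."""
    return data[:8] == OLE_MAGIC


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_embedded_pe(data: bytes):
    """Return [(mz_offset, xor_key), ...] for each PE image found under any single-byte key.

    Strategy: the DOS stub string is long and distinctive, so search for it under all 256
    keys, then confirm a decoded 'MZ' header shortly before it whose e_lfanew points at a
    decoded 'PE\\0\\0' signature. Both checks must agree, which rules out chance matches.
    """
    hits = []
    for key in range(256):
        needle = xor_bytes(DOS_STUB, key)
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx == -1:
                break
            start = idx + 1
            # The stub text normally sits at 0x4E; scan a window backwards to be tolerant.
            for back in range(0x40, 0x100):
                o = idx - back
                if o < 0:
                    break
                if xor_bytes(data[o:o + 2], key) != b"MZ":
                    continue
                hdr = xor_bytes(data[o:o + 0x40], key)
                if len(hdr) < 0x40:
                    continue
                e_lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
                pe_off = o + e_lfanew
                if xor_bytes(data[pe_off:pe_off + 4], key) == b"PE\0\0":
                    hits.append((o, key))
                    break
    return hits


def build_fake_pe() -> bytes:
    """Constructed payload: minimal MZ header, stub text at 0x4E, e_lfanew=0x80, PE sig at 0x80."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    return bytes(hdr) + b"PE\0\0" + b"\x4c\x01" + b"\0" * 64   # i386 COFF header start


def build_sample_doc(key: int) -> bytes:
    """Constructed .doc-like blob: 512-byte OLE header sector, filler, then the XOR-encoded payload.

    The payload lands at offset 1536 (512 + 1024)."""
    header_sector = OLE_MAGIC + b"\0" * (512 - len(OLE_MAGIC))
    filler = b"\0" * 1024                        # stand-in for the real Word streams
    return header_sector + filler + xor_bytes(build_fake_pe(), key) + b"\0" * 64


if __name__ == "__main__":
    sample = build_sample_doc(0x5A)
    print("OLE2 container:", is_ole2(sample))
    for off, key in find_embedded_pe(sample):
        print(f"embedded PE at offset {off:#x}, XOR key {key:#04x}")
```

Run against a real suspect file with `find_embedded_pe(open(path, "rb").read())`. A hit is not proof of the exploit, since legitimate documents can legitimately embed OLE objects that contain executables, but a PE hidden under a XOR key inside a Word file is the kind of finding that should send the document to a sandbox rather than to a user.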