New Zero Day Attack Targets Word Users
By Jennifer LeClaire
TechNewsWorld
05/22/06 9:07 AM PT
"Prevention is key," said iDefense Senior Engineer Ken Dunham. "Indications are that a patch should be coming out by the next Patch Tuesday or sooner. This is not considered to be a major threat for everyone, but it is a threat for whoever is targeted by these attackers."

Rackspace now offers green hosting solutions at the same cost without sacrificing performance. We make it easy for our customers to choose a green configuration or customize one that works for your business needs. Make the eco-friendly choice.
Attack Scheme
Zero day flaws are vulnerabilities for which no patch exists. This particular attack, which Symantec is labeling Trojan.Mdropper.H, is launched with an e-mail that offers an attached file that appears to be a Word document.
When the recipient opens the document, it executes a Trojan, which then installs malware dubbed "Backdoor.Ginwui" on the PC. The backdoor installs a rootkit to hide itself and makes room for a hacker's dirty work. Symantec reported that Ginwui gathers system information, gives the attacker access to the cmd.exe shell, and transmits screenshots to the hacker.
"There are some embedded objects and hostile content that's put inside of this downloaded Word document. If a user double clicks on it, then it will then cause your Microsoft Word application to display errors and freeze up. Meanwhile, in the background, malicious code of choice is being installed," iDefense Senior Engineer Ken Dunham told TechNewsWorld.
Stealthy Rootkits
iDefense reported finding two hostile doc files associated with this attack. One of them, the rootkit, is extremely stealthy. In fact, Dunham said traditional programs like Rootkit Revealer and Blacklight do not detect the attack, which was developed by an individual who goes by the screen name of Wicked Rose.
While most attacks today are motivated by money, this zero day attack is being leveraged for specific, yet unknown, purposes. The attackers are hoping to get unauthorized access to particular networks. These attackers, Dunham added, know plenty about their targets and are quick to leverage successful attacks.
"The actual exploit causes your Word application to crash," Dunham said. "So as a result, it's very noticeable. It would require the attacker to formulate a rapid response to it. That certainly is within the means and capabilities of these attackers."
Mitigating the Risk
Symantec recommends training employees not to open attachments unless they are expecting to receive them. It also warns not to execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
Some companies are choosing to block all Word files and/or Office documents, according to Dunham. Companies may also want to block the known domains that have been used. The attacks are related to the 3322.org and scfzf.xicp.net domains.
"Prevention is key. Indications are that a patch should be coming out by the next Patch Tuesday or sooner. This is not considered to be a major threat for everyone, but it is a threat for whoever is targeted by these attackers," Dunham concluded.