Alert Raised for MS Word Zero-Day Attack

A zero-day vulnerability in Microsoft Word is being used in specific, targeted attacks; the flaw is being exploited to deliver a rootkit-type backdoor that does reconnaissance on an infected machine and reports back to a server in China.

A zero-day flaw in the ubiquitous Microsoft Word software program is being used in an active exploit by sophisticated hackers in China and Taiwan, according to warnings from anti-virus researchers.

Symantecs DeepSight Threat Analyst Team has escalated its ThreatCon level after confirming the unpatched vulnerability is being used "against select targets."

The exploit arrives as an ordinary Microsoft Word document attachment to an e-mail. However, when the document is launched by the user the vulnerability is triggered to drop a backdoor with rootkit features to mask itself from anti-virus scanners.

The SANS ISC (Internet Storm Center) said in a diary entry that it received reports of the exploit from an unnamed organization that was targeted. "The e-mail was written to look like an internal e-mail, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software," said Chris Carboni, an ISC incident handler tracking the attack.

When the .doc attachment is opened, it exploits a previously unknown vulnerability in Microsoft Word and infects a fully patched Windows system. The exploit functioned as a dropper, extracting and launching a Trojan that immediately overwrites the original Word document with a "clean," uninfected copy.

"As a result of the exploit, Word crashes, informs the user of a problem, and offers to attempt to re-open the file. If the user agrees, the new clean file is opened without incident," the ISC explained.

Microsoft has been notified and is working with security researchers to investigate the bug.

Roger Thompson, chief technical officer at Atlanta-based Exploit Prevention Labs, said the attack "feels like espionage, perhaps industrial."

After looking at a sample of the malware code, Thompson said the backdoor is programmed to call back to a server in China to report information about what the infected system looks like.

In addition to providing reconnaissance, the backdoor can connect to specified addresses to receive commands from the malicious attacker.

Finnish anti-virus vendor F-Secure said a successful exploit allows the attacker to create, read, write, delete and search for files and directories; access and modify the Registry; manipulate services; start and kill processes; take screenshots; enumerate open windows; create its own application window; and lock, restart or shut down Windows.

The ISC said the attack was traced to the Far East, with domains and IP addresses associated with the Trojan registered in China and Taiwan. "The [attack] e-mails received originated from a server in that region. The attackers appear to be aware that they have been outed, and have been routinely changing the IP address associated with the URL above," the Storm Center said.

Symantecs DeepSight team said the exploit successfully executes shellcode when it is processed by Microsoft Word 2003. The malicious file caused Microsoft Word 2000 to crash, but shellcode execution did not occur.

As a temporary mitigation method, Symantec is recommending that Microsoft Word document e-mail attachments be blocked at the network perimeter. "Furthermore, extreme caution should be exercised while processing Microsoft Word attachments received as an unexpected e-mail Attachment," company officials said.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.