Zero-Day Attackers Target Japanese Word Processor

Microsoft Office isnt the only word-processing software at risk of zero-day hacker attacks.

According to a warning from anti-virus vendor Symantec, attackers are exploiting a previously undocumented vulnerability in Ichitaro, a word processor produced by Justsystems, a Japanese software company.

Ichitaro, which is widely used by central and local governments as well as educational institutions in Japan, is the main product sold by Justsystems.

Symantec virus researcher John Canavan said in an advisory that attackers were using maliciously rigged documents to exploit a unicode stack overflow in the software to execute code on the underlying operating system.

He said the attack included the use of a Trojan horse named Infostealer.Papi, which is used to spy on the target system and relay information back to the attackers.

/zimages/2/28571.gifTo read more about an upsurge in flaws in Microsoft Office applications, click here.

The Ichitaro attacks closely resemble the recent wave of zero-day attacks against Microsoft Office programs and suggest that corporate espionage may be the main motive.

Over the last three months, malicious Office documents have been used in targeted attacks against Microsoft Word, Excel and PowerPoint users. In all three cases, the attackers used reconnaissance Trojans capable of hijacking sensitive data from the target.

In the Ichitaro case, Canavan said that the Infostealer.Papi Trojan is put on the machine by Tarodrop, which comes in via the software flaw.

The Trojan copies itself to the system directory, creates a service named CAPAPI and drops an ancillary DLL file that contains its main functionality, Canavan explained.

“A copy of its DLL is then injected into each running process to gather system information and relay it back to the Trojans authors at pop.lovenickel.com. Similar to Trojans dropped by variants of the Trojan.Mdropper family, this domain is registered in China,” he added.

According to the Symantec advisory, the threat remains “a very limited, targeted attack.”

“However, if the speculations about the timed releases of these exploits are indeed correct, we need to be on alert and remain vigilant for when more appear,” Canavan warned.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.