MessageLabs Stops New Zero-day Targeted Email Attack and Uncovers New Microsoft Word Vulnerability


MessageLabs' proactive heuristic anti-virus engine, Skeptic, detected and stopped a new targeted email attack that exploited a new, previously unknown Microsoft Word vulnerability. This attack differed from previous attacks stopped by MessageLabs and did not match the techniques used by previously identified targeted-attack senders.

MessageLabs recommends that all email users outside the MessageLabs network not open documents from untrusted sources and use extreme caution even when opening documents from trusted sources.

This attack used a new, previously unknown and unannounced zero-day vulnerability in Microsoft Word. Although the attack itself lasted only four seconds and consisted of three copies of the same malware sent to very specific people in high-profile organizations, undetected copies could compromise the security of the targeted organizations. The attack appears to be designed to access confidential information through the victim's computer.

In this instance, the attack emails originated from a Yahoo email account, which the attacker, unusually, accessed through webmail over a mobile-device CDMA link to further hide his identity.

Detection of this attack was only possible because of the highly sophisticated heuristic rules MessageLabs is able to deploy in Skeptic, which operates in a fully managed environment with a global view of all threats and email traffic.

The content of the emails focused on current issues in Iran and questions around its nuclear program, and was tailored to the recipients so as to appear trustworthy. The email carried an attachment called "Rapid Response issues.doc," which contained the malware exploiting the new, unannounced zero-day Word vulnerability.

The vulnerability causes Word to drop an executable file, execute it, and exit. That executable in turn drops a second, clean Word document with a name similar to the original file, together with another executable file. The clean document is then opened; it does contain some text about the political situation around Iran, so the recipient is led to believe that nothing unusual has happened. Meanwhile, the dropped executable is launched by the dropper. It then remains resident in memory and performs a number of malicious actions: waiting for remote commands sent to another email address, checking a particular web address (possibly for updates or for remote commands), and gathering information about the system it is running on. Once specific information about the system has been collected, it is sent to a particular email address.
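As an added illustration, not part of the MessageLabs report, the chain described above maps onto a process-lineage check a defender can run over endpoint process-creation telemetry: Word spawning a non-Office executable, which then re-opens a similarly named document in Word and launches a further executable. The events, paths and executable names below are constructed; only the original attachment name comes from the report.

```python
import re
import ntpath
from difflib import SequenceMatcher
# Constructed process-creation events (pid, ppid, image, command line); paths and
# executable names are invented, only the original attachment name is from the report.
TMP = r"C:\Documents and Settings\jdoe\Local Settings\Temp"
WORD = r"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"
EVENTS = [
    (100, 50, WORD, r'"WINWORD.EXE" /n "C:\Documents and Settings\jdoe\Desktop\Rapid Response issues.doc"'),
    (101, 100, TMP + r"\dropper.exe", TMP + r"\dropper.exe"),            # Word spawned an .exe
    (102, 101, WORD, '"WINWORD.EXE" /n "' + TMP + r'\Rapid Response issue.doc"'),  # decoy re-opened
    (103, 101, TMP + r"\svc.exe", TMP + r"\svc.exe"),                    # resident second stage
    (200, 50, WORD, r'"WINWORD.EXE" /n "C:\Documents and Settings\jdoe\My Documents\budget.doc"'),
]
DOC_RE = re.compile(r'"([^"]+\.doc)"', re.IGNORECASE)

def doc_from_cmdline(cmdline):
    """Document path passed to Word on its command line, or None."""
    m = DOC_RE.search(cmdline)
    return m.group(1) if m else None

def is_word(image):
    return ntpath.basename(image).lower() == "winword.exe"

def name_similarity(a, b):
    """Case-insensitive similarity (0..1) of two document file stems."""
    stem = lambda p: ntpath.splitext(ntpath.basename(p))[0].lower()
    return SequenceMatcher(None, stem(a), stem(b)).ratio()

def find_word_dropper_chains(events, threshold=0.7):
    """Flag Word -> dropped executable -> (decoy doc re-opened in Word | further executable)."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    findings = []
    for pid, ppid, image, cmd in events:
        parent = by_pid.get(ppid)
        if parent is None or not is_word(parent[1]) or is_word(image):
            continue                                   # only non-Word children of Word
        original = doc_from_cmdline(parent[2])
        f = {"dropper": image, "original_doc": original, "decoy_doc": None, "payloads": []}
        for cpid, cppid, cimage, ccmd in events:       # what the dropper itself launched
            if cppid != pid:
                continue
            if is_word(cimage):
                decoy = doc_from_cmdline(ccmd)
                if original and decoy and name_similarity(original, decoy) >= threshold:
                    f["decoy_doc"] = decoy             # similarly named clean document
            else:
                f["payloads"].append(cimage)
        findings.append(f)
    return findings
```

The benign Word session (pid 200) that launches nothing produces no finding, while the dropper chain yields one record naming the dropper, the original and decoy documents, and the second-stage executable.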

Over the past eighteen months MessageLabs has been tracking three gangs of criminals actively involved in similar industrial-espionage attacks; however, this particular attack does not fit any of the known patterns and is likely to come from a new group of criminals entering the field of electronic industrial espionage.

Following its usual procedure in such circumstances, MessageLabs alerted the wider security community to the attack and the new vulnerability by sharing samples of the malware used in this attack. The vendors receiving those samples will likely develop and issue a signature for this attack over the coming days and take steps to alert their customers. MessageLabs clients were fully protected from this attack from its first copy, and are protected from all new targeted attacks going forward.

11.12.2006, MessageLabs
