Sign up to our newsletter
A few days ago, I promised (threatened) to make some general points about biasing test results, but travel and other obligations have been getting in the way. I’ll get back to that very shortly, but in the meantime, I want to look at an issue with the latest round of Microsoft patches that I was asked about today.
There have been reports that Microsoft’s very recent MS09-002 patch has been reverse-engineered in order to implement some specific malware attacks. I’m not altogether sure this is the case (the suggestion was made by Bojan Zdrnja in an Internet Storm Center Handler’s Diary entry), though it’s certainly possible. But Bojan himself notes that this vulnerability in Internet Explorer 7 was reported by ZDI back in September, so I’m not sure why he assumes that the bad guys weren’t aware of the vulnerability previously: it’s not only whitehats who spend time on vulnerability research, and there may be no correlation between the timing of the discovery of the exploit and the release of the patch.
The issue concerns HTML/XML downloaders that use the CVE-2009-0075 vulnerability to install a .DLL (Dynamic Link Library) that surreptitiously forwards information from a compromised system to a remote location. The initial distribution is a Word document using an embedded ActiveX object to access a malicious site automatically via a . If the system hasn’t been patched, agent software is downloaded that installs the DLL, which transmits captured data via port 443, and waits for further commands from a remote server.
The enquiry I received suggests an exploit widely found "in the wild." Strictly speaking, it’s a targeted attack: ISC and the media use the term "in the wild" a little more loosely than we tend to use it in the anti-malware industry. Targeted malware can meet the definition used originally by the WildList Organization ("for a trojan to be considered "In the Wild", it must be found on the computers of unsuspecting users, in the course of normal day-to-day operations"), and indeed, this attack fits that definition. However, the term is often used to suggest widespread random or semi-random distribution (through spamming, for instance), and this isn’t the case with a targeted attack.
I’m not aware that any particular group has been named in connection with this malware: however, the web service used suggests a possible link with Chinese hacker groups. The whole modus operandi – an attack targeting individuals rather than using untargeted spamming, and using Microsoft Office documents to execute an exploit – is reminiscent of the Wicked Rose/NCPH attacks of 2006-2007, though not identical.
(We discussed the NCPH group in some detail in chapter 5 of the AVIEN book published by Syngress in 2007. Coincidentally, Bojan was a major contributor to that book: he wrote some excellent material on advanced malware analysis.)
However, I’m not aware of a proven link with Chinese hacker groups. This could just as easily be someone else entirely, synthesising older targeted attack methodologies and botnet C&C strategies, but making use of a recently-publicised vulnerability.
What is evident is that old attacks never die, they just get tweaked to make use of new vulnerabilities and different styles of social engineering, which is still an important part of an attack like this, since the attacker has to persuade the victim to open the malicious document before the automated attack can kick in. Perhaps the other lesson here is that attackers react to new (or newly-revealed) vulnerabilities much faster than most end-users and administrators do.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Author David Harley, ESET