E-mail attacks target unpatched Word hole

Antivirus companies and the SANS Internet Storm Center (ISC) issued a warning Friday about sophisticated e-mail attacks that are using a previously unknown hole in Microsoft Word to infiltrate corporate networks.

On Friday, Symantec raised its Internet threat rating, citing confirmation of attacks using an unknown hole in Microsoft Word were being used to compromise computers on the Internet. The warning came as monitors at ISC detailed “limited targeted attacks,” originating from China and Taiwan, against an unnamed company that used Word attachments to install Trojan horse programs on corporate networks.

Symantec warned subscribers to its DeepSight Threat Management Service that it had confirmed reports of active exploitation of a hole in Microsoft Word 2003. The attacks use Word document attachments in e-mail messages to trigger the security hole and run code that gives attackers control over vulnerable systems, Symantec said.

The hole caused Microsoft Word 2000 to crash but did not allow remote attackers to run “shell code” that can be used to control the machine following exploitation, Symantec said.

Few other details were available about the hole Friday, however. Symantec said that attacks using the Word hole were “limited” and “against select targets,” according to a DeepSight alert message.

According to a post on the ISC’s blog, the attacks are from China and Taiwan. ISC has traced communications from infected machines back to servers and Internet domains registered there. Text embedded in the malicious files are also written in Chinese, ISC said.

Researchers at Sophos PLC, an antivirus firm based in the UK, said they were also tracking the malicious Word file, which is being used to distribute a Trojan horse called Oscor-B. That program was designed to give malicious hackers remote access to infected computers, wrote Graham Cluley, a senior technology consultant at Sophos, in an e-mail message to InfoWorld.

Sophos will be issuing protection against it Friday, said Cluley.

F-Secure calls the Trojan “W32/Ginwui.A“, said Mikko Hypponen, manager of anti-virus research at F-Secure in Helsinki, Finland.

“We have seen malicious Word documents using similar or the same vulnerability in the past, but they have only worked on Chinese language versions of Word…This new version works on English language versions of Word, so there is obviously the potential for the attack to have a larger potential audience of victims,” he wrote.

The attacks detailed by ISC are part of a “much bigger problem,” Hypponen said.

F-Secure has been tracking a series of sophisticated, very targeted attacks against large European corporations in recent months. All have used malicious Word file attachments to install malicious programs on corporate networks. The attacks, sometimes referred to as “spear phishing” attacks, use e-mail messages that appear to come from within a company, with spoofed sender addresses and even faked corporate letterhead information.

The messages are sent to employees within the company, who are tricked into opening the attachment, believing it comes from a colleague, Hypponen said.

Microsoft Word and other Office applications are a good target, because they are ubiquitous on corporate computers, and because companies often patch them far less frequently than the Windows operating system itself, he said.

“Its not unusual to have a fully patched Windows system running a version of Word that hasn’t been patched for a year or more,” he said.

Symantec advised customers to block Microsoft Word document attachments in e-mail and said users should use “extreme caution” when they receive an unexpected Microsoft Word attachment.

Until signatures are developed for the latest Word exploit, gateway and desktop antivirus software will not be able to detect it. However, attacks that use older exploits should be stopped by most antivirus products, Hypponen said.

Attacks that target applications are becoming more common. This marks a change from recent years, in which the most dangerous attacks and worms focused on vulnerable operating system and network services such LSASS (Local Security Authority Subsystem Service), RDP (Remote Desktop Protocol), and others.

In March, Microsoft patched seven critical holes in the Microsoft Office suite, which includes Microsoft Word, which could have allowed remote code to be run on vulnerable Windows systems.

The latest vulnerabilities in Office applications are different from an earlier generation of threats, like the “Melissa” virus, which used a loosely secured macro programming language in Word to propagate. The new attacks target holes in the applications themselves to take control of Windows systems, which can then be mined for sensitive information or used as “zombies” to send out spam, distribute malicious code or launch denial of service (DoS) attacks.

Companies commonly blocked Word attachments in the days of “Melissa,” but restrictions may have eased in recent years, as Macro viruses faded into the history books and malicious activity shifted elsewhere, Hypponen said.

Related Download
A Guide to Print Security for Canadian Organizations Sponsor: HP
A Guide to Print Security for Canadian Organizations
IT security vulnerabilities are a growing cause for concern for organizations trying to protect their data from printer breaches.
Register Now