Zero Day Word Exploit.

Over the weekend a potentially serious nastie has been released which could affect Microsoft Office users. There’s NO fix for the security hole in Office which the virus exploits, which makes it more serious than a usual warning.

At this early stage there are all sorts of rumors and supposition flying around. The good news is that the current versions of the nastie are not yet spreading and the anti-virus companies have quickly updated their wares to detect the new threat. The bad news is that the underlying security flaw is not patched, so there’s potential for the same or other virus writers to take advantage of the flaw.

ZERO DAY WORD BUG
It’s being called a ‘Zero Day’ flaw, which is geek-speak meaning there’s no patch for the security breach. Microsoft already knew about this problem and is working on a patch for Word. Microsoft intended to release that patch as part of the monthly release (in this case 13 June).

WHAT’S HAPPENING?
A Word document can be infected with a Trojan Horse called Trojan.Mdropper.H. This nastie takes advantage of the un-patched security hole in Word. The Trojan makes it possible to run a new program on your computer, in this case a ‘backdoor’ called Ginwui.

A Backdoor program lets other people take control of your computer.

Ginwui doesn’t do anything bad at first, but there’s the potential for the backdoor to be used later. Ginwui ‘pings’ a web site so someone knows that the backdoor is installed. Backdoors can be used to track keystrokes on your computer, forward copies of documents, emails or passwords, or use the computer to send viruses or spam to other computer users. Having installed the Backdoor, a ‘clean’ version of the document is opened so an unsophisticated user might think that there was no infection.

For more details check out the Symantec web site among many others. MDropper: http://securityresponse.symantec.com/avcenter/venc/data/trojan.mdropper.h.html
Ginwui: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ginwui.html

THE INFECTED EMAIL AND DOCUMENT
The known emails that have the infected Word document attachment have the following subject lines: Notice or RE Plan for final agreement

The known infected documents have names like: NO.060617.doc.doc or PLANNINGREPORT5-16-2006.doc

However, those are only the currently reported infections; the email subject and document name are easily changed. Filtering on the above text is of little use. Proper and updated anti-virus software is better.
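To make the point above concrete, here is an added example (not code from the original post) of an attachment triage routine that compares the two approaches. It checks the subject lines and file names quoted above as exact indicators, and alongside that applies two structural checks that survive a rename: is the attachment a Word document at all, and does it hide a second extension the way NO.060617.doc.doc does. The sample messages are constructed for this example, the structural heuristics are my own assumption about what a mail gateway would look for, and the routine’s outcome for any Word attachment is “hand it to updated anti-virus software”, which is what the post recommends, rather than a block on the name.

```python
"""Added example: string-indicator filtering versus structural checks on
incoming Word attachments. Sample messages are constructed here; the
indicator strings are the ones reported in the post."""
import os
from email.message import EmailMessage

# Indicators quoted in the post. An attacker changes these at no cost.
KNOWN_SUBJECTS = {"notice", "re plan for final agreement"}
KNOWN_NAMES = {"no.060617.doc.doc", "planningreport5-16-2006.doc"}

# Assumption for this example: any Word document attachment is worth an
# anti-virus scan while the underlying Word flaw is unpatched.
WORD_EXTENSIONS = {".doc"}


def ioc_match(subject: str, filename: str) -> bool:
    """Exact match against the reported subject lines and file names."""
    return (subject.strip().lower() in KNOWN_SUBJECTS
            or filename.strip().lower() in KNOWN_NAMES)


def structural_flags(filename: str) -> list:
    """Checks on the shape of the name, not its value, so a rename does not evade them."""
    flags = []
    root, ext = os.path.splitext(filename.lower())
    if ext in WORD_EXTENSIONS:
        flags.append("word-attachment")
    # NO.060617.doc.doc: a second extension sits behind the visible one
    if os.path.splitext(root)[1] in WORD_EXTENSIONS:
        flags.append("double-extension")
    return flags


def triage(msg: EmailMessage) -> dict:
    """Run both checks over every attachment and decide whether to route the
    message to the (updated) anti-virus scanner before delivery."""
    subject = str(msg.get("Subject", ""))
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        attachments.append({
            "filename": name,
            "ioc": ioc_match(subject, name),
            "flags": structural_flags(name),
        })
    return {
        "subject": subject,
        "attachments": attachments,
        "route_to_av": any(a["ioc"] or a["flags"] for a in attachments),
    }


def build_message(subject: str, attachment_name: str) -> EmailMessage:
    """Constructed sample: a placeholder byte string stands in for the document."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(b"placeholder-document-bytes",
                       maintype="application", subtype="msword",
                       filename=attachment_name)
    return msg


# One message using the reported name and subject, and the same kind of
# attachment with both trivially changed.
REPORTED = build_message("Notice", "NO.060617.doc.doc")
RENAMED = build_message("Quarterly figures", "budget.doc")


def demo() -> tuple:
    """Returns the triage result for the reported and the renamed sample."""
    return triage(REPORTED), triage(RENAMED)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running it shows the reported sample hit by both the indicator list and the structural checks, while the renamed sample is missed by the indicator list entirely and is still routed to the scanner because it is a Word attachment. That gap between the two rows is the whole argument for relying on updated anti-virus definitions rather than on a list of names.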

WHO IS AFFECTED?
At this stage it seems that only Word 2003 is affected, but that’s by no means confirmed. If you have Word 2002 (Office XP) then an infected document is reported to crash Word. It seems the exploit doesn’t work, but the attempt will crash Word 2002. Some unconfirmed reports suggest that the same or similar exploit also applies to Excel and PowerPoint files and not just Word. All versions of Windows and Windows Server seem to be at risk from Windows 98 onwards, but this is limited by the fact that Office 2003 will only run on Windows 2000 or XP. The computer needs to be running with administrator privileges, which Microsoft likes to present as a mitigating factor, but the reality is that most people have those privileges in daily use.

WHAT TO DO?
While Microsoft has yet to patch the underlying security hole, the anti-virus companies have moved with their usual speed to add detection for the new nasties. If you grab the latest updates for whatever anti-virus software you use then it should detect any incoming infected documents. In this case ‘latest’ means an update released on 19 or 20 May 2006 or later.
As always, be careful of any files you receive via email regardless of who appears to have sent them.
Check incoming files with updated anti-virus software at all times.

NO ANTI-VIRUS PROTECTION?
You may see some media reports saying there is no protection against this infection. This is NOT true as we write this. All the major anti-virus companies have updated their virus definitions to cope with both the trojan and backdoor. The ‘no protection’ reports seem to be ‘old’ stories, which in this case means only a day or two old. Other media copy from those early reports without checking, and so the idea of ‘no protection’ spreads. In the very early stages the anti-virus companies had not updated their virus definitions, but that has now happened. Most updates were out on 19 or 20 May. In some cases the articles don’t seem to understand the difference between the underlying security hole in Word (which isn’t yet patched) and the Trojan which exploits the hole (which is detected by updated AV software).

IS IT SPREADING?
At the time of publication this nastie had only been detected in some limited areas. Symantec says it was found in a Japanese government office. The text in the known infected Word document refers to a treaty between China and Japan. The backdoor reports back to IP addresses and domains registered in mainland China and Taiwan. The current infection doesn’t include any automatic method of distributing copies of itself. As regular readers might recall, many viruses these days ‘farm’ addresses from an infected computer to send copies of the infection to other computers. The current Mdropper/Ginwui combination does NOT do that. That explains why this particular nastie hasn’t spread quickly. But with a new Trojan that only recently updated AV programs will detect, there’s plenty of potential for the virus to spread. An unpatched and known exploit in Word is a strong lure for virus writers to take advantage before Microsoft patches the hole. So it’s possible we’ll see other infected documents that take advantage of the same security lapse.

Source…
