Zero-day ( 0-day) Microsoft Word exploit



There was some news on this last night at Incidents.org, today F-secure has some details as well on the trojan that’s dropped in this circulating, exploit. It seems as though the initial attack was very targetted against a specific organization. Antivirus packages did not recognize the trojan that the exploit file dropped as of yesterday, although it’s looking like f-secure now has detection and I would suspect other AV vendors.

Essentially, one organization reported in to incidents that they were receiving emails with MS Word attachments. One user noticed that a domain name in the email wasn’t exactly correct…


“Emails were sent to specific individuals within the organization that contained a Microsoft Word attachment. This attachment, when opened, exploited a previously-unknown vulnerability in Microsoft Word (verified against a fully-patched system). The exploit functioned as a dropper, extracting a trojan byte-for-byte from the host file when executed. After extracting and launching the trojan, the exploit then overwrote the original Word document with a “clean” (not infected) copy from payload in the original infected document. As a result of the exploit, Word crashes, informs the user of a problem, and offers to attempt to re-open the file. If the user agrees, the new “clean” file is opened without incident.” They are working with Microsoft on this.

It looks as though it gives a thorough once over of the system settings, patch status, etc when it’s dropped.

I remember not too long ago reading about the market for zero-day exploits. There are, of course, unpublicized flaws in many applications that are also unpatched. It pays to be alert. In this case – suspicion of any email attachment would be one of the first lines of defence.

F-secure has tagged the trojan as Ginwui.A

according to them…

Ginwui is a fully-featured backdoor with rootkit features. This backdoor was distributed inside a document file with a shell-code that dropped the backdoor’s file to a hard drive and activated it.

It creates a registry key…
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]
“AppInit_DLLs” = “%WinSysDir%\winguis.dll”

drops CSRSE.EXE into the temporary folder and uses that to drop WINGUIS.DLL into the windows system folder.

After infection it attempts to connect to a site to allow the cracker remote access… the following capabilities seem to exist…

create, read, write, delete and search for files and directories
access and modify the Registry
manipulate services
start and kill processes
take screenshots
enumerate open windows
create its own application window
get information about infected computer
lock, restart or shutdown Windows
create a pipe and read files from it
start a remote command shell
enumerate network resources

also it apparently creates three empty sys files in the drivers folder of Windows/System32

Update –2pm edt 5/19/06–
Sans has pointed out that the word file in question now is detected by Mcafee as Exploit-OleData.gen – there are no real details in McAfee’s database yet though.

Update –3pm edt 5/19/06–
Another update here – looks like McAfee has detail on the dropper which they’ve named BackDoor-CKB!cfaae1e6. Also, Symantec has entries for the both the backdoor ginwui (backdoor.ginwui) and the dropper word document file ( Trojan.Mdropper.H ). They’re all calling this a low threat (level 1 depending on the vendor). I’d like to point out that it’s usually given a low threat when 1) it’s not widespread and 2) it’s something that requires user intervention (in this case opening an attachment.)

Unfortunately those numbers can make it seem as though this is not a serious concern. Obviously there aren’t copies of this “all over”, but be cautious, the first notice was a targeted attack on an organization. It was certainly a high risk piece of malware.

–update 5:15 EDT 5/19/06–

The Seuciryt Fix has coverage of the Zero-day Word Exploit now. Also, Microsoft has a mention of it ont heir security Blog. It sounds as though using the Word viewer will not get you into trouble in this instance, the flaw seems to affect Word XP and Word 2003. There is work underway on an Office update.

Of course, it does require the opening of an attachment. As always be suspicious of unexpected attachments, some security policies would block attachments period. Sans is recommending a number of ways to deal with the zero-day including the possible substitution of OpenOffice until there’s a patch. (Not their only suggestion obviously.) Limiting user priviliges is a HIGHLY recommended way to protect against this sort of thing as is education about verifying that attachments are from who they say they are. If it’s unexpected – call(? did you send me…..?)

Secunia has given the vulnerability a high rating (extremely critical).

Further, Brian at the Security Fix notes that targetted attacks like the way this started are becoming INCREASINGLY common. One of the “advantages” for a hacker about a targeted attack is that it could possibly be “under the radar” of large antivirus firms. Therefore it’s more effective – use a previously unknown exploit and make judicious use of it. (As opposed to – broadcast a mass mail to half the known world using an unkown exploit and it gets fixed tomorrow/next week/etc. Even when this vulnerability is fixed, it pays to be suspicious and to doublecheck on the source of unexpected attachments.

And for expecting the fix on this, you might want to make sure you’re setup to use Microsoft update as opposed to Windows Update – Microsoft update will carry office product fixes as well as core OS fixes. In this case, If you use Windows update, you will likely not receive this fix when it comes out. The Microsoft patch for this zero-day (0-day) exploit in Word is not expected until June 13th.

— update 5/25/06–

Sorry, updates have been a bit slow on this…

The current bulletins disregard Word 2000 and suggest that ONLY Word 2003 and Word 2002(XP) are vulnerable. I saw a report that Microsoft may release early “if warranted”…. ok… outside of that one of the official recomendations seems to be to run word in safe mode…. This involves, disabling Word as Outlooks message editor (In Outlook – Tools, Options, Mail Format – clear the 2 boxes for using Word to edit messages and read rich text messages.) Next, to run word in safe mode, /safe needs to be put at the end of the command to run word. SO, for instance if you have a desktop icon, it can be turned into a “safe mode” icon by rightclicking and going to properties, finding winword.exe and adding /safe after it so that it appears like this…. c:\program files\…\winword.exe /safe

OR you can start Word from the Start… Run menu by just typing “winword /safe” (without the quotes).

There are other limitations to safe mode of course, so the usefullness of this for you may vary. It would prevent the exploit from working though if a suspect file were opened with a “safe mode” copy of Word. (Clicking on the attachment icon though would likely open “normal mode” word. So, this isn’t the best workaround for ALL without making winword.exe /safe the default handler for all .doc files (I’m almost certain that could be done with a registry edit.)

   Send article as PDF   

Similar Posts