Posted on Friday, December 8th, 2006

Snipers from Southeast Asia

by Jose Nazario

In 2006 we saw an increase in the number of attacks targeting Windows file formats, specifically MS Office formats. We’ve seen some also attack WinAmp and other media players, and even a few targeting AV software and its file formats, but MS Office appears to be the main target of interest. Indications show that hundreds of such attacks are lurking in Office and are being slowly revealed by attackers who are doing their own research. Others have blogged about this, such as on the Symantec Security Response Weblog. This is going to continue for a while, so start looking at MS Office security steps sooner rather than later.

Suffice it to say, Office documents represent a great breeding ground for such attacks. They provide rich functionality, enabling linked content and actions inside a normal document, and on the human side they represent a great social engineering vector. This is, by all accounts, going on. 2006 saw these Office flaws sometimes paired with very targeted, very specific and high-powered attacks, sometimes to great effect. In these cases the adversary appears to profile the organization and carefully craft a few messages (and documents) for select individuals. This provides the attacker with three things:

  1. The right victim if you’re interested in highly sensitive information
  2. Limited detection capabilities and a limited chance of drawing attention to your attack; after all, you’re working with a 0-day here!
  3. Finally, with properly crafted messages, specific to the individual, you have a higher chance of the target viewing it (and launching the exploit)

The bad guys know this and they’re slowly revealing their Microsoft Office bugs this way, choosing very specific targets and sending only a handful of messages. This makes detection slower than normal as people try to understand the attack. The document has often been carefully crafted to drop a small executable that downloads a new payload. In most cases these guys aren’t using stock malware, but they are using some techniques and approaches that aren’t unique (though not too common either). All of this is exactly what you would expect from a 0-day, and all of it is designed to evade signature-based detection and to deny you even the chance to alert your security provider.

This sort of attack will continue, and it will continue to come from determined adversaries who are talented and doing their own vulnerability research, and it will continue to be very targeted. There’s no shortage of bugs, no shortage of reasons to commit these attacks (corporate espionage, state espionage, etc.), and clearly no shortage of talent at operationalizing them.

The latest attack, as described by the MSRC blog, is a continuation of this MO: a new MS Word vulnerability, dropped malware, and only a handful of targets. This attack drops a downloader, which grabs another file. The downloader in at least one case modifies the registry to keep itself available.

So far the good news about these attacks is that millions may not really be threatened. The actual vulnerability details are held pretty quietly right now, and operationalizing them appears to be difficult for many garden-variety attackers (as opposed to setSlice() or the WMF setAbortProc() attacks). However, the timing is something else we’ve been seeing for a while: the exploit is released at a point in MS’s patch release cycle that avoids its being patched immediately. No word on when this one will be patched.

Our new ATF policy for Download.Sniper detects it. The policy looks for the traffic generated by the file dropped by the malicious documents as they hit servers either in China or Korea (depending on the document). We’ll continue to watch this one and see how we can further improve this detection, of course. AV detection is limited but growing. Currently the malicious files grabbed by the downloader are still on the website.
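The ATF policy above watches the network side. As an added example that is not code from the original post or from Arbor, here is the host-side view of the same chain (Office process writes an executable, that executable phones home and sets a Run key), run over a few constructed event records; the event format, process names, the 203.0.113.x address and the `window` parameter are all assumptions for illustration.

```python
# Added example: correlate constructed host-event records into the
# "document drops downloader, downloader fetches payload and persists" chain.
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"

# Constructed sample events (not real telemetry): (time_s, kind, process, detail)
EVENTS = [
    (100, "process_start", "winword.exe", "C:\\Users\\a\\Downloads\\quarterly_report.doc"),
    (103, "file_write", "winword.exe", "C:\\Users\\a\\AppData\\Local\\Temp\\svchost_update.exe"),
    (104, "process_start", "svchost_update.exe", "parent=winword.exe"),
    (106, "net_connect", "svchost_update.exe", "203.0.113.45:80"),
    (108, "reg_set", "svchost_update.exe",
     "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    (200, "process_start", "winword.exe", "C:\\Users\\b\\memo.doc"),   # benign: no drop
    (201, "net_connect", "firefox.exe", "198.51.100.7:443"),           # benign: not Office-spawned
]


def find_dropper_chains(events, window=60):
    """Return one finding per executable written by an Office process that
    makes an outbound connection within `window` seconds of being dropped.
    Each finding also records any autorun (Run key) writes by that executable."""
    drops = {}  # exe basename -> (drop time, dropping Office process, full path)
    for t, kind, proc, detail in events:
        p = proc.lower()
        if kind == "file_write" and p in OFFICE_PROCS and detail.lower().endswith(".exe"):
            drops[detail.rsplit("\\", 1)[-1].lower()] = (t, p, detail)

    findings = []
    for name, (t0, office, path) in drops.items():
        later = [e for e in events if e[2].lower() == name and t0 <= e[0] <= t0 + window]
        conns = [e[3] for e in later if e[1] == "net_connect"]
        runkeys = [e[3] for e in later if e[1] == "reg_set" and RUN_KEY in e[3].lower()]
        if conns:  # a dropped executable that phones home is the downloader stage
            findings.append({"dropper": path, "dropped_by": office,
                             "remote": conns, "autorun": runkeys})
    return findings


if __name__ == "__main__":
    for f in find_dropper_chains(EVENTS):
        print(f)
```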
