RealTime IT News

Word Attack Hails From China

If Microsoft Windows users need another reason not to open e-mail attachments, hackers are exploiting a zero-day vulnerability in Word 2002 and 2003.

Hackers are using a new and un-patched vulnerability in Word to create a Trojan posing as an official document from co-workers.

Once opened, Trojan.Mdropper.H installs a backdoor giving malicious hackers control of a Windows system, according to Symantec, one of the security firms warning users.

Microsoft said it will include a patch for the vulnerability June 13, as part of its usual monthly security notice release.

"So far, this is a very limited attack, and most of our antivirus partners are rating this as 'low,'" Stephen Toulouse, manager of Microsoft's Security Response Center program, wrote on the company's blog.

Noting a user would need to open the Word file for the exploit to work, the information "isn't meant to say the issue isn't serious," according to the blog posting.

The software company said it has been working with a "couple customers thus affected." However, Microsoft will investigate any variants it might find.

While Microsoft points to just a couple of customers hit by the Trojan, that could quickly change, according to security firm Secunia.

"Currently it appears that the vulnerability is only being exploited in small targeted attacks," said Thomas Kristensen, Secunia's CTO. However, it is "certainly possible" to create an exploit released on a much broader scale, according to Kristensen.

How can users spot the Trojan? Microsoft's Toulouse says two common e-mail subject lines are "Notice" and "RE Plan for final agreement."

Microsoft is also recommending, along with using caution when opening e-mail attachments, that Windows users limit admin privileges.

But the SANS Institute believes Windows users should simply stop opening untrusted Word documents.

The exploit "almost certainly is from China," said Johannes Ullrich, SANS chief researcher.

While some believe the first report of this exploit being seen in the "wild" was at a Japanese government department, Ullrich said SANS bases its report on an attack of a U.S. defense contractor.

This is the first Trojan sent to a government agency that SANS can share with the public, although it's received other reports, according to the researcher.

The attacks resemble those from a group of Chinese hackers known as "Titan Rain," the researcher told internetnews.com.

Zero-day vulnerabilities are not limited to new software, the SANS researcher said. "Sadly, even old software like Windows or Office still contains plenty of bugs to be found."

SANS, which earlier this month reported that zero-day attacks are on the rise, noted other shifts in software security, including a move away from usual targets and a decision to seek out security flaws that might be new and therefore less known.

"Hacking is not about getting your 15 minutes of fame anymore," Ken Durham, a director of rapid response for Dulles, Va.-based IDefense, told internetnews.com. "Cybercrime is a multi-million dollar global business."