Last Updated: 2006-05-21 18:32:42 UTC
by Swa Frantzen (Version: 3)
Learn
Learning lessons from incidents is a very important part of incident handling. With targeted attacks this is very hard, because you need to have a case before you can learn from it. Learning from others is therefore even more important here.
Michael reported on an unnamed organization being hit by a limited, extremely targeted attack.
Detection is mostly the very hard part in these attacks. This case seems to have been detected by a very alert user who noticed a domain name in an email that wasn't completely right.
That user detected an email coming in that originated from a domain that looked like their own, but wasn't their own (actually only had an MX record in it). The email was written to look like an internal email, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software.
In reaction to this report we've seen people respond as if it were a widespread thing. We need to stress this is not the case. This kind of attack is new, and so must the response be.
The group originating these attacks does so in a very targeted fashion. The document is crafted to target a specific organization, containing specific elements that deal with just that one organization. If you don't work for them, you are very unlikely to ever see this. Proof of how rare it is: the number of requests for samples we got from companies like anti-virus vendors.
Chances are really high that you're not targeted, at least not by this exploit. So far there is one group doing (at least) one very targeted attack with this. Either they need to change their method of operation to do widespread attacks, or some other group would need to get a sample, reverse engineer it, find the core of the exploit, modify it to work in a wider fashion and launch a new attack.
So do you need to dig in now? Most likely not. We suggest you act as if it's any new vulnerability where the details are still very well hidden.
- The one organization being targeted needs specific actions.
- If you are on the potential target list, you need to learn to defend against the unknown, not against this threat.
- If you're not on their target list, chances are you will not see an exploit till Microsoft releases a patch and the knowledge to exploit it can be derived by the hackers.
Panicking and blindly taking action is probably the worst course of action you can take.
Report
To say it in Michael's words:
"Emails were sent to specific individuals within the organization that contained a Microsoft Word attachment. This attachment, when opened, exploited a previously-unknown vulnerability in Microsoft Word (verified against a fully-patched system). The exploit functioned as a dropper, extracting a trojan byte-for-byte from the host file when executed. After extracting and launching the trojan, the exploit then overwrote the original Word document with a "clean" (not infected) copy from payload in the original infected document. As a result of the exploit, Word crashes, informs the user of a problem, and offers to attempt to re-open the file. If the user agrees, the new "clean" file is opened without incident." They are working with Microsoft on this.
"We are still analyzing the trojan dropped by the exploit. What we do know is that it communicates back to localhosts[dot]3322[dot]org via HTTP. It is proxy-aware, and "pings" this server using HTTP POSTs of 0 bytes (no data actually POSTed) with a periodicity of approximately one minute. It has rootkit-like functionality, hiding binary files associated with the exploit (all files on the system named winguis.dll will not be shown in Explorer, etc.), and invokes itself automatically by including the trojan binary in "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows". Note that, as of this morning, no anti-virus signatures detected this file as problematic according to virustotal.com.
We have traced nearly this attack to the Far East; specifically, China and Taiwan. IPs seen are registered there, domains seen are registered there, and the emails received originated from a server in that region. The attackers appear to be aware that they have been "outed", and have been routinely changing the IP address associated with the URL above.
Due to the aggravating circumstances (0-day, no AV detection), we wanted to make sure the community is aware that this problem exists as soon as possible."
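A detection sketch for the network behaviour in Michael's report (HTTP POSTs with no body, repeated about once a minute), added here as an example and not part of the original diary or of anyone's actual tooling. The proxy log format, host names and thresholds are assumptions, and the sample lines are constructed.

```python
import statistics
from collections import defaultdict

# Constructed proxy log lines (not from the incident).
# Assumed format: epoch_seconds client_ip method host request_body_bytes
SAMPLE_LOG = """\
1000 10.0.0.5 POST beacon.example.test 0
1003 10.0.0.7 GET www.example.org 0
1061 10.0.0.5 POST beacon.example.test 0
1090 10.0.0.7 POST forms.example.org 412
1119 10.0.0.5 POST beacon.example.test 0
1181 10.0.0.5 POST beacon.example.test 0
1240 10.0.0.5 POST beacon.example.test 0
1900 10.0.0.9 POST api.example.net 0
1302 10.0.0.5 POST beacon.example.test 0
"""

def parse(log_text):
    """Yield (ts, client, method, host, body_len); skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2].upper(), parts[3].lower(), int(parts[4])
        except ValueError:
            continue

def find_beacons(log_text, period=60, tolerance=10, min_hits=5):
    """Return {(client, host): median_gap} for empty POSTs repeating every ~period s."""
    times = defaultdict(list)
    for ts, client, method, host, body_len in parse(log_text):
        if method == "POST" and body_len == 0:
            times[(client, host)].append(ts)
    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()  # proxy logs are not always written in time order
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        # Typical gap must sit near the period, and most gaps inside the band.
        regular = sum(abs(g - period) <= tolerance for g in gaps) / len(gaps)
        if abs(median_gap - period) <= tolerance and regular >= 0.8:
            flagged[key] = median_gap
    return flagged

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Because it keys on the pattern rather than the destination, the check keeps working when the attackers change the IP address behind the host name, as the report says they did.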
Many thanks to all handlers active on this: Johannes, Chris, William, Adrien.
--
Swa Frantzen - Section 66