NEWS FROM THE LAB - Wednesday, April 29, 2009

Targeted Examples Posted by Mikko @ 14:22 GMT

We continue to see targeted attacks. More and more of them. We're currently collecting some statistics on the frequency of these attacks and hope to publish them here later this week.

Here are some recent examples of documents that we've seen in targeted attacks. All of them exploit known vulnerabilities to drop backdoors that take over the computer.

The examples cover all popular file types: DOC, XLS, PPT and PDF. (Just to be fair.)

We've seen each of these cases exactly once, worldwide. So whoever got hit by these, it wasn't just bad luck and it wasn't just a coincidence.

Our first example looks like an average in-house purchase agreement… but when viewed, it drops a backdoor that connects to lemondtree.freetcp.com. XLS file.


Connects to heet.25u.com. PDF file.


Drops files called hlwin32.dll, hlsvc32.dll and svchost.exe into the SYSTEM32 or TEMP folder. PPT file.


"Fertilizer news and analysis"? What? Drops a backdoor that connects to wolfdu.5166.info. PDF file.


Drops a variant of the Poison Ivy remote access trojan. PDF file.


We don't have any information on the identities of the parties targeted with these attacks.