NEWS FROM THE LAB - Thursday, May 5, 2011

Analysis of an Osama bin Laden RTF Exploit Posted by Sean @ 09:07 GMT

Targeted/semi-targeted attacks have been utilizing exploits against Microsoft's "RTF Stack Buffer Overflow Vulnerability" (CVE-2010-3333) since last December. The vulnerability was patched last November in security bulletin MS10-087.

Many of the attacks we've seen which exploit CVE-2010-333 have used topical subject lines.

And this week is no different. So of course, there's an Osama bin Laden RTF exploit circulating in the wild which uses the subject: "FW: Courier who led U.S. to Osama bin Laden's hideout identified".

The file name is called: "Laden's Death.doc" and appears as so:

Courier who led U.S. to Osama bin Laden's hideout identified

When the RTF file is opened, the exploit executes shellcode and drops a file named server.exe inside C:/RECYCLER and executes it.

C:/RECYCLER/server.exe does the following:

  •  Drops a file in the system's temp folder: vmm2.tmp
  •  File vmm2.tmp is renamed and moved to c:\windows\system32\dhcpsrv.dll
  •  Makes registry modifications in an attempt to hijack the DHCP service.

It attempts to connect to a C&C hosted at ucparlnet.com.

The payload has the ability to:

  •  Download additional malware
  •  Connect and send sensitive data back to remote servers
  •  Act as a trojan proxy server

The folks at contagio malware dump report that "It was sent to many targets in the US Government today".

Checking our back end shows that some of our customers have also been exposed. Our detection name for the exploit is Exploit:W32/Cve-2010-3333.G and the RTF payload is detected as Trojan:W32/Agent.DSKA.

As always, the usual advice applies, exercise caution when opening attachments, patch/update your MS Word/Office, and make sure your antivirus is up to date.

You can see more examples of CVE-2010-3333 attacks at contagio.

Updated to add: Here's a picture of an e-mail spreading this document. This was sent to analysts in Washington, D.C. The picture was published by Lotta Danielsson-Murphy. Do note that the sender information in the e-mail is forged.

Laden's Death.doc