Many of the attacks we've seen that exploit CVE-2010-3333 have used topical subject lines.
This week is no different. So, of course, there's an Osama bin Laden-themed RTF exploit circulating in the wild with the subject line: "FW: Courier who led U.S. to Osama bin Laden's hideout identified".
The attachment is named "Laden's Death.doc".
When the RTF file is opened, the exploit runs shellcode that drops a file named server.exe into C:\RECYCLER and executes it.
C:\RECYCLER\server.exe then does the following:
• Drops a file named vmm2.tmp into the system's temp folder
• Renames and moves vmm2.tmp to c:\windows\system32\dhcpsrv.dll
• Modifies the registry in an attempt to hijack the DHCP service
It then attempts to connect to a C&C server hosted at ucparlnet.com.
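A defender-side correlation check for the drop, rename and registry chain described above, added here as an illustrative example (not F-Secure's or contagio's code). It assumes a constructed `host|type|detail` event format, that the registry change targets the DHCP client service's ServiceDll value (the post does not name the key), and that dhcpcore.dll/dhcpcsvc.dll are the legitimate DLL names for that service.

```python
import re

# Constructed sample events in an assumed "host|type|detail" format; host1 shows the
# chain from the post, host2 shows benign activity and a legitimate ServiceDll write.
SAMPLE_LOG = """\
host1|FileCreate|C:\\RECYCLER\\server.exe
host1|FileCreate|C:\\Users\\bob\\AppData\\Local\\Temp\\vmm2.tmp
host1|FileRename|C:\\Users\\bob\\AppData\\Local\\Temp\\vmm2.tmp -> C:\\Windows\\System32\\dhcpsrv.dll
host1|RegSetValue|HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dhcp\\Parameters\\ServiceDll = C:\\Windows\\System32\\dhcpsrv.dll
host2|FileCreate|C:\\Users\\alice\\Documents\\report.docx
host2|RegSetValue|HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dhcp\\Parameters\\ServiceDll = %SystemRoot%\\system32\\dhcpcore.dll
"""

RECYCLER_RE = re.compile(r"^[a-z]:\\recycler\\server\.exe$", re.I)
RENAME_RE = re.compile(r"vmm2\.tmp -> (.*\\system32\\dhcpsrv\.dll)$", re.I)
# Assumed key: svchost-hosted services load the DLL named by Parameters\ServiceDll.
DHCP_SVCDLL_RE = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dhcp\\Parameters\\ServiceDll = (.+)$", re.I)
# Assumed legitimate DHCP client DLL names (Vista+ and XP respectively).
LEGIT_DHCP_DLLS = {"dhcpcore.dll", "dhcpcsvc.dll"}


def indicators_for(log_text):
    """Map each host to the list of chain stages observed in its events."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, kind, detail = line.split("|", 2)
        found = None
        if kind == "FileCreate" and RECYCLER_RE.match(detail):
            found = "recycler_dropper"
        elif kind == "FileRename" and RENAME_RE.search(detail):
            found = "tmp_renamed_to_dhcpsrv_dll"
        elif kind == "RegSetValue":
            m = DHCP_SVCDLL_RE.match(detail)
            # Only a ServiceDll pointing at a non-standard DLL counts as a hijack.
            if m and m.group(1).rsplit("\\", 1)[-1].lower() not in LEGIT_DHCP_DLLS:
                found = "dhcp_servicedll_hijack"
        if found:
            hits.setdefault(host, []).append(found)
    return hits


def flagged_hosts(log_text, min_indicators=2):
    """Hosts showing at least min_indicators distinct stages of the chain."""
    return sorted(h for h, inds in indicators_for(log_text).items()
                  if len(set(inds)) >= min_indicators)
```

Requiring two or more distinct stages keeps a lone temp-file name or a single registry write from paging anyone on its own.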
The payload has the ability to:
• Download additional malware
• Connect and send sensitive data back to remote servers
• Act as a trojan proxy server
The folks at contagio malware dump report that "It was sent to many targets in the US Government today".
Checking our back end shows that some of our customers have also been exposed. Our detection name for the exploit is Exploit:W32/Cve-2010-3333.G and the RTF payload is detected as Trojan:W32/Agent.DSKA.
As always, the usual advice applies: exercise caution when opening attachments, patch/update your MS Word/Office, and make sure your antivirus is up to date.
You can see more examples of CVE-2010-3333 attacks at contagio.
Updated to add: Here's a picture of an email spreading this document. This was sent to analysts in Washington, D.C. The picture was published by Lotta Danielsson-Murphy. Do note that the sender information in the email is forged.