Analysis of an Osama bin Laden RTF Exploit

Targeted/semi-targeted attacks have been utilizing exploits against Microsoft's "RTF Stack Buffer Overflow Vulnerability" (CVE-2010-3333) since last December. The vulnerability was patched last November in security bulletin MS10-087.
Many of the attacks we've seen which exploit CVE-2010-333 have used topical subject lines.
And this week is no different. So of course, there's an Osama bin Laden RTF exploit circulating in the wild which uses the subject: "FW: Courier who led U.S. to Osama bin Laden's hideout identified".
The file name is called: "Laden's Death.doc" and appears as so
:
Courier who led U.S. to Osama bin Laden's hideout identified


When the RTF file is opened, the exploit executes shellcode and drops a file named server.exe inside C:/RECYCLER and executes it.

C:/RECYCLER/server.exe does the following:

  •  Drops a file in the system's temp folder: vmm2.tmp
  •  File vmm2.tmp is renamed and moved to c:\windows\system32\dhcpsrv.dll
  •  Makes registry modifications in an attempt to hijack the DHCP service.

It attempts to connect to a C&C hosted at ucparlnet.com.

The payload has the ability to:

  •  Download additional malware
  •  Connect and send sensitive data back to remote servers
  •  Act as a trojan proxy server

The folks at contagio malware dump report that "It was sent to many targets in the US Government today".

Checking our back end shows that some of our customers have also been exposed. Our detection name for the exploit is Exploit:W32/Cve-2010-3333.G and the RTF payload is detected as Trojan:W32/Agent.DSKA.

As always, the usual advice applies, exercise caution when opening attachments, patch/update your MS Word/Office, and make sure your antivirus is up to date.

You can see more examples of CVE-2010-3333 attacks at contagio.

Updated to add: Here's a picture of an email spreading this document. This was sent to analysts in Washington, D.C. The picture was published by Lotta Danielsson-Murphy. Do note that the sender information in the email is forged.

Laden's Death.doc

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

LINK TO OUR HOME PAGE :
Voice Of GREYHAT is a non-profit Organization propagating news specifically related with Cyber security threats, Hacking threads and issues from all over the spectrum. The news provided by us on this site is gathered from various Re-Sources. if any person have some FAQ's in their mind they can Contact Us. Also you can read our Privacy Policy for more info. Thank You ! -Team VOGH
If you enjoyed VOGH News, Articles Then Do Make sure you to Subscribe Our RSS feed. Stay Tuned with VOGH and get Updated about Cyber Security News, Hacking Threads and Lots More. All our Articles and Updates will directly be sent to Your Inbox. Thank You! -Team VOGH

Categories:

0 comments:

Post a Comment

Related Posts Plugin for WordPress, Blogger...