Tuesday, April 10, 2007 8:27 AM
cmosby
McAfee Avert Labs Blog - Exploit-TaroDrop.b – Heuristics vs 0-day Gymnastics
Exploit-TaroDrop.b – Heuristics vs 0-day Gymnastics
Monday April 9, 2007 at 8:12 am CST
Posted by Geok Meng Ong
Trackback
On April 6th, 2007, our heuristics proactively detected a new document exploit for Ichitaro, a popular Japanese word processor, that was being exploiting a new 0-day vulnerability in the wild. The vendor was notified immediately and confirmed we have identified a new and previously unknown vulnerability. This follows the other 0-day vulnerability for Ichitaro that was exploited in the wild in August the previous year.
The specially crafted document (Exploit-TaroDrop.b) came with a Japanese filename with extension “.jtd” that is used by Ichitaro.
When users open this document, Exploit-TaroDrop.b causes a buffer overflow, executes shellcode, drops a malware called %Windir%\System32\downhk.exe (BackDoor-DKI.dldr) and silently terminates. Before the user could realize the disruption, Ichitaro is restarted and they can continue to view the document but with a different filename “a.jtd”.
What goes on behind the scenes was really Exploit-TaroDrop.b taking control over code execution from Ichitaro after a buffer overflow occurred and caused the application to terminate. The malware author attempts to “repair” the user experience by dropping a clean document that can be viewed in Ichitaro so as not to arouse any suspicion.
We are seeing similar methods used in the other document type exploits for Microsoft Office applications. Although this method may vary in other cases, it would be worth checking the filename in the application title bar, and take note of any abnormal behavior as such.
We can expect malware authors to continue discovering and creating new exploits in localized (and often neglected) applications; and using various social engineering methods to keep these threats undetected. Users must be armed with both advanced heuristics and good vigilance and intuition and even then threats like these are going to be increasingly difficult to track and defend against.
A security patch is being developed by the vendor to deal with this vulnerability.
This malware was reported by both Shinsuke Honjo and Geok Meng Ong of McAfee Avert Labs.
Source: Computer Security Research - McAfee Avert Labs Blog
Filed under: Security and Anti-Virus, Patch Management, AntiVirus Information, Internet Applications