MS Word Zero-Day Exploit Found
Page 1 of 2 12 LastLast
Results 1 to 10 of 19

Thread: MS Word Zero-Day Exploit Found

  1. #1
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252

    Exclamation MS Word Zero-Day Exploit Found

    From Slashdot

    MS Word Zero-Day Exploit Found

    Posted by Zonk on Friday May 19, @02:37PM
    from the don't-do-any-work-today dept.
    subbers writes "A zero-day flaw in Microsoft Word program is being used in an active exploit by sophisticated hackers in China and Taiwan, according to warnings from anti-virus researchers. The exploit arrives as an ordinary Microsoft Word document attachment to an e-mail and drops a backdoor with rootkit features when the document is opened and the previously unknown vulnerability is triggered. From the article: 'The e-mail was written to look like an internal e-mail, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software.'"
    Slashdot Link: http://it.slashdot.org/it/06/05/19/1718203.shtml

    Also in ISC:

    ISC Link: http://isc.sans.org/diary.php?storyid=1346

    Annnd from FSecure (from the ISC text):

    Summary

    Ginwui is a fully-featured backdoor with rootkit features. This backdoor was distributed inside a document file with a shell-code that dropped the backdoor's file to a hard drive and activated it.

    Detailed Description

    The shell-code in the Word document decrypts and drops the backdoor's file as CSRSE.EXE to the temporary folder and activates it.

    After being run the dropped file in its turn extracts and drops another file to a system. This file is dropped as WINGUIS.DLL to Windows System folder and its DoHook function is activated by the dropper. The dropper then deletes itself from a system.

    The dropped DLL file is the main backdoor component. It traps several functions and modifies information that is passed to a user. As a result the backdoor's file, startup key in the Registry and process are not visible to a user.

    The backdoor creates a startup key for its file in the Registry:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs" = "%WinSysDir%\winguis.dll"

    where %WinSysDir% represents Windows System folder which by default has the C:\Windows\System32\ name.

    Being active the backdoor connects to specified address in order to receive commands from a hacker. The backdoor allows a hacker to do any of the following on an infected computer:

    -> create, read, write, delete and search for files and directories
    -> access and modify the Registry
    -> manipulate services
    -> tart and kill processes
    -> take screenshots
    -> enumerate open windows
    -> create its own application window
    -> get information about infected computer
    -> lock, restart or shutdown Windows
    -> create a pipe and read files from it

    start a remote command shell
    enumerate network resources

    The backdoor also creates 3 empty SYS files in the \drivers\ subfolder of Windows System folder.

    ...
    ..
    .

    Write-up: Alexey Podrezov, May 19, 2006

    Technical Details: Alexey Podrezov, May 19, 2006
    FSecure Link: http://www.f-secure.com/v-descs/ginwui_a.shtml

    I'm sure there will be more to follow on this...
    \"We\'re the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We\'ve all been raised by television to believe that one day we\'ll all be millionaires and movie gods and rock stars -- but we won\'t. And we\'re learning slowly that fact. And we\'re very, very pissed off.\" - Tyler (Brad Pitt) Fight Club.

  2. #2
    Banned
    Join Date
    May 2006
    Posts
    8
    Good!

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    *sigh*

    Another new user who can't read the FAQ.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hmmmm,

    I wonder if anti-malware applications that protect the Registry would thwart this one?

    Something like RegistryProt:

    http://www.diamondcs.com.au/index.php?page=products

    There are a variety of other freebies on this site if you fancy a browse.


  5. #5
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    The exploit arrives as an ordinary Microsoft Word document attachment to an e-mail...

    Seems I haven't heard much about Word Exploits in awhile so I'd bet many will fall for this even if it's the same ole toon - attachments.

    As suggested a little change control might be in order. Wonder if Scotty would work as RegistryPort might?

    cheers
    Connection refused, try again later.

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi Relyt

    Yes he will, I run both at the same time (have done for years ) and it is interesting as to which one warns you first.

    I realise that I am probably in a minority, but I have believed in the Registry protection approach ever since I figured out that most crap tries to alter the Registry.

    OK, it isn't any good for your granny or Joe Soap, as they wouldn't understand the question, but I have deployed Scotty on a lot of people's boxes and it seems to work. I just explain that if they update software or install something new they will get warnings. If they are just using the computer as normal then there shouldn't be any.

    I also like the "sandbox" concept (hey that goes back to Berkley and the beginnings of Unix, if not before?) for e-mail and IM.



    EDIT: Sorry "Scotty" is WinPatrol: http://www.winpatrol.com

  7. #7
    Member
    Join Date
    Feb 2006
    Posts
    33
    Originally posted here by nihil
    Hmmmm,

    I wonder if anti-malware applications that protect the Registry would thwart this one?

    Something like RegistryProt:

    http://www.diamondcs.com.au/index.php?page=products

    There are a variety of other freebies on this site if you fancy a browse.

    Another nice one which you may not of heard of which acts as an intrusion prevent system for windows and which is also free is: Prevx

  8. #8
    Banned
    Join Date
    May 2006
    Posts
    8
    Due to the overwhelmingly popular response to my "Good!" comment, I have decided to release an actual post. Also, **** you for not just ignoring it like a mature person (on that note, **** me for not ignoring you like a mature person). Practice good security, communicate with the sender via a trusted channel to confirm that they sent you the email and the attachment.

  9. #9
    Senior Member
    Join Date
    Feb 2002
    Posts
    856
    Also, **** you for not just ignoring it like a mature person (on that note, **** me for not ignoring you like a mature person).
    Hi SicWitt,
    I hope this will be helpful advice. In the future, if you don't like a particular software program or vendor, please give reasons for your opinion in a logical, well thought out manner. Usually, one word posts add little to a discussion and are highly susceptible to being misinterpreted. I hope your future association with AO will be productive and fruitful. I look forward to learning from your posts.

    I think you are an idiot Phalse. Keep track of your ****. Do you have a "phone home" on TV and in all your books, pencils, and clothing? Hell no. If you responded to this question with a technical answer... wow.
    Hmm, a little more expansive, but not quiet what I was thinking of. I'm afraid if you keep this up your time on site will be short.
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  10. #10
    Banned
    Join Date
    May 2006
    Posts
    8
    Hi SicWitt,
    I hope this will be helpful advice. In the future, if you don't like a particular software program or vendor, please give reasons for your opinion in a logical, well thought out manner. Usually, one word posts add little to a discussion and are highly susceptible to being misinterpreted. I hope your future association with AO will be productive and fruitful. I look forward to learning from your posts.
    ... Self righeous *****.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •