Simply Security - News, Views, and Opinions from Trend Micro

Spam Asks Recipients to Join Jasmine Revolution

Posted on April 8th, 2011 in Current News, Cybercrime by TrendLabs

After the Tunisian Revolution (also called the Jasmine Revolution by many media organizations) in late 2010 and early 2011, “Jasmine” became a hot word in China.

Last week, a friend of mine in China received an email with an attached Microsoft Word document (an RTF file) titled “My thoughts on the jasmine flower” (the document is written in Chinese). He had no idea who the sender was. When he opened the document and read the content, he was surprised to find that its author tried to persuade him to join a demonstration called the “Jasmine Revolution”. He was even more surprised when he found out later that his personal computer had been infected with a backdoor Trojan.


After checking the RTF file, I found that the sample tries to exploit CVE-2010-3333, an old stack-based buffer overflow vulnerability in Microsoft Word’s RTF parser. By crafting a malformed RTF file, an attacker can execute arbitrary code on the user’s machine. A colleague of mine at Trend Micro already wrote about malware exploiting this vulnerability late last year, and Microsoft had patched it a month before that through MS10-087.

The file is now detected as TROJ_ARTIEF.KER. Below is a snippet of the crafted data, including part of the shellcode. The data is hex-encoded, which is how RTF carries binary content. Here we can see the familiar address 0x7FFA4512 (stored little-endian in the file, i.e. as the bytes 12 45 FA 7F), which on older Windows versions points at a jmp esp instruction in memory mapped into every process and is therefore often used as the return address in stack-based buffer overflow exploits.


The payload is a PE file (detected as BKDR_IRCBOT.KER) embedded in the RTF file. When the shellcode executes, it obtains a handle to the open document by enumerating handle values starting from 0x4 until it finds a file of the expected size (0x24C00 bytes), i.e. the malicious RTF itself. It then reads the embedded payload through that handle and drops it into the temp folder.
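To make the two analysis steps above concrete (finding the return address in the hex-encoded data, and the shellcode’s handle walk that locates the document by size before carving the payload), here is an added example that is not part of the original post and does not use the real sample or its shellcode. It builds a constructed toy RTF (the pFragments shape property it uses is the known CVE-2010-3333 trigger point, but this file does not trigger the bug), decodes the hex runs, looks for 0x7FFA4512 stored little-endian, and then simulates the shellcode: it walks open files looking for one of 0x24C00 bytes, reads the document back through that handle, carves the embedded PE by its MZ/PE signatures and drops it into the temp folder. POSIX file descriptors and os.fstat stand in for Win32 handles and GetFileSize; the inert fake PE, the file layout and all function names are assumptions made for illustration.

```python
"""Added example (not the TrendLabs sample): on a constructed toy RTF, spot the little-endian return
address 0x7FFA4512 in hex data, then simulate the shellcode's handle walk and payload drop."""
import os
import re
import stat
import struct
import tempfile

DOC_SIZE = 0x24C00                                   # size the shellcode looks for, from the post
JMP_ESP_LE = struct.pack("<I", 0x7FFA4512)           # b"\x12\x45\xfa\x7f": the address as stored on disk
HEX_RUN = re.compile(rb"(?:[0-9a-fA-F]{2}\s*){8,}")   # a run of at least 8 hex-encoded bytes

def decode_hex_runs(rtf: bytes):
    """Yield (offset_in_rtf, decoded_bytes) for every long hex run in the RTF text."""
    for m in HEX_RUN.finditer(rtf):
        yield m.start(), bytes.fromhex(re.sub(rb"\s+", b"", m.group(0)).decode("ascii"))

def find_return_address(rtf: bytes):
    """Return (rtf_offset, offset_in_decoded_run) of the first little-endian 0x7FFA4512, or None."""
    for off, blob in decode_hex_runs(rtf):
        idx = blob.find(JMP_ESP_LE)
        if idx != -1:
            return off, idx
    return None

def carve_pe(blob: bytes):
    """Return the first embedded PE image: an MZ header whose e_lfanew points at the PE signature."""
    mz = blob.find(b"MZ")
    while mz != -1:
        if mz + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, mz + 0x3C)[0]
            if blob[mz + e_lfanew:mz + e_lfanew + 4] == b"PE\0\0":
                return blob[mz:]
        mz = blob.find(b"MZ", mz + 1)
    return None

def find_open_file_by_size(size: int, max_fd: int = 1024):
    """Walk descriptor numbers as the shellcode walks Win32 handles upward from 0x4 and return the
    first regular file of the wanted size (Win32 handles are multiples of 4; POSIX fds are dense)."""
    for fd in range(3, max_fd):
        try:
            st = os.fstat(fd)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_size == size:
            return fd
    return None

def drop_payload_from_open_document(size: int = DOC_SIZE):
    """The shellcode's job: find the document's own handle, read it back, carve the PE, drop it."""
    fd = find_open_file_by_size(size)
    if fd is None:
        return None
    os.lseek(fd, 0, os.SEEK_SET)
    data = b"".join(iter(lambda: os.read(fd, 65536), b""))
    for _, blob in decode_hex_runs(data):
        pe = carve_pe(blob)
        if pe is not None:
            out_fd, out_path = tempfile.mkstemp(suffix=".bin")   # a real dropper would pick an .exe name
            with os.fdopen(out_fd, "wb") as f:
                f.write(pe)
            return out_path, pe
    return None

def build_fake_pe() -> bytes:
    """Constructed, inert stand-in for the embedded backdoor: valid MZ/PE signatures only."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew -> PE signature at 0x40
    return bytes(hdr) + b"PE\0\0" + b"\x4c\x01" + b"\0" * 18 + b"inert payload for the example"

def build_sample_rtf(pe: bytes, total_size: int = DOC_SIZE) -> bytes:
    """Constructed toy RTF: a pFragments shape property (the CVE-2010-3333 trigger point) carrying
    NOPs, the return address and INT3s instead of real shellcode, then the hex-encoded PE, padded
    to exactly total_size bytes. It does not trigger the bug."""
    fake_shellcode = b"\x90" * 16 + JMP_ESP_LE + b"\xcc" * 8
    body = (b"{\\rtf1\\ansi{\\shp{\\sp{\\sn pFragments}{\\sv 9;2;" + fake_shellcode.hex().encode()
            + b"}}}{\\*\\data " + pe.hex().encode() + b"}\\par }")
    pad = total_size - len(body)
    if pad < 0:
        raise ValueError("payload too large for the target size")
    return body[:-1] + b" " * pad + b"}"

def run_demo():
    """Write the toy RTF, hold it open as Word would, run both checks and return the results."""
    pe = build_fake_pe()
    rtf = build_sample_rtf(pe)
    tmp_fd, path = tempfile.mkstemp(suffix=".rtf")
    os.write(tmp_fd, rtf)                            # tmp_fd now plays the handle Word holds open
    try:
        hit = find_return_address(rtf)
        dropped = drop_payload_from_open_document()
    finally:
        os.close(tmp_fd)
        os.unlink(path)
    if dropped is not None:
        os.unlink(dropped[0])                        # remove the dropped file again
    return {"size": len(rtf), "ret_addr_hit": hit, "expected_payload": pe,
            "payload": None if dropped is None else dropped[1]}
```

Calling run_demo() writes the toy document to a temporary file, keeps a descriptor to it open as Word would, and returns the file size, the position of the return address and the carved payload. On a real sample you would feed the RTF bytes straight to find_return_address and decode_hex_runs; the handle walk is only meaningful from inside the exploited process, which is exactly why the shellcode uses it instead of a hard-coded path.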


After successful exploitation, a clean decoy document is opened so that the victim notices nothing unusual; as mentioned at the beginning of this post, the decoy’s content is about the “Jasmine Revolution”. Below are the slogans of the demonstration: we need food, we need work, we need housing, we need freedom, we need justice.



This attack closely resembles one we saw in 2008, in which Excel and PowerPoint documents related to the Tibet conflict were used to disguise exploits.

Users who receive emails like the one described here are strongly advised not to open the attached document and to delete the message. Since the exploit relies on a vulnerability that Microsoft fixed in MS10-087, keeping Office fully patched also blocks this particular RTF.
