Malware writers never miss the chance to take advantage of big world events, no matter how tragic. The recent Japanese nuclear incident, caused by the devastating earthquakes, is their target this time.
The Microsoft Malware Protection Center has been tracking a new backdoor (detected as Backdoor:Win32/Sajdela.A, SHA1 0c3526c7e1d6b8a3d2f5c21986c03f1dc0d88480) that is distributed by utilizing Exploit:Win32/CVE-2010-3333 – code that exploits a previously-addressed RTF parser stack overflow vulnerability in Microsoft Word that may allow remote code execution. (See Microsoft Security Bulletin MS10-087 for additional details and the appropriate update).
The malware arrives on a victims’ system appearing to be a Microsoft Word document (.doc), for example:
The name of this file is in Japanese characters; translated to English it would read “Japan nuclear leakage”. In actual fact, the file is in RTF format.
The following picture illustrates the malicious shell code it contains:
The payload of this malware is an embedded executable file. But to elude a heuristic scanner, the malware erases the PE file signatures (‘MZ’ and ‘PE’).
After successful exploitation, the malware recovers this information before writing the PE file to disk and then executing it.
In order to mislead victims, the malware also drops a hidden Microsoft Word document to “c:\word.doc” and opens it. The content of this file is in Japanese, and is regarding the recent nuclear incident.
This file contains the following file properties:
(A clue to the identity of the malware authors perhaps?)
The backdoor component
Installing the backdoor component is the ultimate purpose of this malware. The backdoor component is an encrypted resource inside the malware. When the malware executes, it decrypts the resource and drops it to %SystemRoot\System32\csrls.dll.
The backdoor utilizes control servers at the following locations:
• 24.173.215.70
• 65.5.227.69
The backdoor allows unauthorized access and control of an affected computer, and can be used by a remote attacker to perform actions such as downloading and executing arbitrary files, capturing information and terminating processes.
Using social engineering in this manner to get users to perform actions of the attacker’s choice (for example, opening a file) isn’t news. But when confronted with such a catastrophe, the need for information and reassurance is strong. Don’t forget that attackers will always try to take advantage of human nature. So be careful.
As for the good news – you can keep your system safe from these ill tidings by keeping your antivirus software up to date and ensuring that you apply security updates in a timely fashion.
We will continue to keep you posted.
–Zhitao Zhou, MMPC
