NEWS FROM THE LAB - Sunday, May 21, 2006

3322, 8866 and others Posted by Mikko @ 21:02 GMT

There's been quite a lot of buzz about the new 0-day Word vulnerability.

While talking about details of the vulnerability, it's easy to forget what the vulnerability was actually used for.

According to the information we have, a US-based company was targeted with emails that were sent to the company from the outside but were spoofed to look like internal emails.

8866The emails contained a Word DOC file as an attachment. DOCs are a nasty attack vector. Few years ago, when macro viruses were the number one problem, many companies were not allowing native DOC files through their email gateways. Now that has changed, and DOCs typically get through just fine. But Word has vulnerabilities and users typically don't install Word patches nearly as well Windows patches.

When run, the exploit file ran a backdoor, hid it with a rootkit and allowed unrestricted access to the machine for the attackers, operating from a host registered under the Chinese 3322.org domain.

3322.org is a free host bouncing service in China. Anybody can register any host name under 3322.org (like whatever.3322.org) and the service will point that hostname to any IP address you want. There's actually a series of such services, including 8866.org, 2288.org, 6600.org, 8800.org and 9966.org. There are tons of useful things you can do with such host-resolving service. And tons of bad things too.

Now, we've seen these kinds of attack before.

In March 2005, somebody was sending out dozens of emails to US government email addresses, spoofed to be from Washington Post. The email content talked about "international IPR conventions China has acceded to". The attached DOC file dropped a backdoor that connected to a host under 8866.org.

In September 2005, somebody sent several batches of EU-themed emails to addresses at the EU Parliament. Email topics included "Parliamentary Assembly", "Assembly of Council of Europe" and "Parliamentary Assembly Declaration". Emails contained a DOC that connected to a host under 3322.org.

In March 2006, a big European company received emails that were spoofed to look like internal job applications. The attached DOC file dropped a backdoor that connected to a host under 3322.org.

In April 2006, another European company was targeted by a similar attack, this time connecting to a host under 8866.org.

And now in May 2006, this latest case complete with a zero-day exploit, connecting to a host under 3322.org.

So, should you block access to hosts under 3322.org, 8866.org and others? Depends. It's kind of like blocking access to Geocities: you'd block lots of bad stuff - and lots of good stuff. But then again, most users of these services are in China. If you're not in China and your users are not supposed to access different Chinese services, blocking might not break too many things.

We'd recommend you'd at least check your company's gateway logs to see what kind of traffic you have to such services.