Targeted/semi-targeted attacks have been utilizing exploits against Microsoft's "RTF Stack Buffer Overflow Vulnerability" (CVE-2010-3333) since last December. The vulnerability was patched last November in security bulletin MS10-087.
Many of the attacks we've seen which exploit CVE-2010-3333 have used topical subject lines.
And this week is no different. So of course, there's an Osama bin Laden RTF exploit circulating in the wild which uses the subject: "FW: Courier who led U.S. to Osama bin Laden's hideout identified".
The file is named "Laden's Death.doc" and appears as shown:
When the RTF file is opened, the exploit executes shellcode and drops a file named server.exe inside C:/RECYCLER and executes it.
C:/RECYCLER/server.exe does the following:
• Drops a file in the system's temp folder: vmm2.tmp
• File vmm2.tmp is renamed and moved to c:\windows\system32\dhcpsrv.dll
• Makes registry modifications in an attempt to hijack the DHCP service.
It attempts to connect to a C&C hosted at ucparlnet.com.
The payload has the ability to:
• Download additional malware
• Connect and send sensitive data back to remote servers
• Act as a trojan proxy server
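As an added example (not F-Secure's code), the following Python matches constructed host-telemetry events against the indicators given above: server.exe in C:\RECYCLER, vmm2.tmp in the temp folder, dhcpsrv.dll written to system32, a change under the DHCP service's registry key, and a connection to ucparlnet.com. The event schema and the use of HKLM\SYSTEM\CurrentControlSet\Services\Dhcp as the service key are assumptions.

```python
import re

# Each rule: (name, event type, regex over the event's target). Targets are
# normalised to lowercase with backslashes before matching, so the post's
# "C:/RECYCLER" spelling and the usual "C:\RECYCLER" both match.
RULES = [
    ("dropper_in_recycler", "file_create", r"^c:\\recycler\\server\.exe$"),
    ("tmp_stage",           "file_create", r"\\temp\\vmm2\.tmp$"),
    ("dhcp_dll_planted",    "file_create", r"\\windows\\system32\\dhcpsrv\.dll$"),
    # Assumed key: the Windows DHCP client service is registered as "Dhcp".
    ("dhcp_service_key",    "reg_set",     r"^hklm\\system\\currentcontrolset\\services\\dhcp\\"),
    ("c2_contact",          "net_connect", r"(^|\.)ucparlnet\.com$"),
]

def _norm(target):
    return target.replace("/", "\\").lower()

def scan_events(events):
    """Return the set of rule names hit. Events are dicts with 'type' and 'target'."""
    hits = set()
    for ev in events:
        for name, etype, pattern in RULES:
            if ev["type"] == etype and re.search(pattern, _norm(ev["target"])):
                hits.add(name)
    return hits

def verdict(hits):
    """The dropper together with the planted DLL or C&C contact is the full chain."""
    if "dropper_in_recycler" in hits and ({"dhcp_dll_planted", "c2_contact"} & hits):
        return "infected"
    return "suspicious" if hits else "clean"

# Constructed telemetry (assumed schema), with two benign lines that must not fire.
SAMPLE_EVENTS = [
    {"type": "file_create", "target": "C:/RECYCLER/server.exe"},
    {"type": "file_create", "target": "C:\\Users\\a\\AppData\\Local\\Temp\\vmm2.tmp"},
    {"type": "file_create", "target": "c:\\windows\\system32\\dhcpsrv.dll"},
    {"type": "reg_set",     "target": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dhcp\\Parameters\\ServiceDll"},
    {"type": "net_connect", "target": "ucparlnet.com"},
    {"type": "file_create", "target": "C:\\Windows\\Temp\\setup.tmp"},  # benign noise
    {"type": "net_connect", "target": "update.microsoft.com"},          # benign noise
]

if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    print(sorted(hits), verdict(hits))
```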
Checking our back end shows that some of our customers have also been exposed. Our detection name for the exploit is Exploit:W32/Cve-2010-3333.G and the RTF payload is detected as Trojan:W32/Agent.DSKA.
As always, the usual advice applies: exercise caution when opening attachments, patch/update your MS Word/Office, and make sure your antivirus is up to date.
Updated to add: Here's a picture of an e-mail spreading this document. This was sent to analysts in Washington, D.C. The picture was published by Lotta Danielsson-Murphy. Do note that the sender information in the e-mail is forged.