The MS-Word Zero Day


Dang! went my snort with an alert. Oh these false positives can be so confusing at times; i thought, i had just re-configured my snort rules, and reformatted my laptop last week. "wat could be wrong" i thought. Hesitating (due to my laziness) i fired up Process View, TCPView and ethereal to monitor my traffic and began analysing my snort logs for any suspicious activity. Nothing seemed unusual from the initial looks of the raw TCP / IP headers until i saw the processes in process explorer running under SYSTEM.

Shit !! why are there two instances of smss.exe running. (smss is the NT session manager subsystem which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hanged state).

I traced back the path it was running from and SURE it wasnt the %SystemRoot%. The second instance of the application was running from C:\Document and Setttings\%USER%\ApplicationData\. A quick run of the signature verification revieled more than 6 ciritical system files including csrss.exe (Client Server Runtime Process) and services.exe (Services and Controller App) were already replaced too with an unknown version.

Convinced that my system was a virgin nomore i made a comparison of lsass.exe and srss.exe with my shadow copies to match the difference. Filtering the binary on my filemon, regmon and tcpview i started monitoring its activity. The infected srss was listening on port 5557 and on another thread trying to connect on random IPs of range 61.166.125.1 – 10 which whois-ed to an ISP in china. Cursing myself i tried to recall what-went-wrong-where. Oh hmm, i opened up thunderbird to view the last couple of emails. Duh, i remembered i had opened that word file recieved from my boss. I opened up my dev VM and snapshoted it to the current state and opened up the .doc file in the hexeditor to view the file header. Scanned the file EXPLICITELY in Trend Micro and Norton AV with updated defs reported the file as cleaned, no wonder the av vendors are still working on the signature. Windows Defender / Stinger / Core Force reported nothing as well. Sigh, thats why they call it a zero day.

The "Trojan-Dropper.MSWord.1Table.bd" showed an error message when I downloaded and opened the infected file. Clicking on ‘Retry’, the malicious file was replaced by a clean one immediately. By this time however My VM was already screwed and The Dropper went ahead and downloaded a complete binary: ‘Backdoor.Win32.Gusi’. This backdoor opened a direct channel that connected to a remote attacker suspected to be sitting in China / Taiwan, to receive and execute commands. The binary immediately hid itself after installing which shows it has rootkit capability as well.

Feeling a little more proud then john-the-network-manager, i plugged in my USB firewire to restore my laptop with the last-known-stable ghost image. Finishing my can of dew i rememberd my old good times. Yea, less filename.txt on a nix console was always safer than double clicking a wordfile.

The Microsoft Security Blog response : " Microsoft is completing development of a security update for Microsoft Word that addresses this vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the June security updates on June 13, 2006, or sooner as warranted. " (http://www.microsoft.com/technet/security/advisory/919637.mspx)
(http://www.frsirt.com/english/advisories/2006/1872)

.. sigh till then:

The only workarounds known to date:

1. Disable Word as Mail Editor in Outlook. Start Word only in safe mode: winword.exe /safe
2. A registry script that sets a Software Restriction Policy that runs any instance of ‘winword.exe’ with the ‘Basic User’ policy script from http://blogs.securiteam.com/index.php/archives/category/microsoft/
3. Turn off your computer, unplug it from the network, goto sleep and dream of a yet-another-zero-day.

About these ads

2 thoughts on “The MS-Word Zero Day

  1. I am impressed how you methodically, somewhat, backtraced the compromise. It is a lovely read, indeed. Wonderful!

    I would like to add a fourth wordaround, and I bet coming from me, you would have already guessed it: reboot your computer, format and install Linux. :-)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s