Saturday, May 20, 2006

MS Word Trojan Targets Corporate Users

A new vulnerability has been found in MS Word that allows attackers to "execute any external commands, download additional Trojans, capture desktop screen shots, monitor and record keystrokes or passwords," according to McAfee. The vulnerability is known as primarily as, BackDoor-CKB!cfaae1e6 or Ginwui requires user to download malicious MS Word files in order to affect a system and does not spread virally like a worm. However, the exploit is tricky because it attempts to mimic business common communication in order to entice users to download the Word file, which is usually distributed as an email attachment. According to Microsoft's 2nd Security Resonse Center Blog Posting on the trojan, the two common email subject headers carrying the malware are:

  1. Notice
  2. RE Plan for final agreement

This vulnerability affects Word XP and Word 2003. The malware does not install on Word 2000, but it does make the application crash. Microsoft reports that Word Viewer is not affected and that they are on track to release a patch fixing the problem in time for their next update release on June 13th.

SANS has released recommended defenses for mitigating this threat until the vendor patch is released. The most practical advice is really to use Open Office to open Word attachments until the application can be patched. Other recommendations like quarantining attachments for several hours or waiting to open attachments until after their validity has been confirmed by the sender may not realistic for many organizations that rely on rapid reaction to Word documents.

Most of the major anti-virus software have already updated their signature database:

McAfee:

Exploit-OleData.gen
Backdoor-CKB!cfaae1e6

Symantec:

Dropper component
Backdoor.Ginwui (Backdoor component)
Backdoor.Ginwui.B

F-Secure:

Ginwui.A

Trend Micro:

W97M_MDROPPER.AB
W97M_MDROPPER.AC

I could not find a signature for ClamAV in searching their database earlier this morning but ClamAV, which is open source, is usually one of the fastest to write new signatures and I'm sure the update will be added shortly.


technorati tags: , , , , , ,

posted by Andrew Fife @ 11:00 AM   0 comments

0 Comments:

Post a Comment

<< Home

Powered by Blogger