E-mail attacks target unpatched Word hole

Antivirus companies and the SANS Internet Storm Center (ISC) issued a warning Friday about sophisticated e-mail attacks that are using a previously unknown hole in Microsoft Word to infiltrate corporate networks.

On Friday, Symantec raised its Internet threat rating, citing confirmation of attacks using an unknown hole in Microsoft Word were being used to compromise computers on the Internet. The warning came as monitors at ISC detailed "limited targeted attacks," originating from China and Taiwan, against an unnamed company that used Word attachments to install Trojan horse programs on corporate networks.

Symantec warned subscribers to its DeepSight Threat Management Service that it had confirmed reports of active exploitation of a hole in Microsoft Word 2003. The attacks use Word document attachments in e-mail messages to trigger the security hole and run code that gives attackers control over vulnerable systems, Symantec said.

The hole caused Microsoft Word 2000 to crash but did not allow remote attackers to run "shell code" that can be used to control the machine following exploitation, Symantec said.

Few other details were available about the hole Friday, however. Symantec said that attacks using the Word hole were "limited" and "against select targets," according to a DeepSight alert message.

According to a post on the ISC's blog, the attacks are from China and Taiwan. ISC has traced communications from infected machines back to servers and Internet domains registered there. Text embedded in the malicious files are also written in Chinese, ISC said.

Researchers at Sophos PLC, an antivirus firm based in the UK, said they were also tracking the malicious Word file, which is being used to distribute a Trojan horse called Oscor-B. That program was designed to give malicious hackers remote access to infected computers, wrote Graham Cluley, a senior technology consultant at Sophos, in an e-mail message to InfoWorld.

Sophos will be issuing protection against it Friday, said Cluley.

F-Secure calls the Trojan "W32/Ginwui.A", said Mikko Hyppönen, manager of anti-virus research at F-Secure . in Helsinki, Finland.

"We have seen malicious Word documents using similar or the same vulnerability in the past, but they have only worked on Chinese language versions of Word…This new version works on English language versions of Word, so there is obviously the potential for the attack to have a larger potential audience of victims," he wrote.

The attacks detailed by ISC are part of a "much bigger problem," Hyppönen said.

F-Secure has been tracking a series of sophisticated, very targeted attacks against large European corporations in recent months. All have used malicious Word file attachments to install malicious programs on corporate networks. The attacks, sometimes referred to as "spear phishing" attacks, use e-mail messages that appear to come from within a company, with spoofed sender addresses and even faked corporate letterhead information. The messages are sent to employees within the company, who are tricked into opening the attachment, believing it comes from a colleague, Hyppönen said.

Microsoft Word and other Office applications are a good target, because they are ubiquitous on corporate computers, and because companies often patch them far less frequently than the Windows operating system itself, he said.