Adobe Flash zero-day shows a Chinese connection

The latest Flash zero-day security hole -- the one hitched to a Word document -- literally has 'China' written all over it

Page 2 of 2

The .doc file isn't perfect; Mila found that opening the file with Word 2010 simply crashed Word. No harm, no foul. In some cases, Word 2010 would open a clean copy of the file, without an embedded Flash component. Word 2003 appears to be immune. Word 2007 is a different story.

Opening the .doc file on a Windows 7 system running Word 2007 installs backdoor code on the system. Based on the description in the article, it looks like the backdoor will only continue to work in the current session. If the user logs off or reboots, the backdoor disappears and will only appear again if the user opens that same doctored document.

Opening the .doc file on a Windows XP system running Word 2007 requires user interaction -- you have to click on the header and then click on the Flash object. But if you activate the Flash object manually, the Flash-based Trojan replaces the system file mspmsnsv.dll with a completely bogus version, and the registry is altered so that the program starts automatically each time Windows XP restarts. Researchers are still working out what this altered mspmsnsv.dll actually does. It is flagged as a Trojan by 18 of the 41 antivirus engines currently used in the VirusTotal scan.
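For a defender who wants to check a Windows XP or Windows 7 machine for the persistence described above, here is an added example (not from the article or the researchers it cites): a PowerShell script that verifies the Authenticode signature on mspmsnsv.dll and looks for autostart entries that reference it. The file location and the list of Run keys are assumptions; the article does not say which registry key the Trojan alters.

```powershell
# Added example, not part of the article. Checks the two artifacts the article
# describes: a replaced mspmsnsv.dll and a registry autostart entry for it.
# The DLL path and the Run-key list below are assumptions, not from the article.
$dll = Join-Path $env:SystemRoot 'System32\mspmsnsv.dll'
$findings = @()

# 1. The genuine file ships signed by Microsoft; a replaced copy normally is not.
if (Test-Path $dll) {
    $sig = Get-AuthenticodeSignature -FilePath $dll
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
        $findings += "mspmsnsv.dll signature check failed: status=$($sig.Status) signer=$signer"
    }
} else {
    $findings += "mspmsnsv.dll not present at $dll"
}

# 2. Common autostart locations (assumed list; the article names no specific key).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Metadata members that Get-ItemProperty adds to every result; not registry values.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        if ("$($p.Value)" -match 'mspmsnsv') {
            $findings += "Autostart value '$($p.Name)' under $key references mspmsnsv: $($p.Value)"
        }
    }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

On Windows 7 and earlier, Get-AuthenticodeSignature can report NotSigned for catalog-signed system files, so treat a signature finding as a lead and confirm it by comparing the file's hash with a copy from a known-clean machine of the same patch level.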

Here's where the China part comes in. Remember my earlier admonition: It's entirely possible that this Trojan is so clever it's merely trying to make researchers think it originated in China. Still, the evidence is worth considering.

Infected systems phone home by setting up an FTP connection, and in this case the address they phone home to is hard-coded: That IP address belongs to the China Unicom Beijing province network. The session contains a User-Agent field with the string zh-cn, the locale code for Chinese (PRC).

Every Word document has a CodePage. When Word opens the document, it uses the fonts defined by the CodePage to display the document on the screen. Typically the CodePage is set by the template used to create the document. The "Disentangling Industrial Policy and Competition Policy in China.doc" CodePage is Windows Simplified Chinese (PRC, Singapore).

Are we seeing yet another sophisticated attempt to infect and suck data out of PCs belonging to a specific group of people with an interest in China? Could the People's Republic of China government be behind it? Tantalizing questions, and as yet we have no irrefutable answers.

This story, "Adobe Flash zero-day shows a Chinese connection," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2011 IDG Communications, Inc.
