An exploit targeting a vulnerability in the Japanese word processor JustSystem Ichitaro, unpatched as of the time of this writing, was discovered in the wild on 3rd August. We identify the threat as the Exploit-TaroDrop.c trojan.

The modus operandi bears close resemblance to the 0-day attack we blogged about in April 2007. The attack, delivered in the form of a maliciously crafted document, drops BackDoor-DKI.gen, a trojan that was used amongst other malware in the April attacks. The shellcode also drops a clean copy of the document as “aa.jtd” and re-opens it in the word processor, a decoy technique that leaves the victim looking at an ordinary document rather than a crashed application. In addition, a further layer of obfuscation code has been added on top of the basic XOR encryption we saw in the past.
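As an added example (this is not McAfee's code and is not derived from the sample), the following Python triage helper shows the basic analysis step that the XOR layer invites: brute-forcing a single-byte XOR key to locate an executable embedded in a document blob. The document, the key (0x5A) and the embedded executable stub are all constructed here for illustration. It handles only the plain XOR layer; the additional obfuscation layer mentioned above would need its own decoding step before this check would fire.

```python
"""Brute-force single-byte XOR to find an embedded executable in a document.

Added example for triaging document droppers of the TaroDrop kind.
The document bytes, the key and the PE stub below are constructed; they
are not taken from any real sample.
"""
import re
from typing import Iterable, List, Tuple

SAMPLE_KEY = 0x5A  # constructed key, chosen for the example only


def build_fake_pe() -> bytes:
    """Build a minimal MZ/PE-shaped blob: DOS header with e_lfanew,
    the classic DOS stub string, and a 'PE\\0\\0' signature."""
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    dos_header[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew -> 0x80
    dos_stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
                b"This program cannot be run in DOS mode.\r\n$")
    body = (bytes(dos_header) + dos_stub).ljust(0x80, b"\x00")
    body += b"PE\x00\x00" + b"\x4c\x01"  # signature + Machine = i386
    return body + b"\x00" * 64


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def build_document(key: int = SAMPLE_KEY) -> bytes:
    """Constructed 'document': filler text, then the XOR-encoded PE, then more filler.
    The filler is arbitrary text; a real .jtd would carry OLE/JTD structures here."""
    filler = b"JTD document filler " * 20       # 400 bytes of filler
    return filler + xor_bytes(build_fake_pe(), key) + b"trailing" * 5


def find_xored_executables(doc: bytes,
                           keys: Iterable[int] = range(0, 256)
                           ) -> List[Tuple[int, int, int]]:
    """Return (key, offset, e_lfanew) for every position where decoding the
    document with `key` yields 'MZ' followed by a plausible e_lfanew that
    points at a 'PE\\0\\0' signature. Key 0 covers an unencoded payload."""
    hits = []
    for key in keys:
        dec = xor_bytes(doc, key)
        for m in re.finditer(b"MZ", dec):
            off = m.start()
            if off + 0x40 > len(dec):
                continue
            e_lfanew = int.from_bytes(dec[off + 0x3C:off + 0x40], "little")
            # Real e_lfanew values are small; this rejects random 'MZ' pairs.
            if 0x40 <= e_lfanew <= 0x400 and \
                    dec[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00":
                hits.append((key, off, e_lfanew))
    return hits


def carve(doc: bytes, key: int, offset: int) -> bytes:
    """Decode from the hit offset to the end of the document. A fuller tool
    would parse the PE section table to trim the trailing bytes."""
    return xor_bytes(doc[offset:], key)


if __name__ == "__main__":
    document = build_document()
    for key, off, e_lfanew in find_xored_executables(document):
        print(f"key=0x{key:02x} offset={off} e_lfanew=0x{e_lfanew:x}")
        payload = carve(document, key, off)
        print("DOS stub present:", b"This program cannot be run" in payload)
```

The e_lfanew check is what keeps the brute force quiet: with 255 candidate keys, a bare `MZ` match fires on ordinary text far too often, whereas requiring a small e_lfanew that lands on `PE\0\0` almost never does by accident.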

We caution all Ichitaro users that we may continue to see such attacks against this localized application. More details on Exploit-TaroDrop.c are available at http://vil.nai.com/vil/content/v_142899.htm.