MS09-002 Exploit in the wild uses MSWord Lure
Tuesday February 17, 2009 at 3:22 pm CST
Posted by Rahul Mohandas
An exploit targeting a recently patched vulnerability in Internet Explorer 7 has been discovered in the wild. Malware crooks were quick to develop a working exploit for the vulnerability, which was fixed in the February Microsoft patch release. Microsoft rated this vulnerability critical, with the possibility of consistent exploit code. The modus operandi closely resembles the zero-day attack using Word documents that we blogged about in December 2008.
The attack is delivered as a maliciously crafted document sent to unsuspecting users. This Word document contains an embedded ActiveX control that, when the document is opened, connects to a website hosting the MS09-002 exploit.
Malware authors are always working to create new and improved ways to evade detection and control compromised machines. This time, malware authors introduced obfuscation (base64 encoding), possibly to evade easy analysis and detection.
The ActiveX control facilitates connection to the malicious website to launch and execute the MS09-002 exploit.

For those who have not patched their machines, we suggest you install the MS09-002 patch immediately. It will just be a matter of time before different variants of this exploit start circulating in the wild and become incorporated into various Do-It-Yourself web attack toolkits.
The malicious Word document is detected with the current DATs as Exploit-MSWord.k, and the Internet Explorer 7 exploit is detected as Exploit-XMLhttp.d / Exploit-CVE2009-0075.
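
One way to triage a suspicious file for the base64 obfuscation mentioned above, added here as an example and not taken from McAfee's analysis or from the sample itself: carve base64 runs out of the raw bytes, decode them, and report any that hide a URL or object/script markup. The sample bytes, the `example.invalid` host and the function names are constructed for illustration; the post does not say which part of the attack was base64-encoded.

```python
import base64
import binascii
import re

# A run of 24+ base64-alphabet bytes, with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")
# Decoded content an analyst should look at: URLs or markup that loads script or objects.
INDICATOR = re.compile(rb"https?://[^\s\"'<>]+|<script|<object|<iframe", re.I)


def decode_run(run):
    """Decode one candidate run, repairing padding; return None if it is not base64."""
    body = run.rstrip(b"=")
    if len(body) % 4 == 1:          # a single leftover character can never be valid
        body = body[:-1]
    try:
        return base64.b64decode(body + b"=" * (-len(body) % 4))
    except (binascii.Error, ValueError):
        return None


def triage(blob):
    """Return (offset, indicator) pairs for base64 runs that decode to a URL or markup."""
    findings = []
    for match in B64_RUN.finditer(blob):
        decoded = decode_run(match.group())
        if decoded is None:
            continue
        for hit in INDICATOR.finditer(decoded):
            findings.append((match.start(), hit.group().decode("ascii", "replace")))
    return findings


# Constructed sample: binary filler around one encoded string, standing in for a document body.
_HIDDEN = base64.b64encode(b'<object data="http://landing.example.invalid/x.htm">')
SAMPLE = b"\xd0\xcf\x11\xe0" + b"\x00" * 16 + _HIDDEN + b"\x00" * 8 + b"plain text, no findings here"

if __name__ == "__main__":
    for offset, indicator in triage(SAMPLE):
        print(f"offset {offset}: {indicator}")
```

A run that is directly preceded by unrelated alphanumeric bytes decodes misaligned, so an empty result does not clear a file; treat hits as leads for manual analysis.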

February 18th, 2009 at 03:49
Does the Active-X component have a GUID that can be kill-bitted?
February 18th, 2009 at 07:36
This is mainly the reason why I prefer the Mozilla browser to IE. Especially IE7? Oh, I encountered so many problems with this browser, especially when downloading attachments using MSWord.
February 18th, 2009 at 10:55
[...] MS09-002 Exploit in the wild uses MSWord Lure http://www.avertlabs.com/research/blog/index.php/2009/02/17/ms09-002-exploit-in-the-wild-uses-msword... [...]
February 18th, 2009 at 13:40
Microsoft, Internet Explorer 7 is under fire …
An exploit follows hot on the heels of Microsoft's patch for Explorer 7, distributed last week: it can trigger drive-by download attacks. If you have not done so yet, update right away. A week after February's Patch Tuesday,…
February 19th, 2009 at 13:42
Here we go … again
February 19th, 2009 at 18:01
[...] it’s Will. I noticed that several blogs, including Trend Micro and McAfee, have been talking about the recent attacks on the Internet Explorer 7 vulnerability that was fixed [...]
February 20th, 2009 at 23:36
So what exactly is the virus doing after opening the malicious document (.doc) file, other than connecting to some Chinese site? Is it downloading malicious binaries from the web site... what is the intended purpose of those downloaded binaries? Expecting McAfee will update with the information.
Best Regards,
Praveen Darshanam,
Security Researcher