Very inventive targeted attack through Word attachment
Published May 19th, 2006 in Exploits/Vulnerabilities, Intrusion Detection/Prevention, Security, SonicWALL
SANS is reporting a targeted attack against a particular company. The attack begins with an email from a domain that closely resembles the company’s own domain, so that it appears to be an internal email. The attached Word file uses an undisclosed exploit to extract and execute a Trojan. Another interesting bit is that it overwrites the attached Word file with a ‘clean’ copy so that everything appears fine after the fact. The attack was not picked up by spam filters or antivirus.
In short, this is a nasty one.
Lessons… Hmm… This is a tough one to defend against. I’d like to know if the user was running with Admin privileges. Also, was the Word exploit triggered through a macro? UTM firewalls like the SonicWALL allow blocking of Microsoft Office files that contain VBA scripts. It would be interesting to see if such a policy would have prevented this exploit.
Still, it demonstrates the challenges of defending against targeted attacks. It’s a dangerous world out there!
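An added example (not from the original post or from SANS): one way a mail gateway or log review could flag a sender domain that closely resembles the company's own, as in the email described above. OWN_DOMAIN, the confusable-character map, the distance threshold and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "example-corp.com"  # assumption: placeholder for the real domain
# Assumed map of digits often swapped for look-alike letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample messages (not taken from the incident).
SAMPLES = [
    "From: Alice <alice@example-corp.com>\nSubject: Q2 numbers\n\nhi",
    "From: IT Helpdesk <helpdesk@exampl-corp.com>\nSubject: Policy\n\nhi",
    "From: hr@3xamp1e-c0rp.com\nSubject: Review\n\nhi",
    "From: news@vendor.example\nSubject: Newsletter\n\nhi",
]

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def sender_domain(raw_message):
    """Lower-cased domain of the From: header, or '' if there is none."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rpartition("@")[2].lower().rstrip(".")

def classify(raw_message, own=OWN_DOMAIN, max_distance=2):
    """Return 'internal', 'lookalike' or 'external' for the From: domain."""
    dom = sender_domain(raw_message)
    if dom == own or dom.endswith("." + own):
        return "internal"
    # Same string once look-alike digits are folded to letters.
    if dom.translate(CONFUSABLES) == own.translate(CONFUSABLES):
        return "lookalike"
    # A few typo-level edits away from the real domain.
    if dom and edit_distance(dom, own) <= max_distance:
        return "lookalike"
    return "external"

if __name__ == "__main__":
    for msg in SAMPLES:
        print(sender_domain(msg), "->", classify(msg))
```

Messages classified as lookalike are candidates for quarantine or an external-sender banner; the threshold needs tuning against legitimate partner domains with similar names.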
Source: SANS - Internet Storm Center