MS Word Zero-Day Hack Under Way

"Currently, observed attacks are limited to attacks against select targets," Symantec warned in a bulletin to customers of its DeepSight Threat Management System.

The attack is successful against the newest version of Microsoft's word processor, Word 2003, but only crashes Word 2000 and Word XP, without leading to a computer compromise.

The attack, which Symantec dubbed "Trojan.Mdropper.H," begins with an e-mail that offers an attached file that appears to be a Word document. Opening the document lets the Trojan execute; it then drops another piece of malware, "Backdoor.Ginwui," onto the PC.

That backdoor installs a rootkit to hide itself, said Symantec, opens a channel to a hacker Web site, then waits for instructions. According to analysis done by the Cupertino, Calif.-based security company, Ginwui gathers system information, gives the attacker access to the cmd.exe (command) shell, and takes and transmits screenshots, perhaps with the goal of grabbing images of financial usernames and passwords.

"DeepSight advises that Microsoft Word document email attachments are blocked at the network perimeter," Symantec's warning read. "Furthermore, extreme caution should be exercised while processing Microsoft Word documents received as an unexpected email attachment."