More analysis on the MS Jet Exploits camouflaging as Microsoft Word files

Recently, we blogged about MS Access exploits are being targeted trough Microsoft Word. In this blog we dig deeper, to see the structure of the files used in this attack, and analyze how the payload is delivered.

In the following example, the threat arrived as 2 files with “.doc” extensions (xxx1.doc and xxx2.doc); however one of the files is actually a Microsoft Access database containing the MS Jet exploit.  The whole story is depicted in Figure 1.

Figure 1: The flow of the trojan installation process

When users open the MS Word file xxx1.doc, the MS Access file xxx2.doc is loaded through the data link properties. Then the shellcode in the xxx2.doc file runs (triggered by the MS Jet exploit in the same file) and decodes itself in typical fashion.  The shell code launches WinWord.exe to open the innocent Word file embedded in “xxx1.doc”.

While the shellcode opens the Word file, it also decodes the executable file embedded in xxx1.doc. The decoding includes the simple XOR with a mask of 0xFF, and to deobfuscate the first 8 bytes of MZ header which is masked with XOR mask 0xAF.

You may see the data link aspect of xxx1.doc by placing the xxx2.doc file in a different folder than xxx1.doc. When users open xxx1.doc, the “Data Link Properties” window appears.  The specified database name is a the path containing xxx2.doc and the password is empty.  Because of this data link, xxx2.doc is typically loaded silently.

The trojan installation techniques used in this threat are nothing special and can be seen in other exploit files; however the method to trick users in this attack, by using non-exploit OLE files as loaders of other exploit OLE files is something new. As we see from past attacks, we no longer can rely on file extensions. We should continuously be careful with all unknown OLE files and not open untrusted email attachments.