Recently, we blogged about MS Access exploits being targeted through Microsoft Word. In this blog we dig deeper to see the structure of the files used in this attack and analyze how the payload is delivered.
In the following example, the threat arrived as 2 files with “.doc” extensions (xxx1.doc and xxx2.doc); however, one of the files is actually a Microsoft Access database containing the MS Jet exploit. The whole story is depicted in Figure 1.
Figure 1: The flow of the trojan installation process
When users open the MS Word file xxx1.doc, the MS Access file xxx2.doc is loaded through the data link properties. Then the shellcode in the xxx2.doc file runs (triggered by the MS Jet exploit in the same file) and decodes itself in typical fashion. The shellcode launches WinWord.exe to open the innocent Word file embedded in “xxx1.doc”.
While the shellcode opens the Word file, it also decodes the executable file embedded in xxx1.doc. The decoding consists of a simple XOR with a mask of 0xFF, plus deobfuscation of the first 8 bytes of the MZ header, which are masked with the XOR mask 0xAF.
You can see the data link aspect of xxx1.doc by placing the xxx2.doc file in a different folder than xxx1.doc. When users open xxx1.doc, the “Data Link Properties” window appears. The specified database name is the path containing xxx2.doc and the password is empty. Because of this data link, xxx2.doc is typically loaded silently.
The trojan installation techniques used in this threat are nothing special and can be seen in other exploit files; however, the method used to trick users in this attack, using non-exploit OLE files as loaders for other exploit OLE files, is something new. As we have seen from past attacks, we can no longer rely on file extensions. We should remain careful with all unknown OLE files and not open untrusted email attachments.
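Two checks a mail or file-share scanner can apply to the pattern described above, as an added example that is not code from the original post: classify a “.doc” attachment by its leading bytes instead of its extension, and look for an embedded executable whose body is XORed with 0xFF. The function names and sample buffers are constructed for illustration, and the second check assumes the embedded executable carries the standard DOS stub message.

```python
import os

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound file (legacy .doc)
JET_MAGIC = b"\x00\x01\x00\x00Standard Jet DB"  # Jet database (.mdb)
ACE_MAGIC = b"\x00\x01\x00\x00Standard ACE DB"  # ACE database (.accdb)
# Assumption: the hidden PE has the usual DOS stub text. The stub sits past
# the first 8 header bytes, so per the post it is masked with 0xFF only.
DOS_STUB = b"This program cannot be run in DOS mode"
STUB_XOR_FF = bytes(b ^ 0xFF for b in DOS_STUB)


def sniff(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the file name."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(JET_MAGIC) or data.startswith(ACE_MAGIC):
        return "access-db"
    return "unknown"


def triage(name: str, data: bytes) -> list:
    """Return a list of findings for one attachment (empty list = nothing flagged)."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    kind = sniff(data)
    if ext == ".doc" and kind == "access-db":
        findings.append("extension-mismatch: .doc is an Access database")
    elif ext == ".doc" and kind != "ole":
        findings.append("extension-mismatch: .doc is not an OLE file")
    offset = data.find(STUB_XOR_FF)
    if offset != -1:
        findings.append(f"xor-0xff-pe-stub at offset {offset}")
    return findings


# Constructed samples (header bytes plus padding, not real malware).
SAMPLE_LOADER = OLE_MAGIC + b"\x00" * 64 + STUB_XOR_FF + b"\x00" * 16
SAMPLE_DB = JET_MAGIC + b"\x00" * 64

if __name__ == "__main__":
    for name, data in (("xxx1.doc", SAMPLE_LOADER), ("xxx2.doc", SAMPLE_DB)):
        print(name, triage(name, data))
```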