Security experts are warning of a critical vulnerability affecting users of Microsoft Word XP and Word 2003. To quote the SANS Internet Storm Center report:
We are still analyzing the trojan dropped by the exploit. What we do know is that it communicates back to localhosts[dot]3322[dot]org via HTTP. It is proxy-aware, and pings this server using HTTP POSTs of 0 bytes (no data actually POSTed) with a periodicity of approximately one minute. It has rootkit-like functionality, hiding binary files associated with the exploit (all files on the system named winguis.dll will not be shown in Explorer, etc.), and invokes itself automatically by including the trojan binary in HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows. Note that, as of this morning, no anti-virus signatures detected this file as problematic according to virustotal.com.
We have traced nearly this attack to the far east; specifically, China and Taiwan. IP's seen are registered there, domains seen are registered there, and the emails received originated from a server in that region. The attackers appear to be aware that they have been outed, and have been routinely changing the IP address associated with the URL above.
Due to the aggravating circumstances (0-day, no AV detection), we wanted to make sure the community is aware that this problem exists as soon as possible.
Users should be aware that as of now this vulnerability is only being exploited as a very concentrated and targeted attack. That said, Microsoft is working diligently with anti-virus vendors to update their products in an effort to detect and combat a more widespread use of this exploit. Microsoft also states that they have a patch for this security issue ready and it is currently in testing and scheduled to be released as part of the June security updates on June 13, 2006, or sooner if necessary.
View: SANS Internet Storm Center
News source: Microsoft Security Response Center Blog