Sunday

More details on the "in the wild" MS07-060 exploit



Yesterday, I blogged about the Microsoft Word exploit MS07-060 in the wild. It seems this exploit sample was first captured by a Belgian researcher Maarten Van Horenbeeck and shared with Symantec and other vendors. He gives a detailed analysis, pointing out how targeted this attack was and still is. It also shows us that the first appearance of the exploit was 6-8 hours before Microsoft released the patch.

It was executed early in the day on Tuesday, while Microsoft released its patch in the late afternoon. At the time of the attack, AV coverage was nonexistent.

As part of our investigation we extracted each of the binaries and performed analysis on them separately. None of them was detected by more than a few anti virus tools. Five days after the attack, which was distributed to AV vendors on Tuesday evening, coverage is still spotty (none of them gains more than a 5/32 on Virustotal).

We distributed this sample to 30+ AV vendors on Tuesday night CEST. Currently (Friday night), according to Virustotal, the following anti virus solutions have implemented file-scanning coverage for the Word dropper:

AntiVir 7.6.0.23 2007.10.12 TR/Drop.MSWord.Macf.A
Fortinet 3.11.0.0 2007.10.12 W32/Agent.BZE!tr.bdr
F-Secure 6.70.13030.0 2007.10.12 Trojan-Dropper.MSWord.Macf.a
Ikarus T3.1.1.12 2007.10.13 Exploit.Win32.MS05-002
Kaspersky 7.0.0.125 2007.10.13 Trojan-Dropper.MSWord.Macf.a
NOD32v2 2589 2007.10.12 Win32/Agent.BZE
Symantec 10 2007.10.13 Trojan.Mdropper.Z
Webwasher-Gateway 6.0.1 2007.10.12 Trojan.Drop.MSWord.Macf.A
You can read the full analysis on the Daemon.be blog.

No comments: