After the Tunisian Revolution, which many media organizations also called the Jasmine Revolution and which began in late 2010 and culminated in early 2011, “Jasmine” became a hot word in China.
Last week, a friend of mine in China received an email message with an .RTF attachment titled “My thoughts on the jasmine flower” (the document is written in Chinese). He had no idea who the sender was. When he opened the document and read its contents, he was surprised to find that its author was trying to persuade him to join a demonstration called the Jasmine Revolution. He was even more surprised when he later found out that his PC had been infected with a backdoor program.
After examining the .RTF file, I found that the sample attempts to exploit CVE-2010-3333, an old stack-based buffer overflow vulnerability in Microsoft Word’s RTF parser. By crafting a malformed .RTF file, an attacker can execute arbitrary code on a user’s machine as soon as the file is opened. One of my colleagues here at Trend Micro already reported malware exploiting this vulnerability late last year. Microsoft had patched the vulnerability a month before that, in MS10-087.
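For readers who want a quick way to triage an .RTF attachment like the one described above, here is an added example script; it is not part of the original post and is not the analysis tool used on this sample. It relies on one fact the post does not state but MS10-087 does: CVE-2010-3333 is triggered through the `pFragments` shape property, whose value carries hex data that is copied into a fixed-size stack buffer. The script checks for an RTF header and flags any `pFragments` property whose value holds an unusually long hex run. The two RTF documents embedded in it are constructed for the example and are not bytes from the real sample.

```python
"""Triage script for RTF files: flag oversized pFragments hex data (CVE-2010-3333 pattern).

Added example, not from the original post. Sample RTF content below is constructed.
"""
import re
import sys

# Constructed benign document: a font table and one paragraph of text.
BENIGN_RTF = rb"{\rtf1\ansi{\fonttbl{\f0 Times;}}\f0 My thoughts on the jasmine flower.\par}"

# Constructed suspicious document: a shape whose pFragments property carries
# 2400 hex characters, far more than legitimate fragment data needs.
EVIL_RTF = rb"{\rtf1{\shp{\sp{\sn pFragments}{\sv 1;" + b"4141" * 600 + rb";}}}}"

# {\sn pFragments}{\sv <value>} -- whitespace between tokens is tolerated because
# RTF writers (and attackers) may insert spaces or line breaks there.
PFRAGMENTS_RE = re.compile(rb"\{\\sn\s*pFragments\s*\}\s*\{\\sv\s*([^}]*)\}", re.IGNORECASE)
HEX_RUN_RE = re.compile(rb"[0-9A-Fa-f]+")


def triage_rtf(data: bytes, max_hex_len: int = 256) -> dict:
    """Return {'suspicious': bool, 'findings': [str, ...]} for one RTF blob.

    max_hex_len is a heuristic threshold (assumed here): a pFragments value with a
    longer contiguous hex run is treated as a likely CVE-2010-3333 trigger.
    """
    findings = []
    suspicious = False

    if not data.lstrip().startswith(b"{\\rtf"):
        findings.append("missing {\\rtf header")

    for match in PFRAGMENTS_RE.finditer(data):
        value = match.group(1)
        longest = max((len(run) for run in HEX_RUN_RE.findall(value)), default=0)
        if longest > max_hex_len:
            suspicious = True
            findings.append(
                f"pFragments value with {longest}-char hex run at offset {match.start()}"
            )
        else:
            findings.append(f"pFragments property present, hex run of {longest} chars")

    return {"suspicious": suspicious, "findings": findings}


def triage_file(path: str, max_hex_len: int = 256) -> dict:
    """Read a file from disk and triage it."""
    with open(path, "rb") as handle:
        return triage_rtf(handle.read(), max_hex_len)


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            result = triage_file(path)
            verdict = "SUSPICIOUS" if result["suspicious"] else "clean"
            print(f"{path}: {verdict}; " + "; ".join(result["findings"]))
    else:
        # No arguments: run against the constructed samples.
        for name, blob in (("benign", BENIGN_RTF), ("evil", EVIL_RTF)):
            print(name, triage_rtf(blob))
```

This is a triage aid, not a detector: RTF is a forgiving format, and real exploit documents hide the property behind nested groups, split control words, `\bin` data or other obfuscation that a single regular expression will miss. A hit is a reason to pull the file into a sandbox; a miss is not a clean bill of health.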