Mar 20 | 4:12 am (UTC-7) | by

On March 11, Regional TrendLabs in Japan found a zero-day exploit attack targeting Just System's well-known Japanese word processor, Ichitaro. The malware exploiting the vulnerability was observed arriving via spam and via malicious websites, using the Ichitaro file extension, .JTD.

The malware (TROJ_TARODROP.BA) drops a file named {random letters}.tmp (TROJ_DROPPER.PAO), which in turn drops another file named beer80.exe (TROJ_AGENT.KLQW).

What is notable about this scheme is that after TROJ_TARODROP.BA and TROJ_DROPPER.PAO have executed their routines, the second-stage Trojan (TROJ_DROPPER.PAO) creates non-malicious files and uses them to overwrite both itself and the initial TROJ_TARODROP.BA. Thus, when the user inspects the files after the infection is complete, all the user sees are legitimate Ichitaro files. This is a stealth technique applied by the malware.

Unknown to the user at that point, the final payload, TROJ_AGENT.KLQW, is already running on the system. This Trojan (TROJ_AGENT.KLQW) gathers the following information from the affected system and sends it to a remote site:

    • Computer Name
    • IP Address
    • Process ID of the legitimate process it injects into (svchost.exe)
    • OS version
    • Locale Information


Figure 1. The sleight of hand is performed by the second malware in line, TROJ_DROPPER.PAO.

According to Trend Micro researchers, the initial attack on Ichitaro happened in August 2006. Since then, every time a new Ichitaro vulnerability is found, cybercriminals can be expected to attempt to exploit it, and they do so with increasing social engineering savvy. Past attacks followed the same straightforward drill: the first malware exploits the vulnerability and the second one conducts the main routines, such as setting up autostart and dropping files. It is only recently (in 2008) that we have begun to see the additional overwriting trick meant to fool users.
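The drop-and-overwrite drill described above leaves a distinctive trail in process and file telemetry. The following detection logic, added here as an example and not part of the original post or any Trend Micro product, runs over constructed endpoint events: WORDPROC.EXE is a placeholder for the word processor's image, and the pipe-separated event format is assumed.

```python
from collections import namedtuple

Event = namedtuple("Event", "seq kind pid ppid image target")

# Constructed telemetry (not from the original post). The viewer path is a
# placeholder; file names mirror the chain described: a .tmp dropped by the
# viewer runs, drops beer80.exe, then rewrites itself and the opened .JTD.
SAMPLE_LOG = """\
1|proc_create|200|100|C:\\Apps\\WORDPROC.EXE|
2|file_open|200|100|C:\\Apps\\WORDPROC.EXE|C:\\Users\\u\\Downloads\\invite.jtd
3|file_write|200|100|C:\\Apps\\WORDPROC.EXE|C:\\Users\\u\\Temp\\qzkf.tmp
4|proc_create|300|200|C:\\Users\\u\\Temp\\qzkf.tmp|
5|file_write|300|200|C:\\Users\\u\\Temp\\qzkf.tmp|C:\\Users\\u\\Temp\\beer80.exe
6|proc_create|400|300|C:\\Users\\u\\Temp\\beer80.exe|
7|file_write|300|200|C:\\Users\\u\\Temp\\qzkf.tmp|C:\\Users\\u\\Downloads\\invite.jtd
8|file_write|300|200|C:\\Users\\u\\Temp\\qzkf.tmp|C:\\Users\\u\\Temp\\qzkf.tmp
9|file_write|200|100|C:\\Apps\\WORDPROC.EXE|C:\\Users\\u\\Downloads\\invite.jtd
"""


def parse_events(text):
    """One event per line: seq|kind|pid|ppid|image|target (target empty for proc_create)."""
    out = []
    for line in text.strip().splitlines():
        seq, kind, pid, ppid, image, target = line.split("|")
        out.append(Event(int(seq), kind, int(pid), int(ppid), image.lower(), target.lower()))
    return out


def detect(events):
    """Flag the three behaviours of the chain: drop-and-execute, overwrite of the
    opened document by a descendant process, and a running binary rewriting itself.
    A save by the viewer itself (event 9) is legitimate and must not alert."""
    image_of, parent_of, written_by, opened_by, alerts = {}, {}, {}, {}, []

    def descends(pid, ancestor):          # walk the recorded parent chain
        while pid in parent_of:
            pid = parent_of[pid]
            if pid == ancestor:
                return True
        return False

    for e in events:
        if e.kind == "proc_create":
            image_of[e.pid], parent_of[e.pid] = e.image, e.ppid
            if e.image in written_by:     # file written by a live process is now executing
                alerts.append(f"#{e.seq} drop-and-execute: pid {written_by[e.image]} wrote "
                              f"{e.image}, now running as pid {e.pid}")
        elif e.kind == "file_open":
            opened_by[e.target] = e.pid
        elif e.kind == "file_write":
            if e.target == image_of.get(e.pid):
                alerts.append(f"#{e.seq} self-overwrite: pid {e.pid} rewrote its own image {e.target}")
            opener = opened_by.get(e.target)
            if opener is not None and opener != e.pid and descends(e.pid, opener):
                alerts.append(f"#{e.seq} document-overwrite: descendant pid {e.pid} rewrote "
                              f"{e.target}, opened by pid {opener}")
            written_by[e.target] = e.pid
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```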

    Previous Ichitaro-related attacks include the following:

    • New Ichitaro zero-day exploit discovered
    • Ichitaro Exploited Anew
    • A Closer Look at Ichitaro

    Information on this vulnerability, as well as the patch provided by Just System, can be found on their website.

    Read the Japanese writeup of this attack from the Japanese Malware Blog.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice