Trend Micro TrendLabs Malware Blog
October 2014
    The popular Japanese word processor Ichitaro is no stranger to threats, particularly exploits that take advantage of the software's vulnerabilities. We have been reporting malware that targets Ichitaro's security flaws since 2007.

    This time, however, we uncovered an attack that employs an old trick, one that Microsoft Office itself was previously vulnerable to (CVE-2011-1980). When an application starts or opens a document, it typically loads several .DLL files. If it asks for a DLL by file name alone, Windows probes a fixed sequence of directories, which includes the current directory (for a document opened from Explorer, the folder the document is in) as well as folders such as the System folder, and loads the first copy it finds.

    An attacker can take advantage of this to make an application load a malicious DLL in place of the legitimate one; this particular technique is known as DLL preloading (also called DLL search-order hijacking or binary planting). The samples we found refer to the DLL only by its file name, so Windows searches the folder the document was opened from before the other locations where the real copy might live. The planted copy wins only if no copy of the same DLL is found in a directory that is searched earlier. While this weakness could also be used to load a malicious DLL from a remote share, that was not the case here.
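    The following model, added here as an example and not code from the original post or from Trend Micro, encodes the Win32 search order that the paragraph above describes and shows why a bare file name is hijackable while a fully qualified path or a restricted default search is not. Every directory, the layout of the extracted attachment and the location of the legitimate DLL are constructed for illustration; only the name JSMISC32.DLL and the .jtd extension come from the post.

```python
"""Model of how Windows resolves a DLL requested by bare file name, the
behaviour the post describes as DLL preloading.

Added example, not code from the original post or from Trend Micro. Every
directory, the layout of the extracted attachment and the location of the
legitimate DLL are constructed here for illustration; only the name
JSMISC32.DLL and the .jtd extension come from the post.
"""
from dataclasses import dataclass
from typing import List, Optional, Set
import ntpath


@dataclass
class Host:
    app_dir: str          # directory the application's EXE was loaded from
    cwd: str              # current directory; for a document opened from Explorer, its folder
    system_dir: str       # %SystemRoot%\System32
    system16_dir: str     # %SystemRoot%\System (16-bit system directory)
    windows_dir: str      # %SystemRoot%
    path_dirs: List[str]  # entries of %PATH%
    files: Set[str]       # constructed file system: lower-cased full paths that exist
    safe_search: bool = True  # SafeDllSearchMode registry value; 1 is the default

    def exists(self, path: str) -> bool:
        return path.lower() in self.files


def search_order(host: Host, restricted: bool = False) -> List[str]:
    """Directories probed, in order, for a bare DLL name.

    restricted=True models SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS):
    only the application directory and System32 (plus anything registered with
    AddDllDirectory, not modelled here) are searched; cwd and PATH are never consulted.
    """
    if restricted:
        return [host.app_dir, host.system_dir]
    if host.safe_search:
        return [host.app_dir, host.system_dir, host.system16_dir,
                host.windows_dir, host.cwd, *host.path_dirs]
    # SafeDllSearchMode disabled: the current directory moves up to second place.
    return [host.app_dir, host.cwd, host.system_dir, host.system16_dir,
            host.windows_dir, *host.path_dirs]


def resolve_dll(host: Host, name: str, restricted: bool = False) -> Optional[str]:
    """Return the path Windows would load for `name`, or None if nothing is found.

    A fully qualified name is not searched at all: that is why loading by
    full path defeats a copy planted beside the document.
    """
    if ntpath.isabs(name) or ntpath.dirname(name):
        return name if host.exists(name) else None
    for directory in search_order(host, restricted):
        candidate = ntpath.join(directory, name)
        if host.exists(candidate):
            return candidate
    return None


DOC_DIR = r"C:\Users\victim\Downloads\attachment"  # where the archive was extracted (constructed)
LEGIT_DLL = r"C:\JustSystems\Shared\JSMISC32.DLL"  # hypothetical home of the real DLL, on PATH


def build_scenario(safe_search: bool = True) -> Host:
    """Constructed layout: the attacker's JSMISC32.DLL sits beside the two .jtd
    documents, and the real DLL lives in a directory that is searched later."""
    return Host(
        app_dir=r"C:\Program Files\Ichitaro",  # placeholder path, not the real install location
        cwd=DOC_DIR,
        system_dir=r"C:\Windows\System32",
        system16_dir=r"C:\Windows\System",
        windows_dir=r"C:\Windows",
        path_dirs=[r"C:\Windows\System32", ntpath.dirname(LEGIT_DLL)],
        files={p.lower() for p in (
            LEGIT_DLL,
            ntpath.join(DOC_DIR, "document1.jtd"),
            ntpath.join(DOC_DIR, "document2.jtd"),
            ntpath.join(DOC_DIR, "JSMISC32.DLL"),  # planted copy
        )},
        safe_search=safe_search,
    )


def demo() -> dict:
    """Which copy gets loaded under each loading strategy."""
    return {
        "bare name, SafeDllSearchMode on": resolve_dll(build_scenario(True), "JSMISC32.DLL"),
        "bare name, SafeDllSearchMode off": resolve_dll(build_scenario(False), "JSMISC32.DLL"),
        "bare name, restricted search": resolve_dll(build_scenario(True), "JSMISC32.DLL", restricted=True),
        "full path": resolve_dll(build_scenario(True), LEGIT_DLL),
    }


if __name__ == "__main__":
    for strategy, loaded in demo().items():
        print(f"{strategy:36s} -> {loaded}")
```

    With either SafeDllSearchMode setting the planted copy in the document folder is what gets loaded, because the real DLL is only reached via PATH. The restricted search fails closed (nothing is found), which is the point: an application that opts in must then supply the real location with a full path or AddDllDirectory, and a copy dropped next to a document is never considered.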

    The attack arrives as a malicious compressed file attached to an email message. Inside the archive are two Ichitaro documents and a file named JSMISC32.DLL. Because of the behaviour described above, Ichitaro loads the modified DLL (detected as PTCH_ETUMBOT.AV) as soon as the user opens either document from the extracted folder. We have been detecting this DLL file and its subsequent payload since January of this year.
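    A mail-gateway or sandbox triage check for this delivery pattern, added here as an example and not code from the original post or from Trend Micro: it flags any archive folder that holds documents together with a loadable library, since the planted DLL has to sit in the very folder the document is opened from. The archive it inspects is built from placeholder bytes and contains no real Ichitaro document and no real DLL; JSMISC32.DLL is the only name taken from the post, and the extension lists are a starting point rather than a complete inventory.

```python
"""Mail-gateway style triage for the delivery pattern in the post: an archive
whose members include documents and a loadable library in the same folder.

Added example, not code from the post or from Trend Micro. The archive built
below is constructed from placeholder bytes and contains no real Ichitaro
document and no real DLL; JSMISC32.DLL is the only name taken from the post.
"""
import io
import ntpath
import zipfile
from typing import Dict, List, Set

# Extensions that open in a document application and therefore make the
# document's folder the current directory. Starting point; extend as needed.
DOCUMENT_EXTS: Set[str] = {".jtd", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf"}
# Extensions Windows will load as code through the DLL search path.
LIBRARY_EXTS: Set[str] = {".dll", ".ocx", ".cpl", ".drv"}


def list_members(archive: bytes) -> List[str]:
    """File members of a zip held in memory (directory entries skipped)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [info.filename for info in zf.infolist() if not info.is_dir()]


def group_by_folder(names: List[str]) -> Dict[str, List[str]]:
    """Map each folder inside the archive to the base names it contains."""
    folders: Dict[str, List[str]] = {}
    for name in names:
        folder, base = ntpath.split(name.replace("/", "\\"))
        folders.setdefault(folder.lower(), []).append(base)
    return folders


def find_dll_beside_documents(names: List[str],
                              watched: Set[str] = frozenset({"jsmisc32.dll"})) -> List[dict]:
    """Flag every library that shares a folder with at least one document.

    Preloading needs the planted DLL in the directory the document is opened
    from, so the check is folder-by-folder rather than archive-wide. A library
    whose name is in `watched` (names already seen abused; here the one from the
    post) is rated high, any other document/library pairing medium.
    """
    findings: List[dict] = []
    for folder, bases in group_by_folder(names).items():
        docs = sorted(b for b in bases if ntpath.splitext(b)[1].lower() in DOCUMENT_EXTS)
        libs = [b for b in bases if ntpath.splitext(b)[1].lower() in LIBRARY_EXTS]
        if not docs:
            continue
        for lib in libs:
            findings.append({
                "library": ntpath.join(folder, lib),
                "documents": docs,
                "severity": "high" if lib.lower() in watched else "medium",
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed attachment mirroring the post's description: two .jtd files
    plus JSMISC32.DLL in one folder, and an unrelated text file elsewhere."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invitation/schedule.jtd", b"placeholder, not a real Ichitaro document")
        zf.writestr("invitation/venue.jtd", b"placeholder, not a real Ichitaro document")
        zf.writestr("invitation/JSMISC32.DLL", b"placeholder, not a real PE file")
        zf.writestr("readme.txt", b"benign text outside the document folder")
    return buf.getvalue()


def triage(archive: bytes) -> List[dict]:
    """Run the folder check over an in-memory zip attachment."""
    return find_dll_beside_documents(list_members(archive))


if __name__ == "__main__":
    for finding in triage(build_sample_archive()):
        print(f"{finding['severity']:6s} {finding['library']} "
              f"alongside {', '.join(finding['documents'])}")
```

    The check deliberately ignores a DLL that lands in a different folder from the documents, because Windows never looks there for a document that is opened elsewhere; the readme.txt in the sample shows that unrelated members in other folders do not trigger a finding.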

    On cursory examination, the malicious DLL appears to be a normal file:


    Figure 1. Screenshot of modified JSMISC32.DLL file

    Closer analysis, however, shows that the file has been patched with code that loads a specific .JTD file (detected as BKDR_ANONY.AC). Because of this patch, the .JTD file is loaded each time Ichitaro starts. But what is the real nature of this file?


    Figure 2. Code of the modified .DLL file


    Figure 3. Malicious .JTD file using Ichitaro icon

    At first sight this .JTD looks harmless and carries the regular Ichitaro document icon. A closer look reveals that this file (BKDR_ANONY.AC), once loaded by the patched DLL, connects to specific URLs to report the successful infection to a remote operator. It then waits for instructions from that operator and also downloads encrypted files from the same sites. Trend Micro Smart Protection Network™ protects users from this threat by blocking the related email message and detecting the malware cited in this post.

    The attack may sound simple, but its simplicity is its main strength. To avoid it, we advise users to be cautious when opening email messages, to avoid downloading or executing files attached to them, and to be especially wary of archives that bundle documents together with .DLL files.






    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice