After the Tunisian Revolution, also called the Jasmine Revolution by many media organizations, in late 2010 or in early 2011, “Jasmine” became a hot word in China.
Last week, a friend of mine in China received an email message with an .RTF attachment entitled, “My thoughts on the jasmine flower (the language of the document is Chinese).” He had no idea who the sender was. When he opened the document and read its contents, to his surprise, the document’s author tried to persuade him to join a demonstration called the Jasmine Revolution. He was even more surprised when he found out later that his PC was infected with a backdoor program.
After checking the .RTF file, I figured out that this sample tries to exploit CVE-2010-3333—an old stack-based buffer overflow vulnerability in Microsoft Word. By crafting a malformed .RTF file, the attacker may execute arbitrary code on a user’s machine. One of my colleagues here in Trend Micro already reported a malware sample exploiting this vulnerability late last year. This vulnerability was already patched by Microsoft a month before that through MS10-087.
This is now detected as TROJ_ARTIEF.KER. Below is a snippet of the crafted data, including part of the shellcode. The data is hex encoded. Here, we can see a familiar address, 7ffa4512, which is often used as a jmp-esp address in buffer overflow attacks.
The payload is a .PE file detected as BKDR_IRCBOT.KER, which is embedded in the .RTF file. When the shellcode is executed, it will try to get the file handle to the .DOC file by enumerating all possible handle values starting from 0x4 until it finds a file with the right size (0x24C00 bytes). It then reads the embedded payload with the file handle and drops the payload into the temp folder.
After successful exploitation and in order to further trick the victim, a normal .DOC file is opened and, as I mentioned at the beginning of this entry, the content of the normal file has something to do with the Jasmine Revolution. Below are some of the slogans the demonstrators use, which include “we need food,” “we need work,” “we need house,” “we need freedom,” and “we need justice.”
This attack is very similar to one we saw in 2008 wherein documents—Excel and PowerPoint files—related to the Tibet conflict were used to disguise exploits.
Users who encounter email messages similar to the one I described here are strongly advised not to open the attachments but instead delete the messages.