
How Word's Zero Day works.

May 22nd, 2006 by Patrick S

There’s been quite a lot of buzz about the new 0-day Word vulnerability.

While talking about details of the vulnerability, it’s easy to forget what the vulnerability was actually used for.

According to the information we have, a US-based company was targeted with emails that were sent to the company from the outside but were spoofed to look like internal emails.

The emails contained a Word DOC file as an attachment. DOCs are a nasty attack vector. A few years ago, when macro viruses were the number one problem, many companies were not allowing native DOC files through their email gateways. Now that has changed, and DOCs typically get through just fine. But Word has vulnerabilities, and users typically don’t install Word patches nearly as well as Windows patches.

When run, the exploit file ran a backdoor, hid it with a rootkit and allowed unrestricted access to the machine for the attackers, operating from a host registered under the Chinese domain. is a free host bouncing service in China. Anybody can register any host name under (like and the service will point that hostname to any IP address you want. There’s actually a series of such services, including,,, and There are tons of useful things you can do with such host-resolving service. And tons of bad things too.

So, should you block access to hosts under, and others? Depends. It’s kind of like blocking access to Geocities: you’d block lots of bad stuff – and lots of good stuff. But then again, most users of these services are in China. If you’re not in China and your users are not supposed to access different Chinese services, blocking might not break too many things.

We’d recommend you’d at least check your company’s gateway logs to see what kind of traffic you have to such services.
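One way to carry out that log check, as an added example that is not part of the original post or F-Secure's text: it parses Squid-style gateway access-log lines and reports which clients contacted hosts under a list of watched dynamic-DNS suffixes. The log lines are constructed and the suffixes are placeholders to be replaced with the services you decide to watch.

```python
# Flag gateway-log requests to hosts under dynamic-DNS ("host bouncing") suffixes.
# Added example, not from the original post. Log format and suffix list are
# assumptions: constructed Squid-style lines, placeholder suffixes.
from collections import defaultdict
from urllib.parse import urlsplit

# Placeholder suffixes (constructed); replace with the services you decide to watch.
WATCHED_SUFFIXES = ("dyn-example.invalid", "bounce-example.invalid")

# Constructed lines: time elapsed client code/status bytes method url ident
SAMPLE_LOG = """\
1148256000.123 45 10.0.0.12 TCP_MISS/200 812 GET http://update.host1.dyn-example.invalid/cmd -
1148256001.456 12 10.0.0.12 TCP_MISS/200 640 POST http://cc.bounce-example.invalid:8080/in -
1148256002.789 30 10.0.0.31 TCP_MISS/200 5012 GET http://www.example.com/news -
1148256003.000 20 10.0.0.31 TCP_MISS/200 300 GET http://notdyn-example.invalid/ -
1148256004.000 20 10.0.0.44 TCP_TUNNEL/200 1200 CONNECT mail.host2.dyn-example.invalid:443 -
"""

def host_of(url: str) -> str:
    """Bare lowercase hostname from a log URL, or from a CONNECT host:port entry."""
    if "://" not in url:
        url = "//" + url  # CONNECT entries carry host:port only
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def matched_suffix(host: str, suffixes=WATCHED_SUFFIXES):
    """Watched suffix the host falls under, or None. Matches on label boundaries,
    so 'notdyn-example.invalid' does not match 'dyn-example.invalid'."""
    for suffix in suffixes:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None

def scan_log(text: str, suffixes=WATCHED_SUFFIXES) -> dict:
    """Map each watched suffix to {host: sorted client IPs} seen in the log."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or malformed line
        client, host = fields[2], host_of(fields[6])
        suffix = matched_suffix(host, suffixes)
        if suffix:
            hits[suffix][host].add(client)
    return {s: {h: sorted(c) for h, c in hs.items()} for s, hs in hits.items()}

if __name__ == "__main__":
    for suffix, hosts in scan_log(SAMPLE_LOG).items():
        print(suffix)
        for host, clients in hosts.items():
            print(f"  {host} <- {', '.join(clients)}")
```

A hit on a CONNECT entry (port 443) is worth the same attention as a plain GET, since the proxy only sees the destination host for tunnelled traffic.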

Source straight from F-secure Weblog


This entry was posted on Monday, May 22nd, 2006 at 12:27 am and is filed under Office 2007, Security.
