Have you ever heard of the bug known as CVE-2015-1641? If you work in IT security then you probably have, but even professionals have a hard time keeping up with all the bugs, vulnerabilities and issues that have to be dealt with on a daily basis. As an in-house IT expert, knowing it all is impossible. That is when you need to learn to lean on quality tools to help you fish out problems before they happen. The bug mentioned above is a Microsoft Word hole exploit that was patched in April 2015, yet it is still dangerous for anyone who has not applied the patch. Outlook spam of this nature is often opened by employees and results in infection.
Word Based Attacks
As a cyber-security IT specialist you realize that it does not matter how vigilant you are or how good your firewalls are: attacks that are Word or email based simply bypass your tools because they rely on human error. This Word hole attack uses an exploit in Word that allows an executable payload to be transmitted inside a Word document. As most employees would not know about this danger, they may open a Word document just to see what it is. Because it was delivered to their Outlook spam folder, they may think it was an internal email that got misplaced.
The file attached to the email does look like a Word file, and the file name often even ends in ".doc", when in fact it is in Rich Text Format (RTF). An RTF file allows an attacker to package multiple parts within one file. The component that gives these files away as an attack often looks like the one below:
- Part 5: 1lsFES%$#^lkajdw$#)^#…
The breakdown shows four parts of the file carrying object class identifiers that mark them as Word documents, while this last part is in fact a BLOB (Binary Large Object). This tacked-on part is ignored by Word.
The fifth part of the file includes various items that help mask the attack. One of the first things it does is load an ActiveX DLL, which in turn loads another DLL whose location is not randomized, giving the attacker an exact address for their code. The BLOB part of the file contains the executable that the attacker wants to run, while a third part contains the data that triggers the actual Word hole exploit, giving the attacker unauthorized access to memory.
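Added here as a defender's example (not code from the original post): a small Python checker that flags the two giveaways described above, a file named ".doc" whose bytes are really RTF, and an embedded object that carries no object class but an unusually large hex blob. The sample RTF, the object layout and the 1 KB blob threshold are constructed for illustration.

```python
import re
from pathlib import Path

# Constructed sample: named like a Word .doc, but the content is RTF with four
# objects that declare a Word object class and a fifth, untyped object holding
# a large hex blob. Synthetic content, not a real document.
SAMPLE_RTF = (
    rb"{\rtf1\ansi"
    + b"".join(
        rb"{\object\objemb{\*\objclass Word.Document.8}{\*\objdata 0105000002000000}}"
        for _ in range(4)
    )
    + rb"{\object\objemb{\*\objdata " + b"d0cf11e0" * 600 + rb"}}"
    + rb"}"
)

OLE_DOC_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # genuine binary .doc (OLE CFB) header
RTF_MAGIC = b"{\\rt"                                 # RTF files start with "{\rtf"

# Each embedded object: "{\object ... \objdata <hex>" (RTF stores object bytes as hex).
OBJECT_RE = re.compile(rb"{\\object(.*?)\\objdata\s*([0-9a-fA-F\s]*)", re.DOTALL)
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^}\\]+)")


def analyze(name: str, data: bytes, blob_threshold: int = 1024) -> dict:
    """Report extension/content mismatch and untyped, oversized embedded objects."""
    ext = Path(name).suffix.lower()
    is_rtf = data.lstrip().startswith(RTF_MAGIC)
    is_ole = data.startswith(OLE_DOC_MAGIC)
    objects = []
    for header, hexdata in OBJECT_RE.findall(data):
        cls = OBJCLASS_RE.search(header)
        decoded_len = len(re.sub(rb"\s", b"", hexdata)) // 2  # bytes once hex-decoded
        objects.append({
            "objclass": cls.group(1).strip().decode("latin-1") if cls else None,
            "size": decoded_len,
        })
    findings = []
    if ext == ".doc" and is_rtf and not is_ole:
        findings.append("extension .doc but content is RTF")
    for i, obj in enumerate(objects, 1):
        if obj["objclass"] is None and obj["size"] >= blob_threshold:
            findings.append(f"object {i}: untyped blob of {obj['size']} bytes")
    return {"is_rtf": is_rtf, "objects": objects, "findings": findings}


if __name__ == "__main__":
    for line in analyze("invoice.doc", SAMPLE_RTF)["findings"]:
        print(line)
```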
Many attackers have delivered malware through this exploit, including Toshliph and UWarrior. Toshliph is essentially just a malware downloader, giving attackers the ability to keep downloading more malware onto your system without having to go through the Outlook spam route again. UWarrior, on the other hand, is a backdoor that gives criminals, hackers and anyone else who knows about it complete remote control of the computer.
The most important issue when dealing with Outlook spam is ensuring that you do not become a target of one of these vulnerabilities. Criminal organizations have gotten better at organizing attacks to coincide very shortly after these vulnerabilities become public. Keeping current on your software patches and keeping your antivirus tools up to date is the only thing that will protect your company.