A targeted attack exploiting the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333) has been spotted. An email carrying a file attachment named Laden's Death.doc was sent individually to many recipients.
File information
File: Laden's Death.doc
File size: 163065 bytes
MD5: dad4f2a0f79db83f8976809a88d260c5
SHA1: d563029a2dfe3cfcddc7326b1b486213095e58e5
SHA256: 4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342
File extension: .doc
Distribution method: email
VirusTotal detection rate: 16 of 41
The vulnerability exploited by this malware was patched last November in MS10-087.
According to VirusTotal 16 of 41 antiviruses recognize this file as a threat (http://www.virustotal.com/file-scan/report.html?id=4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342-1304649567).
The email was sent from a Lotus Notes mail server (IP 220.228.120.6) which most likely was compromised.
Message body
Tue, 03 May 2011 11:34:06 -0400 (EDT)
Source-IP: 220.228.120.62
Message-ID: <000c01cc0998$15c8ec70$0201a8c0@protech.com.tw>
From: XXXXXXXXXXXXXXXXXXX
To: XXXXXXXXXXXXXXXXXXX
Subject: FW: Courier who led U.S. to Osama bin Laden's hideout identified
Date: Tue, 3 May 2011 21:43:28 +0800
X-ASG-Orig-Subj: FW: Courier who led U.S. to Osama bin Laden's hideout identified
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0009_01CC09DB.23A97E20"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2929
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3168
This is a multi-part message in MIME format.
------=_NextPart_000_0009_01CC09DB.23A97E20
Content-Type: text/plain;
format=flowed;
charset="big5";
reply-type=original
Content-Transfer-Encoding: 7bit
To whom it may concern.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXX Signature spoofed XXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
------=_NextPart_000_0009_01CC09DB.23A97E20
Content-Type: application/octet-stream;
name="Laden's Death.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="Laden's Death.doc"
When the RTF file is opened, the exploit runs its shellcode, which creates and executes the file C:/RECYCLER/server.exe. This file performs the following actions:
- Creates a file named vmm2.tmp in the system's temporary folder
- Renames vmm2.tmp to dhcpsrv.dll and moves it into c:\windows\system32\
- Modifies the registry to run the hijacked DHCP service
File information on malicious c:\windows\system32\dhcpsrv.dll
File: dhcpsrv.dll
File size: 44504 bytes
MD5: 06ddf39bc4b5c7a8950f1e8d11c44446
SHA1: b8c11c68f3e92b60cc4b208bd5905c0365f28978
SHA256: bb854e8e5a3799d0c1dac65a4cc963265034a04007862aabf281e0f31dbc386a
File extension: .dll
Distribution method: dropped by Exploit:W32/Cve-2010-3333.G
VirusTotal detection rate: 13 of 42
After a successful start the Trojan tries to resolve the following domains:
Domain                   | Port/Protocol
checkerror.ucparlnet.com | 80/TCP
ssi.ucparlnet.com        | 80/TCP
picture.ucparlnet.com    | 443/TCP
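As an added example for defenders (not part of the original analysis), the script below checks files against the SHA256 values given above and scans DNS query log lines for the three C2 hosts; the log line format and the sample lines are constructed assumptions, not output from the campaign.

```python
import hashlib
import re
from pathlib import Path

# SHA256 values taken from the analysis above (dropper document and dropped DLL).
KNOWN_BAD_SHA256 = {
    "4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342":
        "Laden's Death.doc (CVE-2010-3333 RTF dropper)",
    "bb854e8e5a3799d0c1dac65a4cc963265034a04007862aabf281e0f31dbc386a":
        "dhcpsrv.dll (trojanised DHCP service DLL)",
}
# Hosts the trojan resolves after start (from the domain table above).
C2_DOMAINS = {"checkerror.ucparlnet.com", "ssi.ucparlnet.com", "picture.ucparlnet.com"}

def classify_hash(digest):
    """Label for a known-bad SHA256 (any letter case), or None if unknown."""
    return KNOWN_BAD_SHA256.get(digest.lower())

def scan_files(paths):
    """Hash each existing file in `paths`; return [(path, label)] for hits."""
    hits = []
    for p in map(Path, paths):
        if p.is_file():  # whole-file read is fine: the dropped DLL is ~44 KB
            label = classify_hash(hashlib.sha256(p.read_bytes()).hexdigest())
            if label:
                hits.append((str(p), label))
    return hits

# Constructed log format (assumption): "<timestamp> <client-ip> query <name>".
_DNS_LINE = re.compile(r"^\S+\s+(?P<client>\S+)\s+query\s+(?P<name>\S+)$")

def scan_dns_log(lines):
    """Return [(client_ip, domain)] for every query to a listed C2 host."""
    hits = []
    for line in lines:
        m = _DNS_LINE.match(line.strip())
        if m:
            name = m.group("name").rstrip(".").lower()  # drop FQDN dot, fold case
            if name in C2_DOMAINS:
                hits.append((m.group("client"), name))
    return hits

# Constructed sample log lines for a stand-alone run.
SAMPLE_DNS_LOG = [
    "2011-05-03T11:40:01 10.0.0.15 query www.example.com.",
    "2011-05-03T11:40:07 10.0.0.15 query checkerror.ucparlnet.com.",
    "2011-05-03T11:40:09 10.0.0.22 query PICTURE.ucparlnet.com",
]
```

A hash hit on c:\windows\system32\dhcpsrv.dll or a DNS hit on any of the three hosts is a strong sign the host ran the dropper.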
We advise all users to install the patches from MS10-087.
A description of the vulnerability, along with links to the patches, can be found here: http://www.naked-security.com/nsa/198110.htm