Softpedia
April 5th, 2007, 09:38 GMT · By

Chinese Hackers Make Available Microsoft Exploit Building Tool

SHARE:

Adjust text size:



Enlarge picture
Not a hacker? No problem! Not even technically skilled? Again, no problem. "2007 Doc Binder" will do all the work for you! Exploiting vulnerabilities across Microsoft products has never been easier. According to Symantec, the number of samples of Trojan.Mdropper.X is through the roof. A malware family usually numbers somewhere in the vicinity of five distinct samples; Trojan.Mdropper.X has more than 30. All Trojan.Mdropper.X samples target the Word Malformed Data Structures Vulnerability (CVE-2006-6456), which Microsoft patched on February 13, 2007.

At the basis of the Trojan.Mdropper.X expansion is none other than the "2007 Doc Binder," a Chinese toolkit that enables users to build Microsoft Word samples that exploit the CVE-2006-6456 flaw.

"The attacker has only to bind an executable such as Backdoor or an Infostealer trojan, and the tool will do the rest. It will create a malicious MS Word file that can drop and run the chosen .exe file. No need to analyze buffer overflows, find return addresses, or program complicated shellcode. Zero knowledge, maximum result, and minimal effort. Using this tool, an attacker could potentially generate several variants of malicious documents in a few minutes and spam them out immediately," revealed Elia Florio, Symantec Security Response Engineer.

Symantec has issued an additional warning: while these exploits are indeed generated automatically, some recent samples found in the wild had been manually patched and altered in order to evade detection by security software. From this, Symantec concludes that an evolved version of the "2007 Doc Binder" tool has become available.

"We observed that the samples generated by this tool have the shellcode located usually around offset 0x16730. The shellcode starts with the magic value of "C!29" (0x43213239), which is a kind of static marker used by the exploit. The executable is encrypted with a trivial XOR and is appended at the end of the .doc file. The generic detection for the Trojan.Mdropper.X family is currently detecting all the files generated by this tool," Florio added.
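The traits Florio describes (a static "C!29" marker near offset 0x16730 inside an OLE compound file, and an appended blob after the document proper) are exactly what a triage script can key on. The following detector is an added example written for this article; it is not Symantec's code and not the tool's. It looks for the marker at a distance from the reported offset (the 0x2000 tolerance is an assumption of mine), reads the sector size from the compound-file header, and flags a file whose length is not sector-aligned, since a clean compound file ends on a sector boundary while an appended payload usually does not (a heuristic, not a guarantee). The sample input is constructed inline: a zero-filled fake document with the marker placed at the typical offset and a short XOR-masked placeholder appended; it contains no exploit.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # compound-file (OLE2) signature
MARKER = b"C!29"           # 0x43213239, the static marker reported by Symantec
EXPECTED_OFFSET = 0x16730  # typical shellcode location reported by Symantec
OFFSET_SLACK = 0x2000      # assumption: how far from the typical offset still counts as "around"


def ole_sector_size(data):
    """Return the sector size declared in the compound-file header, or None if not OLE."""
    if len(data) < 512 or not data.startswith(OLE_MAGIC):
        return None
    shift = struct.unpack_from("<H", data, 0x1E)[0]   # sector shift: 9 -> 512 bytes, 12 -> 4096
    return 1 << shift


def trailing_bytes(data):
    """Bytes past the last whole sector. A compound file is sector-aligned, so a
    non-zero remainder hints at data appended after the document (heuristic)."""
    sec = ole_sector_size(data)
    if sec is None:
        return None
    return len(data) % sec


def scan_doc(data):
    """Triage one .doc byte string and return the indicators found."""
    findings = {
        "is_ole": ole_sector_size(data) is not None,
        "marker_offsets": [],
        "marker_near_expected": False,
        "trailing_bytes": trailing_bytes(data),
    }
    pos = data.find(MARKER)
    while pos != -1:
        findings["marker_offsets"].append(pos)
        if abs(pos - EXPECTED_OFFSET) <= OFFSET_SLACK:
            findings["marker_near_expected"] = True
        pos = data.find(MARKER, pos + 1)
    # The marker alone is the strong signal; trailing bytes corroborate it.
    findings["suspicious"] = findings["is_ole"] and findings["marker_near_expected"]
    return findings


def _fake_header():
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<H", header, 0x1E, 9)   # declare 512-byte sectors
    return header


def build_clean_sample():
    """Constructed input: a sector-aligned fake document with no marker."""
    return bytes(_fake_header() + bytearray(0x16800 - 512))   # 0x16800 = 180 sectors


def build_constructed_sample():
    """Constructed input mimicking the described layout: marker at the typical
    offset plus a short, XOR-masked placeholder appended after the last sector.
    The key 0x5A and the placeholder text are made up for the test."""
    doc = _fake_header() + bytearray(0x16800 - 512)
    doc[EXPECTED_OFFSET:EXPECTED_OFFSET + 4] = MARKER
    key = 0x5A
    appended = bytes(b ^ key for b in b"MZ constructed payload placeholder")
    return bytes(doc + appended)


if __name__ == "__main__":
    for name, blob in (("clean", build_clean_sample()),
                       ("constructed", build_constructed_sample())):
        print(name, scan_doc(blob))
```

On real files the script is run over a directory of .doc attachments and the `suspicious` flag plus `trailing_bytes` are what go into the ticket; a non-zero remainder on its own is only a lead, because some legitimate writers leave trailing bytes too.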
