Feb 25, 2011 16:21 GMT

Security researchers from Symantec warn of highly targeted attacks that leverage the crisis in Libya to deliver an exploit via email and infect key computers.

The emails pose as replies to previous messages about the current situation in the Arab country and bear subjects like "Re: DISCUSSION - the final battle in Libya?"

Their body contains a very short message reading "I agree with this point"; however, a formatting error causes a broken </html tag to also appear at the end.

The short message has the purpose of diverting recipients' attention towards the attached document called "EconomicStakes in Libya's Crisis.doc".

If opened, the document tries to exploit an Office RTF stack buffer overflow vulnerability, identified as CVE-2010-3333 and patched by Microsoft back in November.

Successful exploitation allows the attacker to execute arbitrary code on the system. In this case a piece of malware is installed.

According to Symantec, the attacks intercepted by the company targeted 27 individuals within six different organizations involved in human rights activism, humanitarian aid or the analysis of foreign affairs and economic development.

"In most cases, the email headers were spoofed to appear to come from the same domain as the recipient, a familiar social engineering technique used in so-called 'spear phishing' attacks. This approach tries to trick the recipient into believing the email was sent from someone internally," Symantec's Jo Hurcombe explains.

The emails were sent from an IP address in Romania; however, the body encoding is set to Chinese Traditional. Microsoft first began seeing CVE-2010-3333 exploited in the wild back in December in Russian-language email attacks.
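The traits reported above can be turned into a mail-gateway triage check. The following is an added example, not code from Symantec or from the original article: it flags a message whose From domain matches the recipient's while the connecting IP is external, a .doc attachment whose bytes are actually RTF, and a Big5 body charset. Assumptions: the internal relay range, the sample message, all names in it, and the use of Big5 as the charset label for Chinese Traditional.

```python
import ipaddress, re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Assumption: address ranges of the organization's own mail relays.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample: harmless text, documentation-only names and addresses.
SAMPLE = (
    b"Received: from relay.example.net ([203.0.113.7]) by mx.ngo.example\r\n"
    b"From: colleague@ngo.example\r\nTo: analyst@ngo.example\r\n"
    b"Subject: Re: DISCUSSION\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b'--b1\r\nContent-Type: text/html; charset="big5"\r\n\r\n'
    b"I agree with this point\r\n"
    b"--b1\r\nContent-Type: application/msword\r\n"
    b'Content-Disposition: attachment; filename="sample.doc"\r\n\r\n'
    b"{\\rtf1 constructed harmless text}\r\n--b1--\r\n")

def domain(value):
    """Lower-cased domain of the first address in a header value."""
    return parseaddr(str(value or ""))[1].rpartition("@")[2].lower()

def connecting_ip(msg):
    """IP literal in the topmost Received header (stamped by the receiving MTA)."""
    hops = msg.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hops[0])) if hops else None
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None

def triage(raw):
    """Return the list of suspicious traits found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    ip = connecting_ip(msg)
    sender = domain(msg["From"])
    if sender and sender == domain(msg["To"]) and ip \
            and not any(ip in net for net in INTERNAL_NETS):
        findings.append("own-domain sender from external IP")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".doc"):
            data = part.get_payload(decode=True) or b""
            if data.lstrip().startswith(b"{\\rtf"):  # RTF magic under a .doc name
                findings.append("RTF content in .doc attachment")
        elif part.get_content_maintype() == "text" \
                and (part.get_content_charset() or "").lower() == "big5":
            findings.append("Big5 body charset")  # weak signal on its own
    return findings
```

The Big5 finding is only meaningful in combination with the other two, since it is a legitimate charset for many senders.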

Spear phishing techniques are commonly used to penetrate the defenses of companies, government institutions and non-profit organizations, generally with the purpose of stealing sensitive information.