May 5, 2011 18:38 GMT  ·  By

Security researchers warn that many departments in the US government were targeted in an email attack using a bin Laden death theme and distributing malicious .doc files.

The rogue emails bear a subject of "Courier who led U.S. to Osama bin Laden's hideout identified" and carry a simple message reading "to whom it may concern."

The emails carry an attachment named "Laden's Death.doc" which, according to researchers from F-Secure, is actually an RTF file rigged with an exploit for a stack buffer overflow in Office's RTF parser (CVE-2010-3333), patched by Microsoft last November in bulletin MS10-087. Word opens a file based on its content rather than its extension, so the .doc name does nothing to protect the recipient.
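A check a mail gateway or an analyst could run for the pattern described above, a ".doc" attachment whose content is really RTF, as an added example in Python that is not part of the original article or of F-Secure's analysis. The magic bytes are the standard OLE2, ZIP and RTF headers; the sample byte strings are constructed for the example and are not the real attachment.

```python
"""Added example, not from the article: flag attachments whose container
format does not match their extension. The attachment described above is a
".doc" that is really RTF, which Word opens by content, not by extension."""
import os

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # binary .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.xlsx/.pptx
RTF_MAGIC = b"{\\rt"                               # Word accepts "{\rt" as an RTF header

EXPECTED_CONTAINER = {
    ".doc": "ole2", ".xls": "ole2", ".ppt": "ole2",
    ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
    ".rtf": "rtf",
}


def detect_container(data: bytes) -> str:
    """Identify the real container from the leading bytes."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.lstrip(b" \t\r\n").startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def classify_attachment(filename: str, data: bytes) -> dict:
    """Compare the format implied by the extension with the detected one."""
    ext = os.path.splitext(filename)[1].lower()
    expected = EXPECTED_CONTAINER.get(ext)
    actual = detect_container(data)
    if expected is None:
        verdict = "unhandled-extension"
    elif actual == expected:
        verdict = "ok"
    else:
        verdict = "mismatch"   # e.g. RTF content behind a .doc name
    return {"filename": filename, "expected": expected, "actual": actual, "verdict": verdict}


# Constructed samples, not the real attachment from the campaign.
SAMPLE_RTF_AS_DOC = (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Times New Roman;}}"
                     b"\\f0 to whom it may concern\\par}")
SAMPLE_REAL_DOC = OLE2_MAGIC + b"\x00" * 504   # first 512-byte header block only

if __name__ == "__main__":
    for name, blob in (("Laden's Death.doc", SAMPLE_RTF_AS_DOC),
                       ("report.doc", SAMPLE_REAL_DOC)):
        print(classify_attachment(name, blob))
```

A "mismatch" verdict is not proof of an exploit, since Word will happily open a benign RTF renamed to .doc, but it is exactly the discrepancy this campaign relied on and is cheap to quarantine and inspect before delivery.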

This is not the first time this vulnerability has been targeted: Microsoft warned about similar attacks exploiting it at the end of December.

In this case, a clean decoy document is also opened after the exploit runs, so that the victim sees nothing unusual. It contains information about Abu Ahmad al-Kuwaiti, the man believed to have led US intelligence agents to Osama bin Laden's location.

According to independent security researcher Mila Parkour, the rogue email messages were sent to many targets in the US Government on Wednesday.

If exploitation is successful, the shellcode installs a variant of the Protux trojan, which Microsoft describes as a backdoor that gives attackers remote access to and control over the infected machine.

The F-Secure researchers say the malware installs itself as dhcpsrv.dll under c:\windows\system32\ and hijacks the DHCP client service by modifying its registry configuration.

Hijacking a Windows service in this way is a persistence technique: once the service's registry entries point at the attacker's library instead of the legitimate one, the generic service host (svchost.exe) loads the backdoor at every boot inside a process that looks entirely normal. A DHCP client service configuration that points at anything other than the stock Windows library is therefore a useful indicator of compromise for this campaign.
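As an added example, not from the article or from F-Secure, a Python triage script that parses a regedit export of the DHCP client service's Parameters key and flags a ServiceDll value that does not point at the stock Windows library. The key path, the known-good DLL names (dhcpcsvc.dll on Windows XP, dhcpcore.dll on Vista and later) and the sample exports are assumptions and constructed data, not values taken from the article; the file name dhcpsrv.dll is the one F-Secure reported.

```python
"""Added example, not from the article or F-Secure: triage a regedit export of
the DHCP client service configuration for a hijacked ServiceDll value.
Assumptions (not from the article): the key path below, and that the stock
library is dhcpcsvc.dll (Windows XP) or dhcpcore.dll (Vista and later)."""
import ntpath
import re

DHCP_PARAMS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters"
KNOWN_GOOD_DLLS = {"dhcpcsvc.dll", "dhcpcore.dll"}   # assumption, see docstring
REPORTED_MALICIOUS = {"dhcpsrv.dll"}                  # file name reported by F-Secure
SYSTEM32_PREFIXES = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def parse_reg(text: str) -> dict:
    """Parse 'Windows Registry Editor Version 5.00' text into
    {key_path: {value_name: value}}. REG_SZ and REG_EXPAND_SZ (hex(2),
    UTF-16LE) values are decoded to str; other types are kept as raw text."""
    logical = []
    for raw in text.splitlines():
        line = raw.strip()
        # regedit wraps long hex values with a trailing backslash
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + line
        else:
            logical.append(line)

    keys, current = {}, None
    for line in logical:
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, val = m.group(1), m.group(2)
        if val.startswith('"') and val.endswith('"'):
            keys[current][name] = val[1:-1].replace("\\\\", "\\")
        elif val.startswith("hex(2):"):
            octets = bytes(int(h, 16) for h in val[len("hex(2):"):].split(",") if h)
            keys[current][name] = octets.decode("utf-16-le").rstrip("\x00")
        else:
            keys[current][name] = val
    return keys


def check_dhcp_service(reg_text: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    params = parse_reg(reg_text).get(DHCP_PARAMS_KEY)
    if params is None:
        return ["DHCP Parameters key not present in export"]
    dll = params.get("ServiceDll")
    if dll is None:
        return ["ServiceDll value missing"]
    findings = []
    name = ntpath.basename(dll).lower()
    if name in REPORTED_MALICIOUS:
        findings.append("ServiceDll is the file name reported for Protux: " + dll)
    elif name not in KNOWN_GOOD_DLLS:
        findings.append("ServiceDll is not the stock DHCP client library: " + dll)
    if not dll.lower().startswith(SYSTEM32_PREFIXES):
        findings.append("ServiceDll is loaded from outside System32: " + dll)
    return findings


def reg_expand_sz(value: str, width: int = 20) -> str:
    """Encode a string the way regedit exports REG_EXPAND_SZ: hex(2), UTF-16LE
    with a NUL terminator, wrapped with backslash continuation lines."""
    parts = ["%02x" % b for b in (value + "\x00").encode("utf-16-le")]
    chunks = [",".join(parts[i:i + width]) for i in range(0, len(parts), width)]
    return "hex(2):" + ",\\\n  ".join(chunks)


def make_export(service_dll: str) -> str:
    """Constructed sample export (not a real host's registry)."""
    return ("Windows Registry Editor Version 5.00\n\n"
            "[" + DHCP_PARAMS_KEY + "]\n"
            '"ServiceDll"=' + reg_expand_sz(service_dll) + "\n"
            '"ServiceDllUnloadOnStop"=dword:00000001\n')


CLEAN_EXPORT = make_export(r"%SystemRoot%\system32\dhcpcsvc.dll")
HIJACKED_EXPORT = make_export(r"%SystemRoot%\system32\dhcpsrv.dll")

if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("hijacked", HIJACKED_EXPORT)):
        print(label, check_dhcp_service(export) or "no findings")
```

Exporting the key with `reg export` on each host and running the check centrally scales to the many targeted departments the article mentions; the same parser works for any other svchost-hosted service by changing the key path and the known-good names.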

In addition, the backdoor can download and install other malware, send collected data back to remote servers and act as a proxy server through which attackers can connect.

The decoded and unpacked version of the trojan had a 42% detection rate on VirusTotal at the time of writing, meaning most antivirus engines still missed it.

Users are strongly advised not to open unsolicited files, such as documents, archives or executables, sent to them via email. If opening such a file cannot be avoided, scanning it on VirusTotal first can give an indication of whether it is malicious, but only an indication: the 42% detection rate above shows that a fresh sample from a targeted campaign will slip past many engines, so a clean result is not proof of safety. Note also that files submitted to VirusTotal are shared with antivirus vendors and other subscribers, which matters when the attachment arrived at an organisation handling sensitive material.