Managed security services firm MessageLabs is reporting a surge in targeted malware attacks against a known Microsoft Word code-execution vulnerability, suggesting that an exploit generator kit may be circulating online.
In its monthly threat intelligence report, MessageLabs said Microsoft Word was the most common exploit vector in April 2007 with a noticeable spike in attacks using Word documents that contain the SmartTag bug patched with Microsoft's MS07-027 bulletin.
From the report:
These attacks increased dramatically since March 2007 from four attacks going to four single recipients to 66 attacks going to 273 recipients in April.
"On first sight, it appears that more than one hacker ring is using this Microsoft Word exploit, and so an exploit generator kit might exist, although this has not yet been found," said Alex Shipp, senior anti-virus technologist at MessageLabs.
The report said a Taiwanese crime ring called "Task Briefing" continued its use of Microsoft Office exploits during April, launching spear-phishing attacks with PowerPoint documents embedded in e-mails.
The ring made six attacks this month, the longest of which lasted 45 hours, sending 61 emails that accounted for 10 percent of all targeted e-mails in April. In March, the same gang sent 151 emails accounting for more than 20 percent of targeted attacks.
MessageLabs said it also intercepted one additional attack using the same PowerPoint exploit (patched with MS07-028) but originating from an IP address in China. This second attack was targeting 14 Japanese e-mail addresses, suggesting that there may be a second criminal ring in operation.
During April 2007, MessageLabs said it intercepted 595 e-mails in 249 separate targeted attacks aimed at 192 different organizations. Of these, 180 were one-on-one targeted attacks aimed at a specific organization.
MessageLabs did not identify any of the targets, but it is well known that some of these MS Office zero-days are being aimed at U.S. government agencies. A spate of PowerPoint attacks last year was also linked to corporate espionage.
Overall, the April numbers show a slight drop in targeted attacks compared to the previous month. In March, MessageLabs stopped 716 e-mails in 249 targeted attacks against 263 different domains. These domains belonged to 216 different organizations.
The company said 84% of the attacks used Microsoft Office exploits (PowerPoint and Word).
The majority of attacks still comprise one e-mail to one individual, but the number of attacks has risen since last year when it was just 1 or 2 per day. Utilizing several exploits in a single malicious file, a typical attack will download a further component from a website under the control of the attackers that will give them remote access to the compromised computer, including access to confidential and potentially sensitive intellectual property.