What does a targeted Microsoft Word zero-day attack look like? A quick flicker when the .doc is opened is sometimes the only thing you'll see.
Symantec's security response team has created a video of a targeted Microsoft Word zero-day attack in action, showing how it's near impossible to know if you've fallen victim to sophisticated spear phishers.
The vulnerability is exploited with no crash of MS Word, but within a few seconds the shellcode drops an executable and opens a clean legitimate document (with some real content) that deceives the user. The only thing that "smart" users can notice is a kind of "flickering" of MS Word. This is because the malicious code has to terminate and then re-execute the MS Word application with the new clean .DOC. This "flickering" happens very quickly.
This video shows an attack against MS Word 2000, confirmed as zero-day by Microsoft, and exploited by a Trojan dropper that checks for infected system for Internet connectivity and opens a backdoor that gives the attacker full control of the machine.
Since December 2006, there have been confirmed reports of at least five unpatched MS Word flaws being exploited in these types of attacks.