Document Based Malware Software Tool – Microsoft Word Intruder

Microsoft Word Intruder

According to nakedsecurity, a new tool called Microsoft Word Intruder (MWI) lets anyone build sophisticated malware. MWI is thought to have been created in Russia; it generates “booby-trapped” Rich Text Format documents that let an attacker exploit several vulnerabilities present in Microsoft Word.

What type of malware software does it generate?

MWI has the ability to create two types of malware software:

  • Downloader – The malicious payload has to download additional files from a remote server.
  • Dropper – Unlike the downloader, the dropper carries the malicious payload inside the document itself, so infection happens locally, even when the machine is offline, and the primary malware component is then dropped onto the system.

The latest version can pack exploits for several vulnerabilities into the same document, as advertised in the underground by its creator, Objekt.

According to FireEye, the new tool includes a tracking feature that embeds a URL in the generated RTF files. A booby-trapped document with the embedded URL looks like this:

  {\listoverride
  \listid283385527\pgp\ipgp0\utap0\li0\ri0\bin-32\sb0\sa0\listoverrideco
  0000000000000000000000000000000000000000000000000000000
  0000000000000000000000000000000000000000000000000000000
  0000000000000000000000000000000000000000000000002611111
  {\field{\*\fldinst {INCLUDEPICTURE
  http://XXXXXXXX.com/image.php?id=19019691 \\ *MERGEFORMAT
  \fldrslt}}
  {\object\objocx{\*\objclass Word.Document.11}
  {\*\objdata
  91959999929999991b00000000000000000000000000000000000000
  00000000000000000000e0000
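As an added example (not code from the original post, from FireEye or from the MWI author), here is a small Python triage script that flags the two defender-relevant indicators visible in the fragment above: a field instruction that fetches a remote URL when the document is opened (the tracking beacon) and an embedded OLE object carrying a hex blob. The sample input is constructed from the fragment above, using the page's placeholder host rather than a real indicator.

```python
import re

# Constructed input modelled on the RTF fragment quoted above; the beacon
# host is the page's placeholder, not a real indicator.
SAMPLE_RTF = r"""{\rtf1
{\field{\*\fldinst {INCLUDEPICTURE
http://XXXXXXXX.com/image.php?id=19019691 \\* MERGEFORMAT }}
{\fldrslt}}
{\object\objocx{\*\objclass Word.Document.11}
{\*\objdata
91959999929999991b0000000000000000000000000000000000000000}}
}"""

# Field instructions that pull remote content when Word renders the field.
REMOTE_FIELDS = ("INCLUDEPICTURE", "INCLUDETEXT", "IMPORT", "HYPERLINK")
FIELD_RE = re.compile(r"\\fldinst[^{]*\{?\s*([A-Z]+)\s+\"?(\S+?)\"?(?:\s|\})",
                      re.IGNORECASE)
OBJCLASS_RE = re.compile(r"\\objclass\s+([^\s{}\\]+)")
OBJDATA_RE = re.compile(r"\\objdata\b")
URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def scan_rtf(text):
    """Return remote-fetching fields and embedded OLE objects found in RTF text."""
    # Samples frequently wrap a field over several lines, so flatten first.
    flat = re.sub(r"[\r\n]+", " ", text)
    beacons = [(kw.upper(), target) for kw, target in FIELD_RE.findall(flat)
               if kw.upper() in REMOTE_FIELDS and URL_RE.match(target)]
    return {
        "beacons": beacons,                      # (field keyword, URL) pairs
        "objects": OBJCLASS_RE.findall(flat),    # declared OLE class names
        "has_objdata": bool(OBJDATA_RE.search(flat)),
    }


def triage(text):
    """Rough verdict: a beacon plus an embedded OLE blob matches the MWI pattern."""
    r = scan_rtf(text)
    if r["beacons"] and r["has_objdata"]:
        return "tracking beacon + embedded object: quarantine and analyse"
    if r["beacons"] or r["has_objdata"]:
        return "review"
    return "clean"


if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))
    print(triage(SAMPLE_RTF))
```

The regexes are deliberately loose about whitespace and braces because MWI documents are known to be obfuscated; a production detector should additionally decode the \objdata hex and inspect the OLE stream.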


Vulnerabilities Used by Malware Software

Microsoft Word Intruder uses the following vulnerabilities for exploitation:

  • CVE-2010-3333
  • CVE-2012-0158
  • CVE-2013-3906
  • CVE-2014-1761

These same vulnerabilities have been used by ZeuS or Zbot, one of the most sophisticated banking Trojans.

Recommended Security Measures

MWI-generated malware is spread mainly by email spam. Security Zap recommends not opening suspicious emails, especially those carrying Microsoft Office attachments, and keeping your malware protection software up to date.
