We've all had situations in which our organization received a malicious binary, and we needed to understand rapidly what it did. Application-level exploits are more difficult to investigate, as they have much greater dependence on their environment than the average Windows binary.

There are two common scenarios of attack involving Word documents:

1. Documents that are in themselves not malicious but contain a malicious "embedded object". This attack methodology is commonly used in the IRS/BBB/DOJ Trojans that have been reported throughout 2007. From an investigation point of view, these Trojan binaries are easy to extract: open the document in Wordpad (preferably in a virtual machine) and copy and paste the object into another directory.

2. Documents crafted to exploit a file-parsing vulnerability in the application software. In this case, the document contains a crafted component which exploits a specific vulnerability, followed by shellcode which takes further action. The shellcode generally either downloads an external, second-stage payload, or executes an embedded Trojan binary. These attacks are sparingly used "in public", but are very common in closely targeted attacks. In this second scenario, it is rather difficult to investigate the embedded Trojan.

In July of this year, we received one such targeted attack sample, with limited AV coverage at the time:

AntiVir 7.4.0.39 20070711 EXP/Office.D
Avast 4.7.997.0 20070711 MW97:CVE-2006-2492.Gen
BitDefender 7.2 20070711
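Pulling an embedded binary out of a document without opening it in Wordpad, as an added example that is not part of this post (the copy-and-paste method above is the author's; this script is not): the Python below scans a file for "MZ" markers, validates each one by following e_lfanew to a "PE\0\0" signature, computes the image's on-disk size from SizeOfHeaders and the section table, and carves it out. So that it runs offline, it also constructs a dummy single-section PE32 inside a fake OLE2 container as sample input; that dummy image and container are constructed here and have nothing to do with the sample discussed in the post. It covers both scenarios only as far as the Trojan is stored in the clear: a second stage that is XOR-encoded by the shellcode or fetched from the network will not be found this way.

```python
import struct
import sys

PE_SIG = b"PE\x00\x00"


def pe_size_at(data: bytes, pos: int) -> int:
    """Return the on-disk size of a PE image starting at data[pos], or 0 if
    no well-formed PE header is there (a stray 'MZ' in random data is common)."""
    if data[pos:pos + 2] != b"MZ" or pos + 0x40 > len(data):
        return 0
    e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
    pe = pos + e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != PE_SIG:
        return 0
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    # SizeOfHeaders sits at offset 60 of the optional header in both PE32 and PE32+.
    end = 0
    if opt_size >= 64 and opt + 64 <= len(data):
        end = struct.unpack_from("<I", data, opt + 60)[0]
    # The file ends where the last section's raw data ends.
    sect = opt + opt_size
    for i in range(n_sections):
        hdr = sect + i * 40
        if hdr + 40 > len(data):
            break
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    # Clamp to what is actually present: a truncated image is still worth keeping,
    # and a garbage section table must not push us past the end of the file.
    return min(end, len(data) - pos)


def find_pe_files(data: bytes):
    """Return (offset, size) for every PE image found in data."""
    found, pos = [], 0
    while (pos := data.find(b"MZ", pos)) != -1:
        size = pe_size_at(data, pos)
        if size:
            found.append((pos, size))
            pos += size  # skip the image so 'MZ' strings inside it aren't re-reported
        else:
            pos += 1
    return found


def carve_pe_files(data: bytes):
    """Return (offset, image_bytes) for every embedded PE image."""
    return [(off, data[off:off + size]) for off, size in find_pe_files(data)]


def build_sample_pe(payload: bytes = b"\x90" * 16) -> bytes:
    """Construct a minimal, structurally valid PE32 with one .text section.
    Example data only: it is not a real program and will not run."""
    opt_size, align = 224, 0x200
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "III",
                      0x10B, 0, 0, len(payload), 0, 0, 0x1000, 0x1000, 0x2000,
                      0x400000, 0x1000, align, 4, 0, 0, 0, 4, 0, 0, 0x2000, align)
    opt = opt.ljust(opt_size, b"\x00")  # remaining fields and data directories zeroed
    section = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                          align, align, 0, 0, 0, 0, 0x60000020)
    headers = (dos + PE_SIG + coff + opt + section).ljust(align, b"\x00")
    return headers + payload.ljust(align, b"\x00")


def build_sample_document() -> bytes:
    """A fake OLE2 container (just the magic plus padding) with the dummy PE
    appended as an 'embedded object'. Constructed for this example."""
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    return ole_magic.ljust(0x200, b"\x00") + build_sample_pe() + b"\x00" * 0x80


if __name__ == "__main__":
    # Usage: python carve_pe.py suspicious.doc   (no argument: scan the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_document()
    for off, image in carve_pe_files(data):
        name = f"carved_{off:08x}.bin"
        with open(name, "wb") as f:
            f.write(image)
        print(f"PE image at offset 0x{off:x}, {len(image)} bytes -> {name}")
```

Run the carved file through your AV and sandbox exactly as you would any other binary; and if the scan comes back empty on a document you know is malicious, suspect the second scenario and start looking at the exploit and shellcode rather than for a dropped executable.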