Contribution: Takayoshi Nakayama
I was going through some files we acquired related to targeted attacks the other day and an unusual set of files caught my eyes. We did some analysis on the files and it turns out a pair of files in the set exploits a vulnerability we have not seen in the wild before. Microsoft is aware of the issue and notes users who have applied MS11-073 are fully protected.
The files stand out from the common targeted attacks because a Microsoft Word document file is paired with a .dll file. Usually, targeted attacks involve one file which drops malware. The pair would most likely arrive to the target wrapped in an archive file attached to an email. It is common to see document files sent by email inside an archive, but typically, you would not see .dll files ever sent by email.
The exploit makes use of an ActiveX control embedded in a Word document file. When the Word document is opened, the ActiveX control calls fputlsat.dll which has the identical file name as the legitimate .dll file used for the Microsoft Office FrontPage Client Utility Library. If the exploit is successful, malware is dropped onto the system. The .dll file must have the file name fputlsat.dll in order to work, so if users see this file name sent along in an email with a document file, they should be alerted. After a successful exploit, fputlsat.dll is deleted and then replaced with the file Thumbs.db. The attacker uses Thumbs.db because the file name is a common file created by Windows when thumbnail view is used. It is also hidden from normal view on a computer with default settings.
Symantec detects the document file as Trojan.Activehijack. We will follow with an update when we have further details about the vulnerability being exploited in this attack. Users are advised to be wary about .dll files attached to emails unless there is special reason for it to be there. We also recommend users apply the patch for MS11-073, as well as all the latest patches, to mitigate the risk of being infected by targeted attacks.