Active exploitation of Excel vulnerabilityMarch 10, 2008 – 7:00 PM
The US-CERT has published a warning on active exploitation of a vulnerability in Microsoft Excel, described in Microsoft Security Advisory 947563. We can confirm these attacks and have been tracking several exploits over the last few days.
It should be noted that the incidents we are aware of have been limited to a very specific targeted attack and were not widespread. In total, we established approximately 21 reports of attacks using only 8 different files, from within the same two communities, so far.
Below are the md5sum’s for the individual exploits:
d03254bbcb124a20478287a77199a001 718e4ff4691f8cefcf296607b3b53b6c 3b4409efea04c003e91b38ed8b428706 2511f821af2d5bea80899bf2ce716b34 15a10055acbc901504708249848228fb 51b3d57064e182eee8a702abd4ee43fe 9983c89a4c148f8aee0a80271ad0a584 69014e152d93f4bc09ce5894d5e793aa
Throughout the incident, we worked together with various anti virus vendors to ensure coverage. Below are some of the signatures we know of that catch iterations of these attacks. Note that some are relatively generic and catch multiple other exploits as well:
Trend Micro: TROJ_MDROP.AH AntiVir: TR/Drop.MSExcel.Agent BitDefender: Exploit.MSExcel.Dropper Fortinet: MSExcel/MalExcel.B!exploit F-Secure: Trojan-Dropper.MSExcel.Agent Ikarus: Trojan-Dropper.MSExcel.Agent Kaspersky: Trojan-Dropper.MSExcel.Agent McAfee: Exploit-MSExcel.p Microsoft: Exploit:Win32/Exrec.A NOD32: X97M/TrojanDropper.Agent.L Symantec: Trojan.Mdropper WebWasher: Trojan.Drop.MSExcel.Agent
We are aware that some of the samples connect back to update-microsoft.kmip.net (18.104.22.168) on port 80, to retrieve the IP address of the actual control server.