Vulnerabilities in Ichitaro Word Processor Abused
Justsystem Corporation, the vendor of Ichitaro, a word processor widely used in Japan, reports that the product is affected by two remote code execution vulnerabilities that cyber-criminals have been exploiting to infect end-users during September and October 2010. Justsystem has already released a patch for both flaws.
Ichitaro, developed by Justsystem and first released in the MS-DOS era, uses .JTD as its document file extension.
According to anti-virus company Trend Micro, the two code-execution vulnerabilities, CVE-2010-3915 and CVE-2010-3916, were discovered in September 2010 as zero-day flaws. They can be exploited through maliciously crafted JTD files, in the same way that attackers target Adobe Reader flaws with malicious PDF documents.
Trend Micro researchers found the exploits planting a Trojan detected as TROJ_DROPPER.QVA, which in turn downloads and runs the backdoor BKDR_GOLPECO.A. They explain that TROJ_DROPPER.QVA checks whether the current user has administrative privileges and, depending on the result, uses different methods to ensure that it runs every time the system boots. Softpedia reported this on November 5, 2010.
Meanwhile, McAfee Labs has also observed several maliciously crafted JTD documents carrying an exploit it detects as Exploit-TaroDrop.i, which has been abusing the reported vulnerabilities since mid-September 2010. When the malicious Ichitaro files are opened, a variety of backdoor Trojans are installed; most of them are dropped as files named "sucost.exe" and belong to the 'BackDoor-DKI' family, also known as "Poison Ivy".
Typically, these backdoors connect to a command-and-control (C&C) server and reportedly inject code into the 'Internet Explorer' and 'Explorer' processes. They then wait for further malicious programs downloaded from remote sites, which give the attackers a remote "shell" on the compromised system; with it, the attackers can steal files, log keystrokes and more. Other exploit-based attacks that use MS Office and PDF document files are also known to install BackDoor-DKI.
Taken together, this malware can completely hijack a system. The risk is not trivial: these vulnerabilities, like earlier Ichitaro flaws before them, have already been exploited in the wild, which places them in the higher-risk category.
Related article: Vulnerabilities in Web Applications Invite Hackers’ Activities
» SPAMfighter News - 19-11-2010