Unusual Personalized Assaults with Office and DLL Files in E-mail Attachments

Researchers from Security Company Symantec report that they've detected one Trojan exploiting an earlier patched security flaw which's existent within Microsoft Office. SC Magazine published this dated February 9, 2012.

Actually, attackers combine a Word .doc file of Microsoft with another file, which has a .dll extension, to make the attack outstanding vis-à-vis normal personalized assaults. Commonly in personalized assaults, there is a file that installs malicious software. The combined files possibly reach the target after being enclosed into an archive in the form of a file attachment inside an electronic mail. But, while it's usual for finding e-mails sent with Word files enclosed within an archive, it isn't common to find e-mails having DLL file attachments.

Moreover, the exploit in the attack utilizes an ActiveX Control that is implanted within certain Word .doc file, which if viewed, prompts the ActiveX Control to summon fputlsat.dll that is identical to any genuine .dll file in terms of filename wherein a DLL file is utilized for the Client Utility Library of Microsoft Office FrontPage. Meanwhile, in case of a successful exploit, malicious software gets installed onto the computer.

Evidently, for enabling the file with the extension .dll to work, it should be named as fputlsat.dll. Thus when e-mail recipients find this particular filename combined with an MS .doc file in a given attachment, they should become cautious. But, if they allow the exploit to work, the fputlsat.dll file will get removed followed with its substitution by yet another file named Thumbs.db. This new file is frequently found as a creation of Windows whilst utilizing thumbnail view. Further, Thumbs.db can't be seen within a PC's 'normal view' given the system's default settings.

In the meantime, the Trojan, which Symantec named "Activehijack," exploits a security flaw that has been rated "important" for which Microsoft released a patch through the MS11-073 bulletin during September 2011.

However, Joji Hamada, senior researcher at Symantec suggests that users can avoid the attack by making sure the patch has been deployed, while also staying vigilant of e-mails, which carry DLL files. SC Magazine published this on February 9, 2012.

Related article: Unsolicited E-mails Touch Record High, Says Commtouch Report

» SPAMfighter News - 2/16/2012