MS Word Exploit Creation Tool

In these days of “zero-day”, I’ve analyzed many malicious files exploiting some of the recent MS Office vulnerabilities for Word, Excel and PowerPoint. The “Trojan.Mdropper” and “Trojan.PPDropper” families have grown very quickly in the last year, and I was trying to come up with some numbers by looking at the samples received here in the virus lab.

During my analysis I was surprised by some data about the number of samples picked up for Trojan.Mdropper.X. For most of these attacks the number of samples received for a single family is very low (usually fewer than five samples), and allows vendors to speak of “limited targeted attacks”. However, for Trojan.Mdropper.X the situation was slightly different. The set of Mdropper.X samples exploiting the same CVE-2006-6456 vulnerability has up to 30 different .doc files at the moment and has started to increase quickly in the last few months.

There was no evident reason behind these statistics and it seemed obvious to me that one vulnerability could be easier to exploit (or more effective) than others, and this could influence the underground trading of MS Office exploits. These were my thoughts until yesterday, when I found a bizarre program on a Chinese Web site. The Chinese name of this program means “2007 Doc Binder”, and after further analysis I discovered that it’s a kind of toolkit that’s able to generate MS Word samples that exploit the CVE-2006-6456 vulnerability.

