Symantec Security Response Weblog: MS Word Exploit Creation Tool

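Targeted attacks that launch downloaders seen in "very low" sample counts are rampant. They appear to be .doc files that use CVE-2006-6456, but the details differ from one to the next, and on looking into it: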

During my analysis I was surprised by some data about the number of samples picked up for Trojan.Mdropper.X. For most of these attacks the number of samples received for a single family is very low (usually less than five samples), and allows vendors to speak of “limited targeted attacks”. However for Trojan.Mdropper.X the situation was slightly different. The set of Mdropper.X samples exploiting the same CVE-2006-6456 vulnerability has up to 30 different .doc files at the moment and started to increase quickly in the last few months.

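On investigating, these turned out to be Word files made in China with a tool called 2007 Doc Binder. When a tool churns out randomized exploits like this, it is hard on the people doing the analysis.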

These were my thoughts until yesterday, when I found a bizarre program on a Chinese Web site. The Chinese name of this program means “2007 Doc Binder”, and after further analysis I discovered that it’s a kind of toolkit that’s able to generate MS Word samples that exploit the CVE-2006-6456 vulnerability.