Press Release

MessageLabs Stops New Zero-day Targeted Email Attack and Uncovers New Microsoft Word Vulnerability
New York - December 10, 2006 – On the 7th of December, 2006, MessageLabs' proactive heuristic anti-virus engine, Skeptic, detected and stopped a new targeted email attack that exploited a new, previously unknown Microsoft Word vulnerability. This attack was different from previous attacks stopped by MessageLabs and did not fit the techniques used by previously identified targeted-attack senders.

MessageLabs recommends that all email users outside the MessageLabs network do not open documents from untrusted sources and use extreme caution even when opening documents from trusted sources.

This attack used a new, previously unknown and unannounced zero-day vulnerability in Microsoft Word. Although the attack itself lasted only four seconds and consisted of three copies of the same malware sent to very specific people in high-profile organizations, undetected copies could compromise the security of the targeted organizations. The attack appears to be designed to access confidential information through the victim's computer.

In this instance, the attack emails originated from a Yahoo email account which the attacker, unusually, accessed through webmail over a CDMA mobile-device link to further hide his identity.

Detection of this attack was only possible because of the highly sophisticated heuristic rules MessageLabs is able to deploy in Skeptic, which operates in a fully managed environment with a global view of all threats and email traffic.

The content of the emails focused on current issues in Iran and questions around its nuclear program, and was tailored closely to the recipients so as to appear trustworthy. The email contained an attachment called "Rapid Response issues.doc," which contained the malware exploiting the new, unannounced zero-day Word vulnerability.

The exploit causes MS Word to drop an executable file, execute it and exit. That executable, when run, drops a second, now clean, Word document with a name similar to the original file, together with another executable file. The dropped clean Word document is then opened; it does contain text about the political situation around Iran, leading the recipient to think that nothing unusual has happened. Meanwhile, the dropped executable is launched by the first executable, which acts as the dropper. It then remains resident in memory and performs a number of malicious actions, including waiting for remote commands sent to another email address, checking a particular web address (possibly for updates or for remote commands) and gathering information about the system it is running on. Once specific information about the system has been collected, it is sent to a particular email address.
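The dropper chain described above has a distinctive shape on an endpoint: Word writes an executable, that executable writes a look-alike document plus a second executable, and both are launched. The following added detection sketch (not MessageLabs' code; the event format, file names and process ids are constructed for illustration) finds that chain in a sample of process and file events.

```python
import difflib
import os

OFFICE_IMAGES = {"winword.exe"}

# Constructed endpoint telemetry (assumed format, not data from the original report).
# Row: (seq, pid, ppid, event, image, target). An "exec" row is the new process's first row.
EVENTS = [
    (1, 1000, 900,  "open",  "winword.exe", r"c:\users\a\mail\rapid response issues.doc"),
    (2, 1000, 900,  "write", "winword.exe", r"c:\users\a\appdata\local\temp\svc.exe"),
    (3, 1001, 1000, "exec",  "svc.exe",     r"c:\users\a\appdata\local\temp\svc.exe"),
    (4, 1001, 1000, "write", "svc.exe",     r"c:\users\a\appdata\local\temp\rapid response issue.doc"),
    (5, 1001, 1000, "write", "svc.exe",     r"c:\users\a\appdata\local\temp\update.exe"),
    (6, 1002, 1001, "exec",  "winword.exe", r"c:\users\a\appdata\local\temp\rapid response issue.doc"),
    (7, 1003, 1001, "exec",  "update.exe",  r"c:\users\a\appdata\local\temp\update.exe"),
    (8, 2000, 900,  "open",  "winword.exe", r"c:\users\a\docs\budget.doc"),  # benign editing
    (9, 2000, 900,  "write", "winword.exe", r"c:\users\a\docs\budget.doc"),
]

def stem(path):
    """File name without directory or extension, lower-cased for comparison."""
    return os.path.splitext(os.path.basename(path.replace("\\", "/")))[0].lower()

def find_decoy_droppers(events, threshold=0.8):
    """Flag: Word opens a .doc, writes an .exe, that .exe runs under Word, writes a
    similarly named .doc plus another .exe, and those are launched in turn."""
    by_pid = {}
    for row in sorted(events):
        by_pid.setdefault(row[1], []).append(row)
    findings = []
    for pid, rows in by_pid.items():
        if rows[0][4] not in OFFICE_IMAGES:
            continue
        opened = [r[5] for r in rows if r[3] == "open" and r[5].endswith(".doc")]
        dropped = [r[5] for r in rows if r[3] == "write" and r[5].endswith(".exe")]
        for cpid, crows in by_pid.items():
            first = crows[0]
            # child must have been started by this Word process from a file Word wrote
            if not (first[3] == "exec" and first[2] == pid and first[5] in dropped):
                continue
            decoys = [r[5] for r in crows if r[3] == "write" and r[5].endswith(".doc")]
            stage2 = [r[5] for r in crows if r[3] == "write" and r[5].endswith(".exe")]
            launched = [r[5] for r in events if r[3] == "exec" and r[2] == cpid]
            for orig in opened:
                for decoy in decoys:
                    sim = difflib.SequenceMatcher(None, stem(orig), stem(decoy)).ratio()
                    if sim >= threshold:  # decoy name mimics the original attachment
                        findings.append({"word_pid": pid, "dropper_pid": cpid, "original": orig,
                                         "decoy": decoy, "similarity": round(sim, 2),
                                         "decoy_opened": decoy in launched,
                                         "second_stage": [e for e in stage2 if e in launched]})
    return findings
```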

Over the past eighteen months MessageLabs has been tracking three gangs of criminals actively involved in similar industrial espionage attacks; however, this particular attack does not fit any of the known patterns and is likely to be from a new group of criminals entering the field of electronic industrial espionage.

Following its usual procedure in such circumstances, MessageLabs alerted the wider security community to the attack and the new vulnerability by sharing samples of the malware used in this attack. Other vendors will likely develop and issue a signature for this attack over the coming days and take steps to alert their customers. MessageLabs clients were fully protected from this attack from its first copy and are protected from all new targeted attacks going forward.

Note: This vulnerability has not yet been assigned a name because it is so new.

About MessageLabs

MessageLabs is a leading provider of integrated messaging and web security services, with over 21,000 clients ranging from small businesses to the Fortune 500, located in more than 100 countries. MessageLabs provides a range of managed security services to protect, control, encrypt and archive communications across Email, Web and Instant Messaging.

These services are delivered by MessageLabs' globally distributed infrastructure and supported 24/7 by security experts. This provides a convenient and cost-effective solution for managing and reducing risk and providing certainty in the exchange of business information. For more information, please visit www.messagelabs.com.

Media Contacts:

US:
Marissa Vicario, MessageLabs, +1 646 519 8116, mvicario@messagelabs.com,
Hill & Knowlton for MessageLabs, +1 212-885-0552, messagelabs@hillandknowlton.com

EMEA:
Paul Wood, MessageLabs, +44 (0) 1452 627705, pwood@messagelabs.com
Weber Shandwick for MessageLabs, +44 (0) 20 7067 0500, mlukpr@webershandwick.com

APAC:
Andrew Antal, MessageLabs, +61 2 8208 7171, aantal@messagelabs.com
Spectrum Communications for MessageLabs, +61 2 9954 3299, messagelabs@spectrumcomms.com.au