Ichitaro Exploits Progress

On March 11, Regional TrendLabs in Japan found a zero-day exploit attack targeting Just System's well-known Japanese word processor, Ichitaro. The malware exploiting the vulnerability was observed arriving via spam and via malicious websites, using the Ichitaro file extension, .JTD.

The malware (TROJ_TARODROP.BA) drops a file {random letters}.tmp (TROJ_DROPPER.PAO), which in turn drops another file named beer80.exe (TROJ_AGENT.KLQW).

What is notable about this scheme is that after TROJ_TARODROP.BA and TROJ_DROPPER.PAO have executed their routines, the dropped Trojan TROJ_DROPPER.PAO creates non-malicious files and uses them to overwrite both itself and the initial TROJ_TARODROP.BA. Thus, when the user checks the files after the infection is complete, all the user will see are legitimate Ichitaro files (this is considered a stealth technique applied by the malware).

Unknown to the user at that point is that the final payload, TROJ_AGENT.KLQW, remains resident on the system. This Trojan (TROJ_AGENT.KLQW) gathers the following information from the affected system and then sends the data to a remote site:

  • Computer Name
  • IP Address
  • Process ID of the legitimate process it injects into, svchost.exe
  • OS version
  • Locale Information


Figure 1. The sleight of hand is performed by the second malware in line, TROJ_DROPPER.PAO.

According to Trend Micro researchers, the initial attack on Ichitaro happened in August 2006. Since then, every time a new Ichitaro vulnerability is found, cybercriminals are expected to attempt to exploit it, and they do so with increasing social engineering savvy. Past attacks followed the same straightforward drill: the first malware exploits the vulnerability and the second one conducts the main routines, such as autostart and dropping files. It is only recently (in 2008) that we have begun to see the additional overwriting trick meant to fool users.
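As an added illustration of how a defender might spot the overwrite trick described above, the script below is example code written for this post (not Trend Micro's tooling or the malware's code). It replays a constructed, Sysmon-like stream of process-creation and file-write events and raises an alert when a document opened by the word processor is rewritten by a process descended from that word-processor instance, or when a file written by that process chain is later executed. The event format, the word-processor image name TARO.EXE, the file paths and the process IDs are all assumptions made for the example.

```python
"""Toy detection of the self-overwriting dropper chain described in the post.

Constructed example: the event shape (process_create / file_write dicts), the
Ichitaro image name TARO.EXE and every path and PID below are assumptions,
not a real log format or real telemetry.
"""
import ntpath

# Assumed image name of the word processor; real deployments would map this
# from inventory rather than hard-coding it.
WORD_PROCESSOR = "taro.exe"
DOC_EXTS = (".jtd",)

# Constructed sample stream: one chain matching the write-up (document ->
# random .tmp dropper -> beer80.exe, then the .tmp rewrites the document and
# itself), followed by a benign save of a different document by the user.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "process_create", "pid": 100, "ppid": 1,
     "image": "C:\\JUST\\TARO.EXE", "cmdline": "TARO.EXE C:\\Users\\a\\invoice.jtd"},
    {"ts": 2, "type": "file_write", "pid": 100,
     "path": "C:\\Users\\a\\AppData\\Local\\Temp\\qwxz.tmp"},
    {"ts": 3, "type": "process_create", "pid": 101, "ppid": 100,
     "image": "C:\\Users\\a\\AppData\\Local\\Temp\\qwxz.tmp", "cmdline": "qwxz.tmp"},
    {"ts": 4, "type": "file_write", "pid": 101,
     "path": "C:\\Users\\a\\AppData\\Local\\Temp\\beer80.exe"},
    {"ts": 5, "type": "process_create", "pid": 102, "ppid": 101,
     "image": "C:\\Users\\a\\AppData\\Local\\Temp\\beer80.exe", "cmdline": "beer80.exe"},
    # the dropper overwrites the exploit document with a clean-looking file
    {"ts": 6, "type": "file_write", "pid": 101, "path": "C:\\Users\\a\\invoice.jtd"},
    # ... and then overwrites itself (after it has already run)
    {"ts": 7, "type": "file_write", "pid": 101,
     "path": "C:\\Users\\a\\AppData\\Local\\Temp\\qwxz.tmp"},
    # benign: the user saves another document from the word processor itself
    {"ts": 8, "type": "process_create", "pid": 200, "ppid": 1,
     "image": "C:\\JUST\\TARO.EXE", "cmdline": "TARO.EXE C:\\Users\\a\\notes.jtd"},
    {"ts": 9, "type": "file_write", "pid": 200, "path": "C:\\Users\\a\\notes.jtd"},
]


def build_process_tree(events):
    """pid -> {ppid, image, cmdline} for every process_create event."""
    return {e["pid"]: {"ppid": e["ppid"], "image": e["image"].lower(),
                       "cmdline": e["cmdline"], "ts": e["ts"]}
            for e in events if e["type"] == "process_create"}


def is_descendant(procs, pid, ancestor_pid):
    """True if ancestor_pid is a strict ancestor of pid in the recorded tree."""
    cur = procs.get(pid)
    while cur is not None:
        if cur["ppid"] == ancestor_pid:
            return True
        cur = procs.get(cur["ppid"])
    return False


def opened_documents(procs):
    """Map lower-cased document path -> pid of the word-processor instance that opened it.

    Splits the command line on whitespace, so paths containing spaces are not
    handled; the constructed sample avoids them.
    """
    docs = {}
    for pid, p in procs.items():
        if ntpath.basename(p["image"]) == WORD_PROCESSOR:
            for token in p["cmdline"].split():
                if token.lower().endswith(DOC_EXTS):
                    docs[token.lower()] = pid
    return docs


def detect(events):
    """Return (rule, path, writer_pid) tuples for suspicious writes, in event order."""
    procs = build_process_tree(events)
    docs = opened_documents(procs)
    wp_pids = set(docs.values())
    # image path -> timestamps at which a process with that image was started
    exec_times = {}
    for p in procs.values():
        exec_times.setdefault(p["image"], []).append(p["ts"])

    alerts = []
    for e in events:
        if e["type"] != "file_write":
            continue
        path, writer = e["path"].lower(), e["pid"]
        in_chain = writer in wp_pids or any(is_descendant(procs, writer, w) for w in wp_pids)
        if not in_chain:
            continue
        # Rule 1: something written by the word-processor chain is executed afterwards.
        if any(t > e["ts"] for t in exec_times.get(path, [])):
            alerts.append(("dropped_file_executed", path, writer))
        # Rule 2: the opened document is rewritten by a process other than the
        # word-processor instance that opened it (the overwrite trick).
        owner = docs.get(path)
        if owner is not None and writer != owner:
            alerts.append(("document_overwritten_by_child", path, writer))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 2 is the one that corresponds to the trick in the post: a .JTD that was handed to the word processor and is then rewritten by a child of that word-processor instance is not a normal save. Rule 1 catches the dropper chain regardless of the overwrite, and the timestamp check keeps the dropper's later self-overwrite from being reported as a second drop.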

Previous Ichitaro-related attacks include the following:

New Ichitaro zero-day exploit discovered
Ichitaro Exploited Anew
A Closer Look at Ichitaro

Information on this vulnerability, as well as the patch provided by Just System, can be found on their website.

Read the Japanese writeup of this attack from the Japanese Malware Blog.

Post from: TrendLabs | Malware Blog – by Trend Micro


URL: http://blog.trendmicro.com/ichitaro-exploits-progress/
