Targeted Attacks in 2011 Using Ichitaro Zero-Day Vulnerability

We have been observing since January multiple targeted-attacks that use a zero-day vulnerability found in the Japanese word processor software, Ichitaro. JustSystems, the makers of Ichitaro, have already shipped a patch to fix this problem and users who run Ichitaro should install this patch. Its worth noting that initially this patch will only be available for Ichitaro 2009-2011. Patches for other versions will be released at a later date.

The malware that uses this vulnerability is currently detected as Trojan.Tarodrop.L by Symantec security products, although previous definitions had proactively detected this as Trojan.Tarodrop.

This vulnerability may allow remote code execution through heap corruption in the memory management program code in Ichitaro. The embedded file related to HTML triggers the vulnerability and a tampered value of the embedded file size muddles the software. It overflows a heap area with the data of the embedded file.

A shell code in another area of the malicious Ichitaro file can execute by overwriting the data as shown in the figure below:

The aim of the attackers is to gain control of the compromised computer by opening a back door. The malicious Ichitaro files contain more malware that it drops and runs, which is detected as Backdoor.Trojan by Symantec security products.

Trojan.Tarodrop.L files use the Ichitaro compression format legitimately. Deflating the contents of the document can decrease the file size and therefore it is able to hide the large amount of data needed for making the heap corruption and shellcode.

In general, targeted attacks are difficult to find. To protect computers from such attacks the software should be kept up-to-date by installing security updates and files sent from unknown sources should not be opened without considered opinion.

Finally, please keep antivirus definitions, IPS signatures, and firewall rules up-to-date.