The latest Flash zero-day security hole -- the one hitched to a Word document -- literally has 'China' written all over it

Permit me to start with a truism: In the world of computer forensics, you never really know anything for sure. With that as a given, the case of the new Flash zero-day exploit keeps getting curiouser and curiouser, and "China" keeps popping up.

Yesterday Adobe confirmed the critical Flash zero-day bug. This previously unknown security hole was discovered as an embedded Flash .swf file object inside a Word document sent via email. In her Contagio Malware Dump blog, researcher Mila Parkour gives extensive details about the .swf file and the infected .doc file that's making the rounds.

This is no fractured-English, "all your base are belong to us" attack. It's a very sophisticated, targeted message with a compelling — and potentially disastrous — attachment.

The email message with an infected attachment that Mila describes appears to come from a Hotmail account. It was sent on April 8. The subject of the message is "Disentangling Industrial Policy and Competition Policy in China." The body of the message says, in part:

…the current issue of the ABA Antitrust Section's Antitrust Source may be of interest. It contains interviews of the heads of the sections devoted to AML enforcement within MOFCOM, NDRC and SAIC. In addition, it contains a worthwhile article on "Disentangling Industrial Policy and Competition Policy in China"…

There's an attachment to the message, a Word 2003-2007 .doc file called, you guessed it, "Disentangling Industrial Policy and Competition Policy in China.doc."

It's first-class bait. The American Bar Association (ABA) has an Antitrust Source newsletter.
The current issue of that newsletter contains four articles from a symposium on Chinese competition law, one of which is called "Disentangling Industrial Policy and Competition Policy in China." If you have an interest in Chinese law and happen to understand ABA jargon, you may even be able to translate the body of the message: AML is China's new Anti-Monopoly Law; MOFCOM is China's Ministry of Commerce; NDRC is China's National Development and Reform Commission; and SAIC is the State Administration for Industry and Commerce. It's fair to say that the message was designed to catch the eye of English-speaking attorneys with an interest in Chinese competition law. It's spear phishing with a very sharp spear. As Parkour says, "The recipients of this message included people whose names you can find in Wikipedia and assistants of former high-ranked politicians who are now working at global consulting companies."

The .doc file isn't perfect; Mila found that opening the file with Word 2010 simply crashed Word. No harm, no foul. In some cases, Word 2010 would open a clean copy of the file, without an embedded Flash component. Word 2003 appears to be immune. Word 2007 is a different story.

Opening the .doc file on a Windows 7 system running Word 2007 installs backdoor code on the system. Based on the description in the article, it looks like the backdoor will only continue to work in the current session. If the user logs off or reboots, the backdoor disappears and will only appear again if the user opens that same doctored document.

Opening the .doc file on a Windows XP system running Word 2007 requires user interaction — you have to click on the header and then click on the Flash object. But if you activate the Flash object manually, the Flash-based Trojan replaces the system file mspmsnsv.dll with a completely bogus version, and the registry is altered to start the program automatically each time Windows XP restarts.
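One defensive check that follows from the Flash-object-inside-a-Word-document delivery described above, added here as an example rather than taken from the article or from Mila Parkour's analysis: a small scanner that finds SWF headers (FWS, CWS or ZWS signature, version byte, declared length) inside a raw document blob and, for zlib-compressed CWS payloads, confirms the payload really inflates before reporting it. The document it scans is constructed inline, not the real attachment.

```python
import struct
import zlib

# SWF signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def _zlib_inflates_to(data, expected_len):
    """True if data starts with a zlib stream that inflates to exactly expected_len bytes."""
    try:
        out = zlib.decompressobj().decompress(data)  # trailing bytes go to unused_data, no error
    except zlib.error:
        return False
    return len(out) == expected_len


def find_embedded_swf(blob):
    """Return a list of dicts (offset, signature, version, uncompressed_length) for every
    plausible SWF header in blob. Header layout: 3-byte signature, 1-byte version,
    little-endian uint32 uncompressed length (header included). A CWS hit is reported
    only if its payload inflates to the declared size, so stray 'CWS' bytes are ignored."""
    hits = []
    for magic in SWF_MAGICS:
        pos = blob.find(magic)
        while pos != -1:
            header = blob[pos:pos + 8]
            if len(header) == 8:
                version = header[3]
                length = struct.unpack("<I", header[4:8])[0]
                plausible = 1 <= version <= 50 and length >= 8
                if plausible and magic == b"FWS":
                    plausible = length <= len(blob) - pos  # uncompressed body must fit
                elif plausible and magic == b"CWS":
                    plausible = _zlib_inflates_to(blob[pos + 8:], length - 8)
                # ZWS (LZMA) is accepted on the header check alone in this example.
                if plausible:
                    hits.append({"offset": pos, "signature": magic.decode(),
                                 "version": version, "uncompressed_length": length})
            pos = blob.find(magic, pos + 1)
    return hits


def build_sample_document():
    """Constructed stand-in for a .doc carrying a Flash object (not the real sample):
    OLE-style magic, filler, a decoy 'FWS' with an impossible version byte, then a
    genuine zlib-compressed SWF whose 53-byte body is also made up."""
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00" + b"\x00" * 44
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    decoy = b"FWS\xff\x00\x00\x00\x00"  # version 0xff fails the plausibility check
    return b"\xd0\xcf\x11\xe0" + b"A" * 100 + decoy + swf + b"B" * 100
```

Real .doc files are OLE compound documents, so a production check would also walk the storage tree rather than treating the file as one flat buffer; the byte scan above is the minimal version of the idea.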
Researchers are currently identifying what this altered mspmsnsv.dll actually does. The altered mspmsnsv.dll is identified as a Trojan by 18 of the 41 antivirus engines currently used in the VirusTotal scan.

Here's where the China part comes in. Remember my earlier admonition: It's entirely possible that this Trojan is so clever it's merely trying to make researchers think it originated in China. Still, the evidence is worth considering.

Infected systems phone home, setting up an FTP connection, and in this case the address they phone is hard-coded: 123.123.123.123. That IP address belongs to the China Unicom Beijing province network. The session contains a User Agent field with the string zh-cn, which is defined as Chinese (PRC).

Every Word document has a CodePage. When Word opens the document, it uses the fonts defined by the CodePage to display the document on the screen. Typically the CodePage is set by the template used to create the document. The "Disentangling Industrial Policy and Competition Policy in China.doc" CodePage is Windows Simplified Chinese (PRC, Singapore).

Are we seeing yet another sophisticated attempt to infect and suck data out of PCs belonging to a specific group of people with an interest in China? Could the People's Republic of China government be behind it? Tantalizing questions, and as yet we have no irrefutable answers.

This story, "Adobe Flash zero-day shows a Chinese connection," was originally published at InfoWorld.com.