Yesterday, Microsoft issued Security Advisory 2953095 to announce a vulnerability in Microsoft Word 2010 that could allow remote-code execution, “…if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.”
EnCase Analytics is designed to surface anomalous behavior on network endpoints early, so it can be used to look for signs of this exploit. One anomaly that EnCase Analytics can find in this particular attack is the execution of the backdoor dropped by the main shellcode. According to Microsoft’s advisory, the backdoor is an executable named svchost.exe that runs from the temp directory. A legitimate svchost.exe never runs from a temp directory: it runs from the Windows System32 folder (and, on 64-bit Windows, the 32-bit copy runs from SysWOW64, which a path-based rule should treat as expected rather than suspicious).
Because EnCase Analytics collects and aggregates endpoint data across an entire enterprise, you can use it to visualize which process filenames are associated with multiple file paths across your organization. That view quickly surfaces anomalies such as a process named svchost.exe executing from an atypical path. Detecting this anomaly would identify a symptom of a threat like the one Microsoft documented yesterday without needing a signature for it, and the same approach would identify future threats that use a similar technique, potentially before an official advisory is issued. The path alone is not conclusive, though: before declaring an incident, corroborate a hit by checking the parent process (a legitimate svchost.exe is started by services.exe) and the file’s digital signature.
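The fleet-wide check described above, as an added example written for this post rather than EnCase Analytics code: it assumes the collector exports flat (hostname, full image path) records for every observed process, the sample inventory is constructed, and the expected directories assume %SystemRoot% is C:\Windows. The first function is the signature-free rule (a filename that most hosts run from one directory but a few run from another); the second is the simpler single-host rule that a core system binary’s name should only appear under System32 or SysWOW64.

```python
"""Flag process names that run from atypical paths across an endpoint fleet.

Added example; this is not EnCase Analytics code. It assumes the collector
exports flat (hostname, full image path) records for every observed process.
All sample records are constructed for illustration, and the expected
directories assume %SystemRoot% is C:\\Windows.
"""
from collections import defaultdict
import ntpath

# Constructed inventory. ws-017 shows the pattern from the advisory:
# a file named svchost.exe executing out of a user's temp directory.
SAMPLE_RECORDS = [
    ("ws-001", r"C:\Windows\System32\svchost.exe"),
    ("ws-002", r"C:\Windows\System32\svchost.exe"),
    ("ws-003", r"C:\Windows\System32\svchost.exe"),
    ("ws-003", r"C:\Windows\SysWOW64\svchost.exe"),   # 32-bit host, legitimate on x64
    ("ws-004", r"C:\WINDOWS\system32\svchost.exe"),   # case varies; must normalise
    ("ws-004", r"C:\Windows\SysWOW64\svchost.exe"),
    ("ws-005", r"C:\Windows\System32\svchost.exe"),
    ("ws-005", r"C:\Windows\SysWOW64\svchost.exe"),
    ("ws-017", r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe"),
    ("ws-001", r"C:\Windows\explorer.exe"),
    ("ws-002", r"C:\Windows\explorer.exe"),
    ("ws-003", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ("ws-004", r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"),
]

# Assumed: %SystemRoot% is C:\Windows. Both directories are legitimate homes
# for svchost.exe on 64-bit Windows.
EXPECTED_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def normalize(path):
    """Windows paths are case-insensitive, so lower-case and unify separators."""
    return path.replace("/", "\\").lower()


def paths_by_name(records):
    """Index image filename -> directory -> set of hosts seen running it."""
    index = defaultdict(lambda: defaultdict(set))
    for host, path in records:
        directory, name = ntpath.split(normalize(path))
        index[name][directory].add(host)
    return index


def find_path_anomalies(records, min_hosts=2, max_fraction=0.25):
    """Fleet-wide, signature-free check.

    For every filename seen on at least min_hosts hosts and from more than
    one directory, flag each directory used by no more than max_fraction of
    those hosts. The organisation's own data is the baseline, so the rule
    also catches future malware that borrows a common system binary's name.
    Returns sorted (name, directory, [hosts]) tuples.
    """
    anomalies = []
    for name, dirs in paths_by_name(records).items():
        all_hosts = set().union(*dirs.values())
        if len(all_hosts) < min_hosts or len(dirs) < 2:
            continue
        for directory, hosts in dirs.items():
            if len(hosts) / len(all_hosts) <= max_fraction:
                anomalies.append((name, directory, sorted(hosts)))
    return sorted(anomalies)


def known_name_outside_expected_dirs(records, names=("svchost.exe",)):
    """Single-host rule usable without fleet data: a file carrying a core
    system binary's name that is not in EXPECTED_SYSTEM_DIRS. Returns the
    original (host, path) pairs so an analyst can pull the file."""
    hits = []
    for host, path in records:
        directory, name = ntpath.split(normalize(path))
        if name in names and directory not in EXPECTED_SYSTEM_DIRS:
            hits.append((host, path))
    return hits


if __name__ == "__main__":
    for name, directory, hosts in find_path_anomalies(SAMPLE_RECORDS):
        print(f"ANOMALY {name} from {directory} on {', '.join(hosts)}")
    for host, path in known_name_outside_expected_dirs(SAMPLE_RECORDS):
        print(f"POLICY  {host}: {path}")
```

On the constructed inventory both rules return only ws-017. The Firefox split between Program Files and Program Files (x86) is not flagged because neither directory is a small minority, and the SysWOW64 copies are not flagged because several hosts run them; min_hosts and max_fraction are the knobs to tune against your own fleet’s data before trusting the output.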
Have a Question or Comment? I welcome discussion in the Comments section below.
Alfred Chung is the Product Manager for EnCase Analytics at Guidance Software.