
Tuesday, 27 May 2008

When Adobe Flash Attacks


In case you have not heard, it's pretty important that you make sure you have updated your Adobe Flash Player to the latest version (9.0.124.0 at the time of this writing). Why, you ask? Well, it seems that several websites are now taking advantage of a flaw in the Adobe Flash Player previously covered by CVE-2007-0071. It appears that Symantec started noticing this activity being exploited in the wild and initially labeled it a 0-day threat, as they thought it affected 9.0.124.0. However, they have since posted an update that may change this view. Both Symantec and the Internet Storm Center have posted information about the vulnerability and some of the websites that are actively exploiting it. It would appear that this is in fact fully patched in the latest version and is the same vulnerability described by CVE-2007-0071.

We decided to look into this a bit more and see what other websites out there are exploiting this vulnerability and what they attempt to install. It did not take us long to find several other websites beyond those already mentioned. It would appear that this exploit has been fairly widely known within the Chinese community for the past two days or so. We were able to find several websites from our own lists and also with the help of the Lineage Reference Library website. Please note that this website catalogs malware and contains several URLs to malicious websites and files that should not be visited.

Exploit Websites & Tangled Malware Web


Several of the websites taking advantage of this Flash vulnerability are ones you might already recognize. Several of them show up on the list of domains that were modified as a result of the ongoing mass SQL injection attacks. Some of the other domains are new or just lesser known. In most cases they house several other exploit pages designed to hack you however they can. It just so happens that they have all recently added this Adobe Flash Player vulnerability to their arsenal. We are not claiming to have all of the technical details here, as we are just working with everyone else in the community to figure out what's going on. However, we can tell that there are a few variations of the exploit that seem to work only with particular versions of the Flash Player and must be delivered to a particular browser. For example, a malicious .swf file that works in Internet Explorer will not work in Firefox, and vice versa. In several instances the exploit pages will attempt to direct the user to a file matching their browser and Flash version; examples include file names like WIN%209,0,115,0ie.swf and WIN%209,0,115,0ff.swf, where the version number and the ie/ff suffix encode the targeted Flash build and browser.

With all that being said, we would like to share some of the websites that are attempting to take advantage of this vulnerability and spread malware. We will give you the domains, IP addresses, and file information as we have it right now. In no way is this meant to be a comprehensive list of all the domains and IPs involved, but it should be a good starting point to keep a lookout for and perhaps take proactive steps with.

Note: Do not visit these URLs as they are malicious and should be considered dangerous.


That is a nice long list, and it will be outdated in a matter of hours or days. In any event, if it helps one person out there, then we will continue to sleep easy. What you will notice above is that there is some overlap in domain names, IP addresses, and certainly file names. Some of these websites are hosted on the same IP address. Some of them use the same files, while others link to different files or even non-existent files. It is quite a tangled web, and this is probably just the tip of the iceberg.

Our Findings


In many cases the above URLs link to additional malicious .swf files, but we have chosen to include only certain ones. This is for ease of use, and we are posting the ones we actually tried and that successfully exploited our test machine. Common file names that we saw across the websites for the .swf files are as follows:

ie1.swf
ie2.swf
1231.swf
1232.swf
4561.swf
4562.swf
i1232.swf
i1231.swf
flash1.swf
flash2.swf
WIN 9,0,115,0i.swf
WIN 9,0,115,0f.swf
WIN%209,0,115,0ie.swf
WIN%209,0,115,0ff.swf

The file names you see above are the ones we actually tried and that successfully exploited our test machine. All of the URL paths, including those of the malware, came directly from pcap files of successful exploitation. They are subject to change at any time. We also noticed that the exploit tended to succeed on its first try much more frequently in Internet Explorer than in Firefox. The exploits would still work for the Firefox versions, but in several cases required the page to be reloaded multiple times before the exploit succeeded.

Final Recommendations


Did we mention that you should UPGRADE YOUR FLASH PLAYER (if you haven't already)? It's always a good idea to keep your software up to date, but it should surely be a priority to do so now. It also wouldn't hurt to block the aforementioned host names and possibly IP addresses (be careful in case an IP hosts something legitimate -- not too risky here, though). Finally, you could keep an eye out for some of the above file names as well. This can lead to some false positives and certainly won't catch them all, but it can't hurt. Let us know if you see anything else in the wild or if you have any feedback.
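To give the file-name watch suggested above a concrete form, here is a small detection pass over proxy-style log lines (an added example, not code from the original post): it flags .swf names matching the version-keyed WIN <version><ie|ff> pattern described earlier plus the common names listed under Our Findings, and correlates a follow-on .exe download by the same client. The version digits are not pinned, so it generalises beyond 9,0,115,0; the log format and host names are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote, urlparse

# Naming pattern described in the post: "WIN" + Flash version + browser tag + ".swf",
# e.g. WIN 9,0,115,0ie.swf or WIN%209,0,115,0ff.swf. The version digits are not
# pinned, so the same check generalises to other targeted Flash builds.
VERSIONED_SWF = re.compile(r"^WIN \d+,\d+,\d+,\d+(?:ie|ff|i|f)\.swf$", re.IGNORECASE)

# Generic .swf names the post lists as common across the exploit sites.
COMMON_SWF = {"ie1.swf", "ie2.swf", "1231.swf", "1232.swf", "4561.swf", "4562.swf",
              "i1231.swf", "i1232.swf", "flash1.swf", "flash2.swf"}

# The post's chains often fetch the executable from a different host than the
# .swf, so the second-stage correlation is keyed on the client only.
EXE_WINDOW = timedelta(seconds=120)

def swf_suspicious(url):
    """True if the URL's file name matches either naming pattern."""
    name = unquote(urlparse(url).path.rsplit("/", 1)[-1])
    return bool(VERSIONED_SWF.match(name)) or name.lower() in COMMON_SWF

def scan(lines):
    """lines: 'ISO-timestamp client-ip url' records (URLs percent-encoded,
    as a proxy would log them). Returns (rule, client, url) findings."""
    findings = []
    last_swf = {}  # client -> time of its last suspicious .swf fetch
    for line in lines:
        ts, client, url = line.split(maxsplit=2)
        t = datetime.fromisoformat(ts)
        if swf_suspicious(url):
            findings.append(("suspicious-swf", client, url))
            last_swf[client] = t
        elif urlparse(url).path.lower().endswith(".exe"):
            seen = last_swf.get(client)
            if seen is not None and t - seen <= EXE_WINDOW:
                findings.append(("swf-then-exe", client, url))
    return findings
# Constructed sample log (hosts are placeholders, not indicators from the post).
SAMPLE_LOG = [
    "2008-05-27T10:00:01 10.0.0.5 http://exploit-site.example/flash/versionie.swf",
    "2008-05-27T10:00:02 10.0.0.5 http://exploit-site.example/flash/WIN%209,0,115,0ie.swf",
    "2008-05-27T10:00:05 10.0.0.5 http://payload-host.example/test.exe",
    "2008-05-27T10:03:00 10.0.0.7 http://cdn.example/player.swf",
    "2008-05-27T10:04:00 10.0.0.7 http://downloads.example/setup.exe",
]
if __name__ == "__main__":
    for rule, client, url in scan(SAMPLE_LOG):
        print(f"{rule:15} {client:10} {url}")
```

The second rule only fires when an executable follows a flagged .swf from the same client within the window, which keeps ordinary .swf and .exe traffic (the 10.0.0.7 lines) quiet.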

Posted May 27, 2008, at 09:58 PM by Steven Adair