« June 2011 · December 2011 · November 2014 »

August 2011
MonTueWedThuFriSatSun
01020304050607
08091011121314
15161718192021
22232425262728
293031    
September 2011
MonTueWedThuFriSatSun
   01020304
05060708091011
12131415161718
19202122232425
2627282930  
October 2011
MonTueWedThuFriSatSun
     0102
03040506070809
10111213141516
17181920212223
24252627282930
31      

Calendar:

  • 21.10.2011: Expanded Meta Data in Whitelisting API
  • 08.09.2011: On AV testing, comparisons, and value
  • 02.09.2011: New AV Test Suite
  • No entries for August 2011.
Newest first Oldest first

Friday, 17 June 2011

Flash Exploits on the Loose: Update Now

It is Critical You Update Your Adobe Flash Player


Hopefully you noticed that earlier in the week Adobe issued multiple security updates, which included an update for Adobe Flash Player by way of APSB11-18. What you may not know is that the issue fixed by this update, CVE-2011-2110, is being exploited in the wild on a fairly large scale. In particular this exploit is showing up as a drive-by in several legitimate websites, including those belonging to various NGOs, aerospace companies, a Korean news site, an Indian Government website, and a Taiwanese University. The links are also being used in targeted spear phishing attacks designed to lure particular individuals into clicking the links with hopes of compromising their machines. In case there is any doubt at all, this is very bad. If you run a version of Adobe Flash that is older than 10.3.181.26 (or 10.3.181.24 for Android), then is is absolutely critical that you update your Flash Player.

You can check your Flash version by clicking here.

Background on Recent Flash Exploit Activity

In the last three months Adobe Flash has taken quite a beating. Adobe has issued multiple security advisories and product security bulletins that include updates/patches for weaponized exploits that exist in the wild for CVE-2011-0609, CVE-2011-0611, CVE-2011-0627, CVE-2011-2107, and most recently CVE-2011-2110. In particular CVE-2011-0609 and CVE-2011-0611 were also exploited very widely by what could be called APT actors. The 0609 and 0611 exploits showed up in Microsoft Word, Microsoft Excel, Adobe Acrobat [Reader], and on the web. These were used and are still being used very heavily in spear phishing attacks involving malicious attachments. However, the most recent activity involving CVE-2011-2110, has thus far only been observed being exploit through a web browser. The attackers have quite clearly modified their attack profiles to match the available exploit. This is not new at all, however, the explosion of this exploit into the web and from so many sources is a bit uncommon.

Shadowserver first learned of this most recent exploit last Thursday (June 9), when we received reports of both spear phishing and drive-by activity. Working with various partners, we have not yet been able to find a single instance of this exploit earlier than June 9th. At the time the issue had no CVE assigned and appears to have been rapidly patched by Adobe. Unless there were much earlier reports of this issue being exploit in the wild prior to last Thursday, this would be one of the fastest turn around (5 days) for a patch to Flash from the vendor that we have ever seen. That is the good news.

The Exploit

From a simple point of view, what you need to know about the exploit is that it's pretty nasty in that it will happen seamlessly in the background and not crash your browser. If you are visiting a compromised website that is exploit this vulnerability, you aren't likely to notice a thing. Of course if you are running NoScript or other similar plugins, you may notice attempts to load flash files or requests from third party websites, but that aside you won't see anything going on.

Exploit analysis is not my area of expertise, so I asked a friend of Shadowserver to help better explain what's going on. He tells us that this exploit takes advantage of a vulnerability in the ActionScript Virtual Machine. It then uses heap information leakage in order to avoid spraying the heap and crashing the process. The exploit is also able to bypass Window's data execution prevention (DEP).

The malicious code works by loading a flash file that has as parameter fed to it in the URI via a parameter called "info" that contains an encoded path to the trojan file to be downloaded. The value feed into the "info" parameter is a hexadecimal strings that in reality is text that has been zlib compressed and had an XOR applied to it. If the exploit is successful the text will be XOR'd and zlib decompressed to reveal a filename or full URL, this will be downloaded, and it will then be executed. Note that in the wild thus far the files to be downloaded have also all been observed to have been zlib compressed with XORs applied to them as well. As a result, these files will not flag or match any standard executable download signatures.

Exploit Sites in the Wild

We are aware of several sites in the wild that are either compromised and pointing to exploits or are actually housing the exploits themselves. In some cases a single site may be both compromised and housing the malicious download. Right now we only have a limited set of exploit sites we can share due to various restrictions, however, with thanks to the assistance of Mike from Zscaler we were able to pull in open source identification of several exploit sites in the wild along with refer information. This was able to greatly supplement the public list we could share already. Additionally, thanks to our friend Lotta from the US-Taiwan Business Council that has provided information and runs a public blog on attacks they see.

If you work at an organization with proxy or URL logs and can comb through them for matches against the string ".swf?info=" and share them with us, that would be greatly appreciated. Exploit sites with any referrers would be useful and if you allow it we would be glad to update the list of known exploit sites with what you provide. We also have a Snort signature below that can be run to identify these exploit sites.

Below is a recent list of known exploit sites that should be considered for monitoring, sinkholing, or blocking. Be advised that some of these are legitimate websites that have been compromised and that blocking them may impact business. We cannot attest to whether or not they have been fully cleaned up from their compromise.

Note: Do not visit these URLs as they are malicious and should be considered dangerous.

Domain & IP: news.ji0ns.com [74.63.110.42]
Malcious SWF: hxxp://news.ji0ns.com/c/ad1378.swf?info=02E6B1525353CAA8ADB5315755ACB1B04EB251AC31B4B5AFB531563157A835364B4E4CCDAA31B0577A7A7CAE776E
Malware URL: hxxp://news.ji0ns.com/naver/ad1378.bmp
Malware MD5: 11a1aa851d116fa5b9e420dfbb863626

Domain & IP: www.dmzcamp.com [61.109.247.112]
Malcious SWF: hxxp://www.dmzcamp.com/home/swf1/js/main.swf?info=02E6B1525353CAA8AD555555AD31B3D73034B657AA31B4B5AFB5B2B537AF55543549AEB550AC55303736B337AF51D3527B7AF4C66B7E
Malware URL: hxxp://www.dmzcamp.com/home/swf1/js/readme.txt
Malware MD5: 7e16515e00bf9e993637b2691e95e759

Domain & IP: www.ckps.com [207.71.5.57]
Malcious SWF: hxxp://www.ckps.com/page/main.swf?info=02E6B1525353CAA8AD555555AD31B45452AC31B4B5AF55323635AF5554AA51D3527B7ACFCD710C
Malware URL: hxxp://www.ckps.com/page/sp.txt
Malware MD5: 3ce1eade8e9dc9c6312828344efb11d0

Domain & IP: giantsoft.co.kr [222.122.84.48]
Malcious SWF: hxxp://giantsoft.co.kr/html/tmp/main.swf?info=02E6B1525353CAA8AD35B536B65153B43551AB31B4ADB154A8B552B3B7AB55B357AA35B1B6533357A851D3527B7A358175A0
Malware URL: hxxp://giantsoft.co.kr/html/tmp/filter.txt
Malware MD5: b11d876b6f67c902eb1c9ef332aefaf1

Domain & IP: 208.98.62.2
Malcious SWF: hxxp://208.98.62.2/main.swf?info=02E6B1525353CAA8AD4D48CAAAC9CEAA4949A849A835AC51D3527B7A29F37CD2
Malware URL: hxxp://208.98.62.2/c.txt
Malware MD5: N/A - link dead

Domain & IP: 208.98.62.29
Malcious SWF: hxxp://208.98.62.29/main.swf?info=02E6B1525353CAA8AD4D48CAAAC9CEAA4949A849C8AE35AC51D3527B7A23DA7C9B
Malware URL: hxxp://208.98.62.29/c.txt
Malware MD5: 5fccc053684f5cd06ba448b76e192509

Domain & IP: 70.39.121.8
Malcious SWF: hxxp://70.39.121.8/main.swf?info=02E6B1525353CAA8AD4D4DAA49CCAE494E48AEC9AA75AB51D3527B7A289F7CE9
Malware URL: hxxp://70.39.121.8/T.txt
Malware MD5: N/A - link dead

Domain & IP: www.vietnampig.com [203.169.204.149]
Malcious SWF: hxxp://www.vietnampig.com/demo/d/Y8SGNaxdmmncIZQC.swf?info=02e6898f3475b7310f548a76f4720f890d33ad51d3527b7a3dfd7c88
Malware URL: hxxp://www.vietnampig.com/demo/d/MKgUneCpISXUFODg.txt
Malware MD5: c9c58cab8441c07816727a7d9bb77cda

Domain & IP: www.ihear.co.kr [114.108.178.58]
Malcious SWF: hxxp://www.ihear.co.kr/data/log/main.swf?info=02E6B1525353CAA8AD555555ADB1B6323756A831B4ADB154A835335633AEB5B335AD4D4E48A831D7327F7A6F887714
Malware URL: hxxp://www.ihear.co.kr/data/log/122.exe
Malware MD5: N/A - link dead

Domain & IP: teamtrk.us [66.35.111.190]
Malcious SWF: hxxp://teamtrk.us/photos/cache/main.swf?info=02E6B1525353CAA8AD553337B65753B0AC5157AC55B2B255B355AC353436B432AF55B352B737A851D3527B7A49977549
Malware URL: hxxp://teamtrk.us/photos/cache/thumb.txt
Malware MD5: b2b50642d15396d473ae54f8e59f8474

Domain & IP: iir.nccu.edu.tw [140.119.170.31]
Malcious SWF: hxxp://iir.nccu.edu.tw/cscap/ENG/script/groupdown/main.swf?info=02E6B1525353CAA8ADB5B656A8B1313454AF313753AF5153AD3554343456AA0D8F09AD553454B05652AB3555B0555732B355B5A955345748B4AC31D7327F7A04C76FE0
Malware URL: hxxp://iir.nccu.edu.tw/cscap/ENG/script/groupdown/ser3k.exe
Malware MD5: cf5751f1457c11dbef31e91803c15187

Domain & IP: www.ushcime.com [210.56.53.991]
Malcious SWF: hxxp://www.ushcime.com/swf/main.swf?info=02E6B1525353CAA8AD4D484EAA494FA9494FACC9CEAE555435A935B1B6533357A851D3527B7AD32E7007
Malware URL: hxxp://210.56.53.99/swf/filter.txt
Malware MD5: 6a61941b50ba975a9fb4652b8b746199

We may update this post in the near future to include the various compromised websites that are linking to these exploits.

Exploit Detection - Snort Signature

There may be a number of ways to detect this exploit, but right now an easy one (until something changes) is to look for requests to the malicious SWF files. We have a quick signature that will do this and we recommend deploying it and keeping an eye on it for sites to block. You will likely want to investigate an hits to make sure your systems were not compromised.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT: Possible CVE-2011-2110 Flash Exploit Attempt"; flow:established; content:"GET /"; depth:5; uricontent:".swf?info=02"; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617; sid:20110617;)

It is possible for this to false positive but based on various testing we have not seen this yet. Feel free to modify and improve as necessary or suggest changes. We hope to have this up at Emerging Threats soon. If you get any matches on this, please feel free to drop us a line. You can e-mail me directly if you have any exploit sites you'd like to share at steven [at] shadowserver [dot] org.

Conclusion

To make a long story short, if you or your organization runs Adobe Flash and you're not keeping up on these patches -- you are in bad shape. There has been an ongoing assault against Flash Player for several years now, but especially so in the last three months. These exploits have not even been limited to a single platform (e.g., Windows, Mac, Linux, and Android alike are affected). However, the vast majority (if not all) of the exploits in the wild thus far, have been against Windows-based systems. It is imperative that anyone running Flash on a Windows system to keep it up to date. You should keep everything up to date, but products like Flash and Java have often been sore spots for people and organizations to keep updated. If you at all care about your data and want to keep [foreign] intruders out, we would highly advise you take these security updates seriously and apply them immediately. Networks are being ransacked everywhere and these bad guys unfortunately already have a big head start. If you do come across exploit activity you can share, please do drop us a line.

=>Posted June 17, 2011, at 06:17 AM by Steven Adair