
FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation


8 posts from July 2009

Who is Exploiting the Adobe Flash 0-day? - Part 2

The new Flash 0-day has opened multiple avenues for malware authors. In my last article I showed how this vulnerability is being exploited via the PDF reader's support for SWF files. However, this vulnerability can just as easily be exploited in a standard drive-by fashion, purely in Flash. This is precisely what has started to happen.

Here is the snippet of the JavaScript that is actively targeting this 0-day vulnerability.

[Image: Exploit]

Continue reading "Who is Exploiting the Adobe Flash 0-day? - Part 2" »

Who is Exploiting the Adobe Flash 0-day?

It looks like zero-day discoveries for the month of July are not quite over yet. I have already talked about two vulnerabilities inside MS products earlier this month:

July 7th 2009: Who is Exploiting the Windows 0-day (MSVIDCTL.DLL)?
July 14th 2009: Who is Exploiting the Office Web Components 0-day?

Then came the third one, inside Mozilla Firefox 3.5, at almost exactly the same time. Sadly enough, this article is about yet another 0-day (the fourth in a row), which has recently been discovered in the Adobe Flash player. As of today, this vulnerability is unpatched and is currently being exploited in the wild. To make it even worse, this vulnerability may also be exploited via Adobe PDF Reader by misusing its support for the SWF component. According to Adobe, Adobe Reader, Acrobat 9.1.2, and Adobe Flash Player 9 and 10 are vulnerable to this attack.

Who is trying to exploit this vulnerability? To find the answer I ran one of the malicious PDF files (09a0f7aae0e22b5d80c7950890f3f738) inside my sandnet, running Adobe Reader 9.1. As expected, within a few seconds I observed Adobe Reader crash after creating and executing a new file, SUCHOST.EXE (96cb88dfc54f765c30d44ba60117fa72).

Continue reading "Who is Exploiting the Adobe Flash 0-day?" »

Heap Spraying with Actionscript

Why turning off Javascript won't help this time

Introduction

As you may have heard, there's a new Adobe PDF-or-Flash-or-something 0-day in the wild. This is a quick note about how its heap spray is implemented; this blog post is not going to cover any details about the exploit itself.

Background Summary

Most of the Acrobat exploits over the last several months use the now-common heap spraying technique, implemented in JavaScript/ECMAScript, a Turing-complete language that Adobe thought would go well with static documents. (Cause that went so well for PostScript.) (Ironically, PDF has now come full circle back to having the features of PostScript that it was trying to get away from.) Those exploits could be made far less reliable by disabling JavaScript in Adobe Acrobat Reader.

But apparently there's no easy way to disable Flash through the UI. US-CERT recommends renaming the %ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll and %ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll files. [Edit: Actually the source for this advice is the Adobe Product Security Incident Response Team (PSIRT).]

Anyway, here's why that won't help this time: Flash has its own version of ECMAScript called ActionScript, and whoever wrote this new 0-day finally did something new by implementing the heap-spray routine in ActionScript inside of Flash.

Continue reading "Heap Spraying with Actionscript" »

Bad Actors Part 7 - 3fn (Or: Cutwail - How to do it right)

“Wait … *beep beep* back up for a second, Alex.  I heard 3fn was brought down by the FTC!” 

That would be correct! On June 4th the FTC served a takedown notice that essentially dropped 3fn (aka "Triple Fiber Network", Pricewert, APX Telecom, APS Communications) off the Internet. I was approached by law enforcement looking for evidence of malicious activities, and luckily, I was in the midst of writing up an article for my Bad Actors blog series. I decided to wait until a little time had passed before publishing details, so as not to tip off 3fn and possibly ruin an investigation. (Note that the investigatory group that approached me was at the federal level, but was not the FTC.)

Below you'll find my analysis of their IP blocks and a large amount of data about the Bad Actors whom they supported. Most of the links below are completely Not Safe For Work, possibly malicious, and frankly, many of them are disgusting in name as well as content. It's not advised that you actually visit any of them. I also have more content that I didn't post; if you're interested in it, feel free to drop me a line.

Continue reading "Bad Actors Part 7 - 3fn (Or: Cutwail - How to do it right)" »

Who is Exploiting the Office Web Components 0-day?

Just a day before Patch Tuesday, when Microsoft is going to release a couple of patches for DirectShow vulnerabilities including the MSVIDCTL 0-day, IE (Internet Explorer) users are hit by another surprise. A new 0-day vulnerability has been identified in the MS Office Web Components and is currently being exploited via the IE scripting interface. There is no patch available at the moment, but MS has come up with a workaround.

One of the malicious URLs that has been found to exploit this vulnerability is hxxp://www.fdsdffdfsf.cn/of.htm.

Continue reading "Who is Exploiting the Office Web Components 0-day?" »

DDOS Madness Continued...

The DDOS attacks that started around July 4th 2009 and paralyzed some important US and South Korean web sites have come to an end, but the madness behind these attacks is not quite finished yet.

The MYDOOM variant (msiexec1.exe: 0f394734c65d44915060b36a0b1a972d) which initially downloaded a DDOS component has recently been seen downloading another component (wversion.exe: f5c6b935e47b6a8da4c5337f8dc84f76) whose sole purpose is to permanently damage the infected systems' hard drives. This hard drive killer component acts like a time bomb that starts triggering from July 10th onwards. Sadly, it means that today, on July 11th, all those infected PCs that were up and running yesterday are already damaged.

Continue reading "DDOS Madness Continued..." »

Who is Exploiting the Windows 0-day (MSVIDCTL.DLL) ?

As most readers will already know, a new 0-day vulnerability in the MS Video ActiveX Control is currently being exploited in the wild. Lots of research material has already been published covering different aspects of this vulnerability and the attack vector. I have nothing more to add on this front. I would rather focus on explaining the details of the malware behind the scenes.

Continue reading "Who is Exploiting the Windows 0-day (MSVIDCTL.DLL) ?" »

Web2SMS Gateways, A Wide Open Target

The number of mobile payment users worldwide will total 73.4 million in 2009, up 70.4 percent from 2008 when there were 43.1 million users.

Source: Gartner, Inc.

Keeping the above statistics in mind, it's pretty clear that these millions of mobile payment users are an ideal target for mobile spam. Spam emails have already polluted the Internet experience for millions of PC users. By mobile spam I don't mean the smaller number of cellular phones connected to the Internet over expensive GPRS or 3G networks, which receive email messages (including spam) just like a normal PC via POP3, HTTP, IMAP, etc. Instead I am talking about the millions of cellular phones that are capable of sending and receiving simple text messages using the Short Message Service (SMS). How can spammers send spam to these millions of mobile users?

Continue reading "Web2SMS Gateways, A Wide Open Target" »