Who is Exploiting the Adobe Flash 0-day? – Part 2

The new Flash 0-day has opened multiple avenues for malware authors. In my last article I showed how this vulnerability is being exploited via the PDF reader's support for SWF files.  However, this vulnerability can just as easily be exploited in a standard drive-by fashion purely in Flash as well.  This is precisely what has started to happen.

Here is the snippet of the javascript which is actively targeting this 0-day vulnerability.


Continue reading »

Who is Exploiting the Adobe Flash 0-day?

It looks like Zero-day discoveries for the month of July are not quite over yet. I have already talked about two vulnerabilities inside MS products earlier this month:

July 7th 2009:   Who is Exploiting the Windows 0-day (MSVIDCTL.DLL) ?
July 14th 2009: Who is Exploiting the Office Web Components 0-day?

Then came the 3rd one inside Mozilla FireFox 3.5, almost at the exact same time.  Sadly enough, this article is about another 0-day (fourth in a row) which has recently been discovered in the Adobe Flash player.  As of today, this vulnerability is unpatched and is currently being exploited in the wild. To make it even worse, this vulnerability may also be exploited via 'Adobe PDF Reader' by misusing its support for the SWF component.  According to Adobe, 'Adobe Reader' , 'Acrobat 9.1.2', and 'Adobe Flash Player 9 and 10' are vulnerable to this attack.

Who is trying to exploit this vulnerability?  To find this answer I ran one of the malicious pdf files (09a0f7aae0e22b5d80c7950890f3f738) inside my sandnet, running the Adobe Reader 9.1. As expected, in a few seconds I observed Adobe Reader crash after creating and executing a new file, SUCHOST.EXE (96cb88dfc54f765c30d44ba60117fa72).

Continue reading »

Heap Spraying with Actionscript

Why turning off Javascript won’t help this time


As you may have heard, there’s a new Adobe PDF-or-Flash-or-something 0-day in the
wild. So this is a quick note about how it’s implemented, but this
blog post is not going to cover any details about the exploit itself

Background Summary

Most of the Acrobat exploits over the last several months use the, now
common, heap spraying
, implemented in
Javascript/ECMAscript, a
Turing complete
language that Adobe thought would
go well with static documents. (Cause that went so well
for Postscript)
(Ironically, PDF has now come full circle back
to having the features of Postscript that it was
trying to get away from
The exploit could be made far far less reliable, by
disabling Javascript in
your Adobe Acrobat Reader

But apparently there’s no easy way to disable Flash through the UI.
US-CERT recommends renaming the
%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll and
%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll
files. [Edit: Actually the source for this advice is the Adobe Product Security Incident Response Team (PSIRT).]

Anyway, here’s why… Flash has it’s own version of ECMAScript called
Actionscript, and whoever wrote this new 0-day, finally did something new by
implementing the heap-spray routine with Actionscript inside of Flash.

Continue reading »

Bad Actors Part 7 – 3fn (Or: Cutwail – How to do it right)

“Wait … *beep beep* back up for a
second, Alex.  I heard 3fn was brought down
by the FTC!” 

That would be correct!  On June 4th the FTC served a
takedown notice that essentially dropped 3fn (aka “Triple Fiber Network”, Pricewert,
APX Telecom, APS Communications) off the Internet.  I was approached by law enforcement looking
for evidence of malicious activities, and luckily, I was in the midst of
writing up an article for my Bad Actors blog series.  I decided to wait until a little time had
passed before publishing details as not to tip off 3fn and possibly ruin an
investigation.  (Note that the investigatory
group that approached me was at the federal level, but was not the FTC)

Below you’ll find my analysis of their
IP blocks and a large amount of data about the Bad Actors whom they supported.  Most of the links below are completely Not
Safe For Work, possibly malicious, and frankly, many of them are disgusting in name as well as content.  It’s not advised that you actually visit any of them.  I also have more content that I didn't post, and if you're interested in it, feel free to drop me a line.

Continue reading »

Who is Exploiting the Office Web Components 0-day?

Just a day before Patch Tuesday, when Microsoft is going to release couple of patches for DirectShow vulnerabilities including MSVIDCTRL 0-day , IE (Internet Explorer) users are hit by another surprise. A new 0-day vulnerability has been identified in MS office web component and is currently being exploited via the IE scripting interface. There is no patch available at the moment but MS has come up with a workaround.

One of the malicious URL which has been found to exploit this vulnerability is hxxp://www.fdsdffdfsf.cn/of.htm.

Continue reading »

DDOS Madness Continued…

The DDOS attacks which started around July 4th 2009 and paralyzed some important US and South Korean web sites have come to an end, but the madness behind these attacks is not quite finished yet.

The MYDOOM variant (msiexec1.exe: 0f394734c65d44915060b36a0b1a972d) which initially downloaded a DDOS component has recently been seen to download another component (wversion.exe: f5c6b935e47b6a8da4c5337f8dc84f76) whose sole purpose is to permanently damage the infected systems hard drives. This hard drive killer component acts like a time bomb which will start triggering from July 10th onwards. Sadly it means that today, on July 11th, all those infected pcs which were up and running yesterday are already damaged.

Continue reading »

Web2SMS Gateways, A Wide Open Target

The number of mobile payment users worldwide will total 73.4 million in 2009, up 70.4 percent from 2008 when there were 43.1 million users.

                                                                                                   Gartner, Inc.

Keeping in mind the above stats, it's pretty clear that these millions of mobile payment user's are an ideal target for mobile spam. Spam emails have already polluted the Internet experience for millions of PC users.  Here by mobile spam I don't mean the smaller number of cellular phones connected to the Internet using expensive GPRS or 3G networks receiving email messages (including spam) just like a normal PC via POP3, HTTP or IMAP etc. Instead I am talking about the millions of those cellular phones which are capable of receiving/sending simple text messages using Short Message Service communication (SMS). How can these spammers send spam to these millions of mobile users?

Continue reading »