Blog

Old Wine in a New Bottle

The recent Adobe Flash 0 Day (CVE-2011-2110) is a classic case of an old malware that has used new 0 days as a vector to spread itself. How and why I will explain shortly, first a little detail about the exploit itself. The exploit is targeting a vulnerability in the Action Script Virtual machine according to our good friends at Shadowserver. The swf file takes an info parameter and a successful exploitation leads to the download of a zlib compressed and xor encoded binary. The two GET requests in succession would look like this

Get_request_cve_2011_2110

The two GET requests from the image above that we are most interested in are 

Swf_request

 

Log_txt

 

The log.txt file itself is xor'ed and zlib compressed. Upon decoding and decompressing we ended up with a malware with an Md5 sum of 818f1574e5e8a1a728888cb76931e865. VT reports indicate that this particular sample is being detected by 19/42 AV's.
Now about the malware itself. This malware is an old malware that has used new 0 days to spread in the past. In Novemeber 2010 Atif wrote a blog about how there was a malware called Backdoor.Pirpi using CVE-2010-3962 to spread. You can find that blog article here and there is a detailed analysis about Backdoor.Pirpi itself. If we look at the network communication of this new malware that is using CVE-2011-2110 you can see that it generates network communication very similar to the malware that was mentioned in the previous article.

Pirpi_1

Pirpi_2

Looks like Pirpi is here to stay and it would be interesting to see if this malware uses any other 0 days in the future to propagte itself. If it does then it would certainly indicate that the gang that is behind finding these 0 days vulnerabilities is also responsible for distributing this malware.

As an end note we have identified a few more domains (not mentioned in the shadow server article) serving this malware and would agree with MSFT's claim that the majority of the targets are in Korea.

Here are a list of newly identified domains.

hxxp://www.vietnampig.com/demo/d/3FvhoA5HeUuXTyon.html

hxxp://webimg.a3box.co.kr/images/comic/out.htm

hxxp://www.tcho.co.kr/android/include/out.htm

hxxp://www.demolish.com.hk/620/fl58Q2wup7ZWZMIB.html

hxxp://img1.theappl.com/2011/00/out.htm

hxxp://bada888.com/setup.html

hxxp://www.ihear.co.kr/data/file/fnew.html