The recent Adobe Flash 0 Day (CVE-2011-2110) is a classic case of an old malware that has used new 0 days as a vector to spread itself. How and why I will explain shortly, first a little detail about the exploit itself. The exploit is targeting a vulnerability in the Action Script Virtual machine according to our good friends at Shadowserver. The swf file takes an info parameter and a successful exploitation leads to the download of a zlib compressed and xor encoded binary. The two GET requests in succession would look like this
The two GET requests from the image above that we are most interested in are
The log.txt file itself is xor'ed and zlib compressed. Upon decoding and decompressing we ended up with a malware with an Md5 sum of 818f1574e5e8a1a728888cb76931e865. VT reports indicate that this particular sample is being detected by 19/42 AV's.
Now about the malware itself. This malware is an old malware that has used new 0 days to spread in the past. In Novemeber 2010 Atif wrote a blog about how there was a malware called Backdoor.Pirpi using CVE-2010-3962 to spread. You can find that blog article here and there is a detailed analysis about Backdoor.Pirpi itself. If we look at the network communication of this new malware that is using CVE-2011-2110 you can see that it generates network communication very similar to the malware that was mentioned in the previous article.
Looks like Pirpi is here to stay and it would be interesting to see if this malware uses any other 0 days in the future to propagte itself. If it does then it would certainly indicate that the gang that is behind finding these 0 days vulnerabilities is also responsible for distributing this malware.
As an end note we have identified a few more domains (not mentioned in the shadow server article) serving this malware and would agree with MSFT's claim that the majority of the targets are in Korea.
Here are a list of newly identified domains.