Adobe Flash 0-day exploit (July 22, 2009)

The SonicWALL UTM Research team found reports of a new 0-day vulnerability (CVE-2009-1862) in Adobe Flash Player v9 and v10 being exploited in the wild via malicious drive-by sites.

The exploit is being actively served in the wild via the following URL, which is found injected into pages of infected websites:

  • sorla.us/(REMOVED)x/mail.asp

The above page will only load with a valid Referer field containing the URL of one of the infected pages. The Active Server Page contains script that identifies the user's browser environment and, based on that, loads one of the following pages:

  • If the browser is not Internet Explorer, iframe URL: sorla.us/(REMOVED)x/ff.html
  • If the browser is Internet Explorer and has the Flash ActiveX control installed, iframe URL: sorla.us/(REMOVED)x/ie.html
  • If the browser is Internet Explorer and the script cannot create a valid Flash ActiveX object, iframe URL: sorla.us/(REMOVED)x/mpg.html

The code snippet can be seen below:

[Screenshot: browser-detection code snippet]

In the first two cases, ff.html and ie.html contain JavaScript to download and run a malicious Shockwave Flash file that exploits the 0-day vulnerability in Adobe Flash Player:

  • sorla.us/(REMOVED)x/xp.swf [Detected as GAV: Pidief_2 (Exploit)]

It also downloads an XOR-encoded backdoor Trojan executable from the following URL:

  • sorla.us/(REMOVED)x/xor.gif [Detected as GAV: Agent.ROX (Trojan)]

A screenshot of the 0-day exploit in action, causing the Flash Player object and the browser to crash, can be seen below:

[Screenshot: Flash Player object and browser crash]

In the third case, the mpg.html page contains JavaScript that further checks for the presence of specific host AntiVirus software from Kaspersky and McAfee. If the AntiVirus software is not present, it tries to exploit the Microsoft DirectShow Msvidctl vulnerability.

The code snippet for AntiVirus presence detection can be seen below:

[Screenshot: AntiVirus presence detection code snippet]
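The infection chain described above (referrer-gated mail.asp, one of three browser-specific second-stage pages, then xp.swf and xor.gif) has a shape that a defender can correlate in web proxy logs. The following is an added detection example, not code from the original post or from SonicWALL; the log format, the client IPs, the referring site names and the directory placeholder "PLACEHOLDERx" (standing in for the redacted path) are all constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the original post). Fields:
# timestamp client_ip method url referer  ("-" when no Referer header was sent).
# "PLACEHOLDERx" stands in for the directory redacted in the post.
SAMPLE_LOG = """\
2009-07-22T10:00:01 10.0.0.5 GET http://infected.example/index.html -
2009-07-22T10:00:02 10.0.0.5 GET http://sorla.us/PLACEHOLDERx/mail.asp http://infected.example/index.html
2009-07-22T10:00:03 10.0.0.5 GET http://sorla.us/PLACEHOLDERx/ie.html http://sorla.us/PLACEHOLDERx/mail.asp
2009-07-22T10:00:04 10.0.0.5 GET http://sorla.us/PLACEHOLDERx/xp.swf http://sorla.us/PLACEHOLDERx/ie.html
2009-07-22T10:00:05 10.0.0.5 GET http://sorla.us/PLACEHOLDERx/xor.gif http://sorla.us/PLACEHOLDERx/ie.html
2009-07-22T10:01:00 10.0.0.9 GET http://sorla.us/PLACEHOLDERx/mail.asp -
2009-07-22T10:02:00 10.0.0.7 GET http://other.example/ie.html -
"""

EXPLOIT_HOST = "sorla.us"
STAGE_ONE = "mail.asp"                          # referrer-gated landing page
STAGE_TWO = {"ff.html", "ie.html", "mpg.html"}  # selected by browser fingerprinting
PAYLOADS = {"xp.swf": "Flash 0-day (CVE-2009-1862)", "xor.gif": "XOR-encoded backdoor"}

def classify(url):
    """Return the file name of a known chain stage on the exploit host, else None."""
    parts = urlsplit(url)
    if parts.hostname != EXPLOIT_HOST:
        return None
    name = parts.path.rsplit("/", 1)[-1]
    if name == STAGE_ONE or name in STAGE_TWO or name in PAYLOADS:
        return name
    return None

def find_driveby_chains(log_text):
    """Group hits per client; return clients that walked the whole chain.
    Result: {client_ip: {"landing_referer": str, "stage2": set, "payloads": set}}."""
    per_client = defaultdict(lambda: {"landing_referer": None, "stage2": set(), "payloads": set()})
    for line in log_text.splitlines():
        _, ip, _, url, referer = line.split()
        stage = classify(url)
        if stage is None:
            continue
        rec = per_client[ip]
        if stage == STAGE_ONE and referer != "-":
            # mail.asp only serves the exploit when the Referer names an infected page
            rec["landing_referer"] = referer
        elif stage in STAGE_TWO:
            rec["stage2"].add(stage)
        elif stage in PAYLOADS:
            rec["payloads"].add(stage)
    return {ip: r for ip, r in per_client.items()
            if r["landing_referer"] and r["stage2"] and r["payloads"]}
```

The `landing_referer` value of each flagged client points at the compromised site that carried the injected URL, which is the page to clean up.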

SonicWALL Gateway AntiVirus provides protection against this threat via GAV: Pidief (Exploit), GAV: Pidief_2 (Exploit), GAV: Pidief_3 (Exploit) and GAV: Agent.ROX (Trojan) signatures.
