A new zero-day vulnerability (CVE-2014-0502) in Adobe Flash Player is being exploited in the wild. A double free vulnerability exists in Adobe Flash Player that can be used to execute arbitrary code. The flaw allows attackers to take complete control of the system remotely.
Affected versions of Adobe Flash Player are before 11.7.700.269 and 11.8.x through 12.0.x before 22.214.171.124 on Windows and Mac systems and before 126.96.36.1991 on Linux systems.
Anatomy of the attack :
First attackers exploit server side vulnerabilities and add malicious hidden iframe in legitimate website. Then attackers convince users to visit compromised websites. Once the victim visits the site, it gets redirected to another website. In our case to giftserv.hopto.org.
Once user visits, a malicious index.php script loads, which internally checks if victim is running 32-bit or 64-bit system and which browser (IE, Mozilla, Chrome etc) is being used as shown below,
Depending on the result, it will load malicious x32/index.html for 32-bit and x64/index.html for 64-bit systems. Which inturn loads malicious Adobe Flash file cc.swf as shown in the below pictures.
For IE with CLSID “D27CDB6E-AE6D-11cf-96B8-444553540000”
Before loading index.html it loads js/jq.php and js/jp.php and tries to determine various application versions (Flash, Java etc) and presence of various security tools (Fiddler, Live HTTP Header) and various antivirus (Symantec, McAfee, Bitdefender, AVG, F-Secure, Kaspersky etc) to avoid detection.
Below picture shows flow of requests
The malicious Adobe Flash file cc.swf is Trojan containing zero-day exploit and only 10 antivirus applications out of 50 (as shown in below picture) were able to identify according to Virus Total, which is very low detection rate.
Sandbox analysis on malicious Adobe Flash can be found here.
Once cc.swf file succeeds exploiting zero-day, it downloads logo.gif image containing shell-code, which is a valid image file as we can see in below picture.
After looking into logo.gif, we found extra bytes at the end of the GIF image as shown in the below picture, which is a shell-code and it’s a nice idea to extract shell-code from a valid image which is likely to bypass most of the security applications.
Then the shell-code will download and executes the backdoor server.exe. server.exe contacts attacker at static.5ljob.net for further instructions.
According to Virus Total only 1 antivirus applications out of 50 were able to identify logo.gif embedded shell-code and 25 antivirus applications out of 50 were able to identify server.exe backdoor as shown in below pictures.
Sandbox analysis on server.exe backdoor can be found here.
Install applications/add-ons only from authors whom you trust and keep your browsers/applications up-to date to avoid this kind of attacks.
Saner helps you fix this issues by upgrading the Adobe Flash Player to a non-vulnerable version, through its easy to use interface.
Download Saner and keep your systems updated and secure.
– Veerendra GG