Last week, Adobe released an update (APSB11-18) for Adobe Flash Player, fixing a memory corruption vulnerability (CVE-2011-2110) that would allow attackers to take control of the targeted system. In the Advisory, Adobe mentioned reports of active exploitation. We have been tracking the use of this exploit through our signatures (originally as Exploit:SWF/ShellCode.A, and then later as Exploit:SWF/CVE-2011-2110.A) released to Microsoft Security Essentials and Forefront customers for a number of days now and saw significant increases in exploit activity over the weekend. An interesting facet of the use of this exploit is that most of the targets are in Korea. We saw a peak of activity on Sunday, with this exploit attempt being reported by 17,813 computers, 14,890 of them in Korea.

[Chart: CVE-2011-2110 exploit attempts per day, as reported to MMPC]
We've seen a focus on Korea in the early history of other 0-day exploits and attack techniques:

  • CVE-2010-3962, which we dubbed the Weekend Warrior for its weekend-based attacks focused on Korea
  • SWF/Jaswi.A, another exploit method using Flash
  • CVE-2010-3972, an Internet Explorer 0-day
  • CVE-2011-0611, another Flash 0-day, which hit Korea with over 5,000 attack attempts on the day after the update was released on April 15

Seeing Korea show up in these types of attacks is starting to become commonplace.

The attacks on CVE-2011-2110 have been using a fairly standard pattern. Most of them are some variation of this exploit delivered in a file called main.swf. Even the SHA-1 hashes are fairly consistent: a handful of distinct files account for the bulk of the attempts. Here are our top hits, which represent about 96% of all of the exploit attempts we've seen:

SHA1 of Attack Attempts:
77A5EA9473E48771FD1F2931D00575159A902AE0 - 24%
5D05BF2E9AB3905240DD6A3B0009CEFAEC134058 - 20%
33DB18D2E74792F2AD9F4CD817D772C9BC73C86C - 16%
EB08317AF86F44C3C3BE159E63321B2CDC9E9E6F - 12%
44E46CF75360090C9A78164880A7BF392E00CC89 - 8%
989646B68323DAAFF95966B7DF982E54F8EF203F - 6%
46E9CE2092EFD73B557C081A9C5DADFE1434E090 - 6%
EB1A594D178B8BCBC873087F784E715CE9BA6121 - 3%
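Because the delivery is so uniform (one file name, a handful of hashes), the list above doubles as a set of indicators a responder can sweep a web cache or a proxy spool for. The script below is an added example, not an MMPC tool or code from the post: it walks a directory, identifies SWF files by their header (FWS/CWS/ZWS signature, version, declared uncompressed length), hashes each file exactly as delivered, and flags any whose SHA-1 is in the list above. It also inflates zlib-compressed (CWS) bodies so the declared length can be cross-checked. The directory layout and the benign sample it builds for its self-check are constructed for the example; the hashes are the ones from the post. Note the caveat the post itself implies: these hashes cover the samples seen so far, so a recompressed or slightly altered main.swf will not match, and a clean sweep is not proof of absence.

```python
import hashlib
import os
import struct
import zlib

# SHA-1 hashes of the main.swf samples listed in the MMPC post, normalised to lowercase.
KNOWN_BAD_SHA1 = {h.lower() for h in (
    "77A5EA9473E48771FD1F2931D00575159A902AE0",
    "5D05BF2E9AB3905240DD6A3B0009CEFAEC134058",
    "33DB18D2E74792F2AD9F4CD817D772C9BC73C86C",
    "EB08317AF86F44C3C3BE159E63321B2CDC9E9E6F",
    "44E46CF75360090C9A78164880A7BF392E00CC89",
    "989646B68323DAAFF95966B7DF982E54F8EF203F",
    "46E9CE2092EFD73B557C081A9C5DADFE1434E090",
    "EB1A594D178B8BCBC873087F784E715CE9BA6121",
)}

# SWF magic: FWS = uncompressed, CWS = zlib-compressed body, ZWS = LZMA-compressed body.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def is_known_bad(sha1: str) -> bool:
    """Case-insensitive lookup against the hashes from the post."""
    return sha1.lower() in KNOWN_BAD_SHA1


def parse_swf_header(data: bytes):
    """Parse the 8-byte SWF header: 3-byte signature, 1-byte version,
    4-byte little-endian length of the whole *uncompressed* file.
    Returns None when the data does not start like a SWF file."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    version = data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]
    return {"signature": data[:3].decode("ascii"),
            "version": version,
            "declared_length": declared_len}


def swf_body(data: bytes, header: dict) -> bytes:
    """Return the body after the 8-byte header, inflating CWS files.
    LZMA (ZWS) is deliberately left out of this example."""
    if header["signature"] == "FWS":
        return data[8:]
    if header["signature"] == "CWS":
        return zlib.decompress(data[8:])
    raise ValueError("ZWS (LZMA) SWF not supported in this example")


def scan_bytes(name: str, data: bytes) -> dict:
    """Classify one file. The hash is taken over the file exactly as delivered,
    because that is what the hashes in the post describe."""
    header = parse_swf_header(data)
    digest = sha1_hex(data)
    result = {"name": name, "is_swf": header is not None, "sha1": digest,
              "known_bad": is_known_bad(digest), "header": header,
              "length_mismatch": False}
    if header is not None and header["signature"] != "ZWS":
        body = swf_body(data, header)
        # A declared length that disagrees with the real body is only an oddity,
        # but it is cheap to check on anything served under a name like main.swf.
        result["length_mismatch"] = (len(body) + 8) != header["declared_length"]
    return result


def scan_directory(root: str) -> list:
    """Walk a directory (e.g. a proxy cache dump; path is an assumption) and
    return scan results for every file that carries a SWF header."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                data = f.read()
            r = scan_bytes(path, data)
            if r["is_swf"]:
                findings.append(r)
    return findings


def build_constructed_sample():
    """Constructed, benign CWS file for a self-check (not a real exploit sample).
    The body bytes are placeholder SWF-style content, not a playable movie."""
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x18\x01\x00\x00\x00"
    header = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + zlib.compress(body), body


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for r in scan_directory(root):
        tag = "KNOWN-BAD" if r["known_bad"] else "swf"
        print(f"{tag:9} {r['sha1']} {r['header']['signature']} v{r['header']['version']} {r['name']}")
```

Run it against a directory of recovered cache files; anything printed as KNOWN-BAD matches one of the hashes above. Files with a SWF header that do not match still deserve a look if they were served as main.swf, since the post describes the hits as variations of one exploit rather than a single fixed file.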

In any case, stay safe, employ endpoint protection, and apply the update if you haven't already!

-Holly Stewart, MMPC