Flash 0Day Found in Drive-By

The recently announced Adobe Flash 0day exploit (CVE-2011-0611) has been found in the wild as a drive-by download. The exploit targets Adobe Flash Player version 10.2.153.1 and works quite reliably.

Here’s a portion of JavaScript code for an exploit shared with me by fellow security researcher Ben (thanks for the share!). You can see the NOP sled being set up in the “nb1” function. (There are several versions of this, and they are different in nature; one is an IE Behaviors exploit and another is the Flash one… still need to research.)

The bottom portion of the script is dedicated to the shellcode.

After dumping the shellcode, you can see the URL at the end which installs the malware.
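For triage, the dump-and-read step above can be scripted. The following is an added example, not code from the original post or from the exploit: it assumes the shellcode is carried as `%uXXXX` escapes inside an `unescape()` string (the post does not state the encoding), and the single-byte XOR scan goes beyond what the post describes. The sample string and URL are constructed placeholders.

```python
import re
import struct

# Constructed sample: NOP padding, two filler bytes, then a NUL-terminated
# placeholder URL. It contains no working shellcode.
SAMPLE_JS = '''
var sc = unescape("%u9090%u9090%ucccc" +
    "%u7468%u7074%u2f3a%u652f%u6178%u706d%u656c%u692e" +
    "%u766e%u6c61%u6469%u782f%u652e%u6578%u0000");
'''

_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
_URL = re.compile(rb"https?://[\x21-\x7e]{4,}")


def decode_percent_u(js_text):
    """Turn unescape()-style escapes into the bytes they occupy in memory."""
    out = bytearray()
    for m in _ESCAPE.finditer(js_text):
        if m.group(1):
            # %uXXXX is one UTF-16 code unit, stored little-endian.
            out += struct.pack("<H", int(m.group(1), 16))
        else:
            # %XX is a single byte.
            out.append(int(m.group(2), 16))
    return bytes(out)


def find_urls(blob):
    """Return (xor_key, url) pairs; key 0 means the URL was in plain text."""
    hits = []
    for key in range(256):
        candidate = bytes(b ^ key for b in blob) if key else blob
        for m in _URL.finditer(candidate):
            hits.append((key, m.group().decode("ascii")))
    return hits


if __name__ == "__main__":
    payload = decode_percent_u(SAMPLE_JS)
    for key, url in find_urls(payload):
        print(f"xor key 0x{key:02x}: {url}")
```

Any URL recovered this way is a candidate for blocklists and proxy-log searches; it should be handled as an indicator, not fetched from an analysis workstation.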

Another version of the exploit code can be found on a prominent Korean news site. A hidden iframe is embedded in their webpages. The JavaScript is significantly different from the one above but performs the same exploit.

A key part of this exploit code is held in a separate JavaScript file. The code sets up the NOP sled.

The resulting malware that gets installed on the unsuspecting victim’s PC looks to be some kind of game stealer and is detected by 18 of 42 anti-virus engines (42.9% coverage).

There were clues in the exploit code, tool marks if you will, that helped me find what I think is the exploit generator program. It’s in Chinese. After you enter your login credentials, you get this screen where you enter the URL of your malware.

I found yet another tool made by the same folks that appear to have made the Flash exploit tool. They share the same skin but this tool uses a different exploit to deliver malware.

I’ll try to get more information and post it here.

Posted on: 04/22/2011