Adobe Flash 0-day exploit
The SonicWALL UTM Research team found reports of a new 0-day vulnerability (CVE-2009-1862) in Adobe Flash Player v9 and v10 being exploited in the wild via malicious drive-by sites.
The exploit is being actively served in the wild via the following URL, which has been found injected into pages of infected websites:
The above page only loads when the request carries a valid Referer header containing the URL of one of the infected pages. The active server page contains script that fingerprints the user's browser environment and, based on the result, loads one of the following pages:
- If the browser is not Internet Explorer, iframe URL: sorla.us/(REMOVED)x/ff.html
- If the browser is Internet Explorer and has the Flash ActiveX control installed, iframe URL: sorla.us/(REMOVED)x/ie.html
- If the browser is Internet Explorer and the script cannot create a valid Flash ActiveX object, iframe URL: sorla.us/(REMOVED)x/mpg.html
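The referrer gate and the three-way browser split described above leave a recognisable footprint in proxy logs: one client fetches a page on the serving host with an external Referer, then one of ff.html / ie.html / mpg.html, then the .swf, then the .gif. The following detector is an added example written for this write-up; it is not SonicWALL's code. The log format, the client addresses and the "/REDACTED/" path segment are constructed placeholders (the real injected path is removed on the page), and treating "any non-matching request with an external Referer" as the landing stage is an assumption made for the example.

```python
"""Correlate proxy log lines into the drive-by chain described in the advisory.

Added example, not the advisory's own code.  Constructed log format:
    <client> GET <url> <referrer> <status>
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

LOG_RE = re.compile(r"^(?P<client>\S+) GET (?P<url>\S+) (?P<referrer>\S+) (?P<status>\d{3})$")

# Stages after the landing page, matched on the URL path (host names from the advisory).
STAGES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("profile", re.compile(r"/(ff|ie|mpg)\.html$")),   # browser-specific iframe target
    ("exploit_swf", re.compile(r"\.swf$")),            # malicious Flash object
    ("payload_gif", re.compile(r"\.gif$")),            # XOR-masked executable
]
CHAIN = ["landing", "profile", "exploit_swf", "payload_gif"]


def parse_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse the constructed log format; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def stage_of(url: str, referrer: str, suspect_host: str) -> Optional[str]:
    """Name the stage a request belongs to, or None if it is not part of the chain."""
    path = urlparse(url).path
    for name, pattern in STAGES:
        if pattern.search(path):
            return name
    # Assumption: the landing page is the request whose Referer points at an
    # infected third-party site (the advisory says it only answers with such a referrer).
    ref_host = urlparse(referrer).hostname
    if ref_host and ref_host != suspect_host:
        return "landing"
    return None


def detect_chain(lines: List[str], suspect_host: str = "sorla.us") -> Dict[str, List[str]]:
    """Return clients that walked the full chain on suspect_host, in order."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for ev in parse_log(lines):
        if urlparse(ev["url"]).hostname != suspect_host:
            continue
        stage = stage_of(ev["url"], ev["referrer"], suspect_host)
        if stage is None:
            continue
        stages = seen[ev["client"]]
        if stage not in stages:
            stages.append(stage)
    return {client: stages for client, stages in seen.items() if stages == CHAIN}


# Constructed sample log: 10.0.0.5 walks the whole chain, the others do not.
SAMPLE_LOG = [
    "10.0.0.5 GET http://sorla.us/REDACTED/index.asp http://infected-blog.example/post.html 200",
    "10.0.0.5 GET http://sorla.us/REDACTED/ie.html http://sorla.us/REDACTED/index.asp 200",
    "10.0.0.5 GET http://sorla.us/REDACTED/xp.swf http://sorla.us/REDACTED/ie.html 200",
    "10.0.0.5 GET http://sorla.us/REDACTED/xor.gif http://sorla.us/REDACTED/ie.html 200",
    "10.0.0.9 GET http://cdn.example/logo.gif http://shop.example/ 200",
    "10.0.0.7 GET http://sorla.us/REDACTED/ie.html - 200",
]

if __name__ == "__main__":
    for client, stages in detect_chain(SAMPLE_LOG).items():
        print(client, "->", " > ".join(stages))
```

The detector requires the stages in order and ignores a lone hit on one of the profile pages, so a crawler or an analyst fetching ie.html directly does not produce an alert; in a real deployment the suspect host would come from the blocklist that the injected URL feeds, and the `.gif` stage is worth confirming with a content check rather than by extension alone.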
The code snippet can be seen below:
- sorla.us/(REMOVED)x/xp.swf [Detected as GAV: Pidief_2 (Exploit)]
It also downloads an XOR-encoded backdoor Trojan executable from the following URL:
- sorla.us/(REMOVED)x/xor.gif [Detected as GAV: Agent.ROX (Trojan)]
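A file fetched as xor.gif that is really a masked executable is easy to unmask during triage: check whether it carries a genuine GIF header, and if not, try to recover a PE image from it. The checker below is an added example, not SonicWALL's code. It assumes the mask is a single-byte XOR key (the advisory only says the executable is XORed; a multi-byte key would need a longer search), and the sample input is a constructed minimal PE-style header, not the real payload.

```python
"""Triage a downloaded '.gif' that may be a single-byte-XOR-masked executable.

Added example, not the advisory's own code.  Assumption: one-byte XOR key.
"""
import struct
from typing import Dict, Optional

GIF_MAGICS = (b"GIF87a", b"GIF89a")
PE_SIG = b"PE\x00\x00"


def looks_like_gif(data: bytes) -> bool:
    """True if the buffer starts with a genuine GIF header."""
    return data[:6] in GIF_MAGICS


def is_pe_image(data: bytes) -> bool:
    """Check the DOS 'MZ' stub and the PE signature at the e_lfanew offset (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == PE_SIG


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR mask (its own inverse)."""
    return bytes(b ^ key for b in data)


def find_xor_key(data: bytes) -> Optional[int]:
    """Brute-force all 256 single-byte keys; return the one that yields a PE image."""
    for key in range(256):
        if is_pe_image(xor_bytes(data, key)):
            return key
    return None


def triage_image(data: bytes) -> Dict[str, Optional[object]]:
    """Classify a downloaded '.gif': real GIF, plain PE, XOR-masked PE, or unknown."""
    if looks_like_gif(data):
        return {"verdict": "gif", "key": None}
    if is_pe_image(data):
        return {"verdict": "pe", "key": None}
    key = find_xor_key(data)
    if key is not None:
        return {"verdict": "xor_pe", "key": key}
    return {"verdict": "unknown", "key": None}


def build_fake_pe() -> bytes:
    """Constructed minimal PE-like header used only as sample input."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> right after the DOS header
    return bytes(dos) + PE_SIG + b"\x00" * 24


SAMPLE_KEY = 0x5A                                     # constructed key for the demo
SAMPLE_MASKED = xor_bytes(build_fake_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    verdict = triage_image(SAMPLE_MASKED)
    print(verdict)                                    # {'verdict': 'xor_pe', 'key': 90}
    if verdict["verdict"] == "xor_pe":
        recovered = xor_bytes(SAMPLE_MASKED, verdict["key"])
        print("recovered PE header:", recovered[:2], is_pe_image(recovered))
```

Running it on a real capture is a matter of passing the saved response body to `triage_image`; the recovered bytes can then be hashed and handed to the usual sandbox or AV pipeline. The plain-PE check runs before the brute force so that an unmasked executable is not reported as "masked with key 0".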
A screenshot of the 0-day exploit in action, crashing the Flash Player object and the browser, can be seen below:
The code snippet for AntiVirus presence detection can be seen below:
SonicWALL Gateway AntiVirus provides protection against this threat via GAV: Pidief (Exploit), GAV: Pidief_2 (Exploit), GAV: Pidief_3 (Exploit) and GAV: Agent.ROX (Trojan) signatures.