Adobe Exploit Running Wild

2014-08-15 09:18

ThreatTrack Security Labs has spotted a new exploit in the wild that targets a known Adobe vulnerability.

The vulnerability, CVE-2014-0502, gives an attacker arbitrary code execution on Windows, Mac, Linux and Android systems, and it is still being used to infect machines nearly a month after it was identified and posted to the National Institute of Standards and Technology (NIST) National Vulnerability Database.

NIST describes the vulnerability as:

“Double free vulnerability in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 on Android, Adobe AIR SDK before 4.0.0.1628, and Adobe AIR SDK & Compiler before 4.0.0.1628 allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in February 2014.”

Our team was alerted to the threat today, when VIPRE heuristics detected the file cc.swf delivered via the malicious link hxxp://java-sky.com/swf/cc.swf. At the time of this posting, only 3 / 51 antivirus vendors on VirusTotal detect the exploit.

Upon execution, the exploit retrieves a payload from hxxp://java-sky.com/d.exe, which we submitted to ThreatAnalyzer for dynamic malware analysis. The sandbox run revealed sleep calls, code injection, registry changes and the following malicious activity:

Only 7 / 51 antivirus vendors on VirusTotal detect the malicious payload at the time of this post.

Defend Yourself

Keep your machines patched. Adobe patches for this vulnerability have been available since Feb. 20, 2014. If you’re looking for automated patching, learn more about VIPRE Business Premium, the small-footprint antivirus with integrated patch management.
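As an added example (not ThreatTrack's code), the Python below turns the affected-version ranges from the NVD description quoted above into a check a defender can run over an asset inventory to find Flash Player and AIR builds that still need the patch. The platform keys and the inventory lines are this example's own assumptions; the version boundaries are the ones the NVD text states.

```python
# Added example (not ThreatTrack's code): decide whether an installed Flash
# Player or AIR build falls inside the CVE-2014-0502 affected ranges quoted
# from the NVD description on this page. Version boundaries come from that
# text; the platform keys are this example's own naming.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn '11.7.700.269' into a comparable 4-tuple, padding short strings."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


# Vulnerable ranges as (lower bound inclusive or None, upper bound exclusive),
# transcribed from the NVD text:
#   Windows / Mac OS X: before 11.7.700.269, and 11.8.x through 12.0.x before 12.0.0.70
#   Linux:              before 11.2.202.341
#   Android (AIR):      before 4.0.0.1628
VULNERABLE_RANGES: Dict[str, List[Tuple[Optional[str], str]]] = {
    "windows": [(None, "11.7.700.269"), ("11.8.0.0", "12.0.0.70")],
    "macos": [(None, "11.7.700.269"), ("11.8.0.0", "12.0.0.70")],
    "linux": [(None, "11.2.202.341")],
    "android_air": [(None, "4.0.0.1628")],
}


def is_vulnerable(platform: str, installed: str) -> bool:
    """True if `installed` on `platform` is a build the NVD entry lists as affected."""
    if platform not in VULNERABLE_RANGES:
        raise ValueError(f"unknown platform: {platform!r}")
    v = parse_version(installed)
    for low, high in VULNERABLE_RANGES[platform]:
        above_low = low is None or parse_version(low) <= v
        if above_low and v < parse_version(high):
            return True
    return False


if __name__ == "__main__":
    # Constructed inventory lines (platform,version) as an asset tool might export.
    inventory = ["windows,12.0.0.44", "windows,11.7.700.269", "linux,11.2.202.332"]
    for line in inventory:
        plat, ver = line.split(",")
        status = "VULNERABLE" if is_vulnerable(plat, ver) else "fixed"
        print(f"{plat:12} {ver:14} {status}")
```

Note that 11.7.700.269 on Windows reports as fixed even though it is lower than 12.0.0.70: the 11.7 branch was an extended-support release with its own fix, which is why the NVD text gives two separate ranges for Windows and Mac.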

The post Adobe Exploit Running Wild appeared first on ThreatTrack Security Labs Blog.
