CVE-2012-1535: Adobe Flash being exploited in the wild

August 15, 2012 | Jaime Blasco
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

Yesterday Adobe issued a security update to address CVE-2012-1535 that was being exploited in the wild.

The sample that we analyzed is a Microsoft Office Word document with an embedded malicious Flash file.

The name of the malicious doc file is iPhone 5 Battery.doc, md5: 7e3770351aed43fd6c5cab8e06dc0300

The doc file contains an uncompressed flash file at offset 13832. The file contains the code to do the heap spraying.

The shellcode uses a XOR loader to decrypt and execute the embedded payload encrypted using a 256-byte XOR key within the DOC file.

We can easily extract the payload using our findexec.py script.

$python findexec.py  “iPhone 5 Battery.doc” OFFICE

Analyzing Office file

One Byte distributionAverage 1166

Detected possible cyphered data on position 67584 of length 135168

Best Val num ocurrences 256

Guessed key length 256

Calculating calculateOccurencesBySize

Done

GetVolumeInformationA?GetWindowsDirectoryA?GetSystemDirectoryA.CloseHandleiGetLastErrorHLoadLibraryA?Process32Next?Process32FirstlCreateToolhelp32Snapshot?ExitProcess?GetVersi

Key found c4c5c6c7d8d9dadbdcdddedfd0d1d2d3d4d5d6d728292a2b2c2d2e2f202122232425262738393a3b3c3d3e3f3031

32333435363708090a0b0c0d0e0f000102030405060718191a1b1c1d1e1f101112131415161768696a6b6c6d6e6f6

06162636465666778797a7b7c7d7e7f707172737475767748494a4b4c4d4e4f404142434445464758595a5b5c5d5e

5f5051525354555657a8a9aaabacadaeafa0a1a2a3a4a5a6a7b8b9babbbcbdbebfb0b1b2b3b4b5b6b788898a8b8c8d

8e8f808182838485868798999a9b9c9d9e9f9091929394959697e8e9eaebecedeeefe0e1e2e3e4e5e6e7f8f9fafbfcf

dfefff0f1f2f3f4f5f6f7c8c9cacbcccdcecfc0c1c2c3

Found

Found executable at offset 3264

File saved on 1345068027.exe

Found executable at offset 27936

File saved on 1345068028.exe

Once the document is open and the vulnerability is exploited, the shellcode opens a benign doc file with the following content:

Once the payload is executed, the following dll is dropped on the system:

C:\Documents and Settings\Administrator\Application Data\taskman.dll

md5: fe7e03f7f62f2d65c5b8e233300a373c

And executed using rundll32:

rundll32.exe C:\Documents and Settings\Administrator\Application Data\taskman.dll start

This backdoor is know as c0d0so0 and also Backdoor.Briba and it has been seen in other targeted attacks exploiting  CVE-2012-0779 among others during the past few months.

The backdoor contacts the remote sever publicnews.mooo.com using a HTTP POST request:

It also tries to download the following file:

publicnews.mooo.com points to:

unassigned.psychz.net (108.171.240.86)

108.171.240.0 - 108.171.255.255

Psychz Networks PSYCHZ-NETWORKS (NET-108-171-240-0-1) 108.171.240.0 - 108.171.255.255

The server is not responding anymore but based on the VirusTotal report it seems the logo.gif is a zip file that contains an executable that is dropped on the system:

C:\Documents and Settings\<USER>\Application Data\TASKMAN_16vtn.exe

The executable drops another DLL that is called using rundll32:

C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe” /c rundll32.exe “C:\Documents and Settings\All Users\Application Data\XpsFilter.dll” (successful)

That process performs HTTP POST requests to the following url:

hxxp://publicupdate[.]mooo[.]com / index000000001.asp

That resolves to:

n122z183l230.bb122100.ctm.net (122.100.183.230)

122.100.128.0 - 122.100.255.255

CTM

Anita Che

CTM

P.O.Box 868

+853 891-3880

+853 891-3111

[email protected]

Rua de Lagos, Telecentro

P.O. Box 868

Taipa

Macau

The use of Dynamic DNS providers like DynDNS.org , 3322.net.. is very common in this kind of threats. You should be monitoring the requests to dynamic dns providers in your network, you can use the following snort rule to detect hosts contacting mooo.com subdomains:

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:“ET INFO DYNAMIC_DNS Query to mooo.com Domain *.mooo.com”; content:”|01 00 00 01 00 00 00 00 00 00|”; depth:10; offset:2; content:”|04|mooo|03|com|00|”; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:1111111113; rev:6;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:“INFO DYNAMIC_DNS HTTP Request to a *.mooo.com Domain”; flow:established,to_server; content:”.mooo.com|0D 0A|”; http_header; classtype:bad-unknown; sid:1111111112; rev:3;)

The following rule is also useful to detect the presence of Backdoor.Briba:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:“TROJAN Backdoor.Briba Checkin”; flow:to_server,established; content:“POST”; nocase; http_method; content:“loginmid=”; http_client_body; content:“nickid=”; http_client_body; classtype:trojan-activity; sid:1111111114; rev:1;)

And of course, remember to patch your systems!

Update:

We have found another sample of  Backdoor.Briba related with the same campaign. This sample connects to the C&C publicdocs.mooo.com. In this case the server is running. The sample downloads the file hxxp://publicdocs[.]mooo[.]com / docs / help.gif

The file contains a GIF header followed by a password protected zip file. It is easy to extract the password from the original sample (password123).

It drops and executes XpsFilter.dll that we previously mentioned. This file has a low Antivirus detection rate:

https://www.virustotal.com/file/4a03c174c247a86501889baca416811fd794fa4cef501121ba0be8bc78964d4d/analysis/

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
Read more posts from Jaime Blasco ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL