
Symantec just revised their thinking, believing it may not be a zero-day threat.    

The DeepSight ThreatCon is currently at Level 2 in response to the discovery of in-the-wild exploitation of a vulnerability affecting Adobe Flash Player. The flaw occurs when processing a malicious SWF file.

Originally it was believed that this issue was unpatched and unknown, but further technical analysis has revealed that it is very similar to the previously reported Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability (BID 28695), discovered by Mark Dowd of IBM. However, we are working with Adobe to identify the precise details, because we have observed the malicious files affecting patched versions of Flash, suggesting that it may be a variant or may have been incorrectly patched.

We have begun to observe numerous attacks. The original attacks observed involve two Chinese sites known to be hosting exploits for this flaw: wuqing17173.cn and woai117.cn. The sites appear to be exploiting the same flaw, but are using different payloads. Further analysis into these attacks, specifically the woai117.cn attack, uncovered another domain involved: dota11.cn. We have discovered that this site is being actively injected into sites through what is likely SQL-injection vulnerabilities.

A Google search reports approximately 20,000 web pages (not necessarily distinct servers or domains) injected with a script redirecting users to this malicious site. Other reports are suggesting upwards of 250,000 affected pages. A new attack, involving the play0nlnie.com domain, was recently reported. This attack works slightly differently and appears to be more sophisticated. The attack uses multiple layers of SWF redirection and generates URLs designed to target specific Flash version and browser combinations, supporting both Internet Explorer and Firefox. Symantec currently detects the SWF files as Downloader.Swif.C and the malware associated with these attacks as Infostealer.Gamepass and Trojan, respectively. Network administrators are also advised to blacklist the offending domains to prevent clients from inadvertently being redirected to them.

The following actions are also advised:
Avoid browsing to untrustworthy sites.
Consider disabling or uninstalling Flash until patches are available.
Deploy script-blocking mechanisms, such as NoScript for Firefox, to explicitly prevent SWFs from loading on all but explicitly trusted sites.
Temporarily set the kill bit on CLSID d27cdb6e-ae6d-11cf-96b8-444553540000 until patch availability is confirmed.

This vulnerability is currently being tracked as: Adobe Flash Player SWF File Unspecified Remote Code Execution Vulnerability (http://www.securityfocus.com/bid/29386)

Alex Eckelberry
(Thanks, Matt)
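The advisory above describes injected scripts redirecting visitors to the listed domains and recommends blacklisting those domains. As an added example (not part of the original post or of Symantec's advisory), the following Python scanner checks an HTML page for script, iframe, embed and object/param references whose host is one of the domains named in the advisory, and runs a coarse second pass for inline mentions (e.g. inside document.write). The sample page is constructed for illustration; the domain list is taken from the advisory and can be extended.

```python
"""Flag references to the domains named in the advisory inside an HTML page.

Added example, not from the original post. The blocklist holds the domains
listed in the advisory; SAMPLE_HTML is constructed to exercise the scanner.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named in the advisory (extend as new domains are reported).
BLOCKLIST = frozenset({
    "wuqing17173.cn", "woai117.cn", "dota11.cn", "play0nlnie.com",
})

# Attributes that cause the browser to fetch remote content.
SRC_ATTRS = {"src", "data"}

# Matches a blocklisted domain, or a subdomain of one ("www.dota11.cn" matches
# because the preceding character is a dot, "notdota11.cn" does not).
DOMAIN_RE = re.compile(
    r"(?<![\w-])(?:" + "|".join(re.escape(d) for d in sorted(BLOCKLIST)) + r")(?![\w-])",
    re.IGNORECASE,
)


def host_of(url):
    """Return the lowercase host of an absolute (or scheme-relative) URL, else None."""
    if url is None:
        return None
    url = url.strip()
    if url.startswith("//"):          # scheme-relative URL inherits the page scheme
        url = "http:" + url
    if "://" not in url:              # relative path: same origin, nothing to check
        return None
    host = urlsplit(url).hostname
    return host.lower() if host else None


def is_blocked(host, blocklist=BLOCKLIST):
    """True if host equals a blocklisted domain or is a subdomain of one."""
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in blocklist)


class InjectParser(HTMLParser):
    """Collect (tag, url, host) for every remote reference to a blocklisted host."""

    def __init__(self, blocklist=BLOCKLIST):
        super().__init__()
        self.blocklist = blocklist
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "param":
            # <param name="movie" value="...swf"> inside <object> loads the SWF.
            d = dict(attrs)
            if (d.get("name") or "").lower() in ("movie", "src"):
                self._check(tag, d.get("value"))
            return
        for name, value in attrs:
            if name in SRC_ATTRS:
                self._check(tag, value)

    def _check(self, tag, url):
        host = host_of(url)
        if is_blocked(host, self.blocklist):
            self.hits.append((tag, url, host))


def scan_html(text, blocklist=BLOCKLIST):
    """Return a list of (tag, url, host) for each blocklisted remote reference."""
    parser = InjectParser(blocklist)
    parser.feed(text)
    parser.close()
    return parser.hits


def mentioned_domains(text):
    """Coarse pass: every blocklisted domain appearing anywhere in the text.

    Catches inline injections such as document.write('<iframe src=...>') that
    the tag parser treats as script data rather than markup.
    """
    return sorted({m.group(0).lower() for m in DOMAIN_RE.finditer(text)})


# Constructed sample page: one legitimate script plus several injected loaders.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<script src="http://www.example.com/site.js"></script>
<script src="http://www.dota11.cn/m.js"></script>
<iframe src="http://play0nlnie.com/x.htm" width=0 height=0></iframe>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000">
  <param name="movie" value="http://cdn.woai117.cn/i.swf">
  <embed src="http://cdn.woai117.cn/i.swf"></embed>
</object>
<script>document.write('<iframe src="http://wuqing17173.cn/a.htm">')</script>
</body></html>"""


if __name__ == "__main__":
    for tag, url, host in scan_html(SAMPLE_HTML):
        print(f"BLOCKED {tag:<7} {host:<20} {url}")
    print("domains mentioned anywhere:", ", ".join(mentioned_domains(SAMPLE_HTML)))
```

The tag-level pass is precise about what the browser would actually fetch, while the text pass is deliberately broad so that obfuscated or inline injections still surface; the two together are what an administrator would run over crawled copies of their own pages before deciding which ones need the injected script removed.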