Blog for hpHosts, and whatever else I feel like writing about ....

Friday, 24 July 2009

Part 2: Who is exploiting the Adobe Flash 0day

Part 2: Who is exploiting the Adobe Flash 0day

The new Flash 0-day has opened multiple avenues for malware authors. In my last article I showed how this vulnerability is being exploited via the PDF reader's support for SWF files. However, this vulnerability can just as easily be exploited in a standard drive-by fashion purely in Flash as well. This is precisely what has started to happen.

Here is the snippet of the javascript which is actively targeting this 0-day vulnerability.

This exploit successfully worked on my VM under Firefox 3.5.1 and Flash player 10. It worked smoothly and just before FireFox crashed, I saw an outbound communication like this:

GET /images/x/xor.gif HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: sorla.us
Connection: Keep-Alive


Read more
http://blog.fireeye.com/research/2009/07/who-is-exploiting-the-adobe-flash-0day-part-2.html

No comments: