[nsp-sec] (AS 4837) (Upstream AS 174, 701, 1239, 3257, 3320, 4134, 7018, 7473) Adobe Flash Vulnerability - Details Seen In The Wild
Jose Nazario
jose at arbor.net
Tue May 27 16:22:50 EDT 2008
earlier SYMC said it saw these two hosts active:
"Currently two Chinese sites are known to be hosting exploits for this
flaw, wuqing17173.cn and woai117.cn. The sites appear to be exploiting the
same flaw, however are using different payloads. At the moment these
domains do not appear to be resolving, however they may come back in the
future. Network administrators are advised to blacklist these domains to
prevent clients from inadvertently being redirected to them."
examination with some other folks showed that at least one of the exploits is pulling
ht tp://www.lovedai.cn/back.css
which is an EXE:
MD5: 54939e5ffb291518a1fb0f28a92faf41
SHA1: 7b17dd7a0d9ff815d180b9982f3b247d37272aeb
File type: application/x-ms-dos-executable
File size: 26368 bytes
it's a BHO:
drops files:
C:\DOCUME~1\Bob\LOCALS~1\Temp\sampleow.dll
C:\DOCUME~1\Bob\LOCALS~1\Temp\$dfgb4gh4d.bat
registry changes:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00250D50-D7A2-456A-AE04-EB9ABF822FE4}
"" = Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00250D50-D7A2-456A-AE04-EB9ABF822FE4}\InProcServer32
"" = C:\DOCUME~1\Bob\LOCALS~1\Temp\sampleow.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00250D50-D7A2-456A-AE04-EB9ABF822FE4}\InProcServer32
"" = Apartment
HKEY_CURRENT_USER\Software\ComWaraisn "" =
A/V INFO:
-----------------------------------------------
SCANNER: VScanner VIRUS: No virus found.
SCANNER: AVG VIRUS: No virus found.
SCANNER: ClamAV VIRUS: No virus found.
SCANNER: BDC VIRUS: Trojan.PWS.OnLineGames.SSL
-----------------------------------------------
PE INFO:
-----------------------------------------------
SECT: CODE 6656 0x00000400 - 0x00001000
SECT: DATA 512 0x00001E00 - 0x00003000
SECT: BSS 0 0x00002000 - 0x00004000
SECT: .idata 2560 0x00002000 - 0x00005000
SECT: .reloc 512 0x00002A00 - 0x00006000
SECT: .rsrc 14848 0x00002C00 - 0x00007000
also appears to look in hive files:
C:\w1.hiv
C:\w2.hiv
--
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO, arbor networks
v: (734) 821 1427 http://asert.arbornetworks.com/
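The registry changes in the post show the tell-tale pattern of a COM/BHO server registered straight out of a user's temp directory. The following is an added example (not from the post or from Arbor) that parses that listing format into records and flags any CLSID whose InProcServer32 default value points into a per-user Temp path; the sample input is constructed from the entries quoted above.

```python
import re
from typing import List, Tuple

# Constructed sample input: the registry changes quoted in the post, in the
# "KEY" / '"name" = data' layout used there (one entry has both on one line).
SAMPLE_CHANGES = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{00250D50-D7A2-456A-AE04-EB9ABF822FE4}
"" = Windows
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{00250D50-D7A2-456A-AE04-EB9ABF822FE4}\\InProcServer32
"" = C:\\DOCUME~1\\Bob\\LOCALS~1\\Temp\\sampleow.dll
HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{00250D50-D7A2-456A-AE04-EB9ABF822FE4}\\InProcServer32
"" = Apartment
HKEY_CURRENT_USER\\Software\\ComWaraisn "" =
"""

# Per-user temp directories, in 8.3 and long forms (XP and Vista+ layouts).
TEMP_RE = re.compile(r"\\(?:LOCALS~1|Local Settings|AppData\\Local)\\Temp\\", re.I)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def _split_value(line: str) -> Tuple[str, str]:
    """Turn '"name" = data' into (name, data); the default value has an empty name."""
    name, _, data = line.partition("=")
    return name.strip().strip('"'), data.strip()

def parse_changes(text: str) -> List[Tuple[str, str, str]]:
    """Parse the report's registry-change listing into (key, name, data) records."""
    records: List[Tuple[str, str, str]] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("HKEY_"):
            key, sep, rest = line.partition(' "')
            if sep:  # key and value written on the same line
                records.append((key,) + _split_value('"' + rest))
        elif line.startswith('"') and key:
            records.append((key,) + _split_value(line))
    return records

def suspicious_com_servers(records: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Flag CLSIDs whose in-process server DLL lives in a user temp directory."""
    # A legitimately installed COM server sits under Program Files or System32.
    hits = []
    for key, name, data in records:
        if (key.upper().endswith("\\INPROCSERVER32") and name == ""
                and CLSID_RE.search(key) and TEMP_RE.search(data)):
            hits.append((CLSID_RE.search(key).group(0), data))
    return hits
```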