Attackers have been taking advantage of the March 2011 earthquake in Japan to trick their targets into opening malicious files. The cases we have seen use Excel attachments that carry Flash exploits.
Here’s a screenshot of one such e-mail, provided by Contagio:

The related XLS samples have these MD5 hashes:
4bb64c1da2f73da11f331a96d55d63e2
4031049fe402e8ba587583c08a25221a
d8aefd8e3c96a56123cd5f07192b7369
7ca4ab177f480503653702b33366111f
We detect them as Exploit.CVE-2011-0609.A and Exploit:W32/XcelDrop.F.
Another sample we've seen (MD5: 20ee090487ce1a670c192f9ac18c9d18) is an Excel file with an embedded Flash object that exploits a known vulnerability, CVE-2011-0609. When the XLS file is opened, the user sees an empty Excel spreadsheet while the Flash object starts running the exploit code.
The Flash object begins with a heap spray that fills memory with copies of the following shellcode:

This first-stage shellcode does nothing more than locate a second shellcode embedded in the Excel file and pass execution to it:

The second-stage shellcode decrypts and executes an EXE file that is also embedded in the Excel file:


Meanwhile, the Flash object constructs a second Flash object in memory and loads it at runtime:

This second Flash object is the actual exploit: it triggers CVE-2011-0609 to divert execution into the sprayed shellcode on the heap. We detect the Flash object generically as Exploit.CVE-2011-0609.A.
As an aside: delivering the main exploit this way appears to be a detection-evasion measure. Because the second Flash object exists only in memory, there is no file on disk for an antivirus engine to scan, and embedding the loader Flash object inside an Excel file further disguises the attack. Detection therefore has to work on the embedded loader and its contents (or on their behaviour), not on the exploit SWF as a file.
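The chain described above (an Office container holding a Flash object, which in turn carries a second Flash object that is only assembled at runtime) can be triaged statically if the second SWF is stored as raw bytes inside the first. The script below is an added example, not the post's own tooling: it carves SWF headers out of any blob, inflates CWS bodies, recurses into each body to find nested SWFs, and checks the file's MD5 against the hashes listed earlier in the post. The version and length sanity limits and the OLE2 check are assumptions chosen for this example, and the sample input is constructed in the script, not a real malware file.

```python
"""Static triage of an Office file for embedded (and nested) Flash objects.
Added example: carves SWF headers, inflates CWS bodies, recurses into them,
and matches the file's MD5 against the hashes listed in the post."""
import hashlib
import struct
import zlib

# MD5 hashes of the XLS samples listed in the post.
KNOWN_XLS_MD5 = {
    "4bb64c1da2f73da11f331a96d55d63e2",
    "4031049fe402e8ba587583c08a25221a",
    "d8aefd8e3c96a56123cd5f07192b7369",
    "7ca4ab177f480503653702b33366111f",
    "20ee090487ce1a670c192f9ac18c9d18",
}

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc container
SWF_MAGICS = (b"FWS", b"CWS")                       # uncompressed / zlib-compressed SWF
MAX_NESTING = 3                                     # assumption: recursion guard


def parse_swf_header(data, off):
    """Return (compressed, version, declared_length) for a plausible SWF header at off, else None.
    The 8-byte header (signature, version, little-endian total length) is never compressed,
    even in a CWS file, and the length field counts the header itself."""
    if off + 8 > len(data) or data[off:off + 3] not in SWF_MAGICS:
        return None
    version = data[off + 3]
    length = struct.unpack_from("<I", data, off + 4)[0]
    # Sanity limits (assumptions): Flash versions 1..40, length must at least cover the header.
    if not 1 <= version <= 40 or length < 8:
        return None
    return data[off:off + 3] == b"CWS", version, length


def carve_swfs(data, depth=0):
    """Scan data for embedded SWFs, recover each uncompressed body, and recurse into it."""
    found, pos = [], 0
    while True:
        hits = [i for i in (data.find(m, pos) for m in SWF_MAGICS) if i != -1]
        if not hits:
            return found
        off = min(hits)
        hdr = parse_swf_header(data, off)
        if hdr is None:
            pos = off + 1
            continue
        compressed, version, length = hdr
        if compressed:
            # decompressobj tolerates trailing data; what it did not consume sits in unused_data
            d = zlib.decompressobj()
            try:
                body = d.decompress(data[off + 8:])
            except zlib.error:
                pos = off + 1
                continue
            if not d.eof:                       # truncated stream: not a loadable SWF
                pos = off + 1
                continue
            consumed = 8 + (len(data) - off - 8 - len(d.unused_data))
            body = body[:length - 8]
        else:
            body = data[off + 8:off + length]
            consumed = length
        nested = carve_swfs(body, depth + 1) if depth < MAX_NESTING else []
        found.append({
            "offset": off,
            "compressed": compressed,
            "version": version,
            "declared_length": length,
            "body_len": len(body),
            "md5": hashlib.md5(body).hexdigest(),  # hash of the inflated body, for IOC sharing
            "nested": nested,                       # SWFs stored as raw bytes inside this one
        })
        pos = off + consumed


def triage(blob):
    """Summarise a file: container type, MD5 match against the post's hashes, carved SWFs."""
    swfs = carve_swfs(blob)
    digest = hashlib.md5(blob).hexdigest()
    return {
        "is_ole2": blob.startswith(OLE2_MAGIC),
        "md5": digest,
        "known_sample": digest in KNOWN_XLS_MD5,
        "swfs": swfs,
        # A document has no legitimate reason to ship a Flash object whose payload is
        # another Flash object; that layout alone is worth a closer look.
        "nested_flash": any(s["nested"] for s in swfs),
    }


def build_sample():
    """Constructed input (not a real sample): an OLE2-looking blob holding a CWS whose
    body embeds a second, uncompressed FWS, mimicking the layout the post describes."""
    inner = b"FWS" + bytes([10]) + struct.pack("<I", 8 + 32) + b"\x00" * 32
    outer_body = b"\x41" * 16 + inner + b"\x42" * 16
    outer = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(outer_body)) + zlib.compress(outer_body)
    return OLE2_MAGIC + b"\x00" * (512 - len(OLE2_MAGIC)) + outer + b"\x00" * 64


if __name__ == "__main__":
    report = triage(build_sample())
    print("OLE2:", report["is_ole2"], "known sample:", report["known_sample"])
    for s in report["swfs"]:
        print(f"SWF at {s['offset']} compressed={s['compressed']} v{s['version']} "
              f"nested={[n['offset'] for n in s['nested']]}")
```

On a real file, run `triage(open(path, "rb").read())`. The scan only sees a nested SWF that is stored as literal bytes; a loader that assembles the second SWF from scattered or encoded pieces, as the post's aside warns, will show up only as a single embedded Flash object, and the next step is to decompile that loader or run it under instrumentation.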
Fortunately, the malicious Excel file and its embedded EXE file are detected as Exploit.D-Encrypted.Gen and Trojan.Agent.ARKJ, respectively.
Still, users should update Flash Player: Adobe has already released a patch for this vulnerability. For details, see Adobe's security advisory APSA11-01 for CVE-2011-0609.
Threat Solutions post by — Broderick
On 23/03/11 At 02:55 AM
Related Posts
- Targeted Attack Using Journalists as a Lure: We found a new malicious XLS file which contains lots of names, details and contact information for journalists around the world. This file was e-mailed to unknown persons, apparently in order ...
- One more Adobe 0-day vulnerability using Office files: Today Adobe announced a new 0-day vulnerability (CVE-2011-0611) in Adobe Flash Player and Adobe Acrobat that, similar to the previous 0-day from less than a month ago, was found embedded in a Microsof...
- LizaMoon the Latest SQL-Injection Attack: Working in the security industry brings about a myriad of challenges. This is especially true for vendors. We must do our best to educate and inform. At the same time, we want to avoid laying on the F...
- More on the "massive" SQL injection attack: Alas, the news was published on April 1st. But it is not a joke. Curious, I spent a bit of time today researching it (when I really was supposed to be doing other things), and while the "lizamoon" ...
- LizaMoon, Etc. SQL Injection Attack Still Ongoing: We're currently monitoring a still-ongoing mass compromise involving a great number of websites. The compromised sites have been injected with a malicious script that triggers redirects to certa...
- Italian model exposed in Facebook clickjacking attack: The mere mention of anything with a sex connotation on Facebook almost always begets some major activity, with people wanting to know more. As a result, whatever the attack vector or channel might be ...
- Are you using the right "System Tool"?: Recently, we have been seeing a lot of the Winwebsec rogue branded as "System Tool". Winwebsec authors have been using this brand since last year, but lately these have been seen using more aggressiv...
- A Technical Analysis on the CVE-2011-0609 Adobe Flash Player Vulnerability: On March 14, Adobe released a security advisory (APSA11-01) warning of 0-day attacks affecting Adobe Flash Player (versions earlier than and including 10.2.152.33). These attacks were hidden inside Mi...
- Using Twitter for Public Relations During a Data Breach Incident: Data breaches happen to organizations of all shapes and sizes. A critical aspect of such security incidents is the manner in which the company handles public relations (PR), keeping affected customer...
- Phishing Attack Uses Fake Donation Website: Earlier today, we found a phishing site that poses as a donation site to raise money for the victims of the recent earthquake in Japan. The phishing site http://www.japan{BLOCKED}.com is created by us...