Flash 0Day Found in Drive-By
The recently announced Adobe Flash 0day exploit (CVE-2011-0611) has been found in the wild as a drive-by download. The exploit targets Adobe Flash Player version 10.2.153.1 and works quite reliably.
The bottom portion of the script is dedicated to the shellcode.
After dumping the shellcode, you can see the URL at the end which installs the malware.
The resulting malware that gets installed on the unsuspecting victim’s PC looks to be some kind of game stealer and is detected by 18 of 42 anti-virus engines (42.9% coverage).
There were clues in the exploit code, tool marks if you will, that helped me find what I think is the exploit generator program. It’s in Chinese. After you enter your login credentials, you get this screen where you enter the URL of your malware.
I found yet another tool made by the same folks that appears to have made the Flash exploit tool. They share the same skin but this tool uses a different exploit to deliver malware.
I’ll try to get more information and post it here.