CVE-2011-2140 Caught in the Wild

A Chinese website contains malvertisement that leads to a few exploits including the latest Flash exploit (CVE-2011-2140). Special thanks to Jason for the find and share!

Here’s the website that kicks things off:

This is the infection chain:

It’s quite long but the action starts at the “1.htm” file. The script loads up the appropriate iframe depending on your Flash or browser version.

One path leads to an IE browser exploit:

It calls up pieces of the IEPeers exploit code found in separate Javascript files before calling it. Here are the first two pieces. You can see the variable name is appropriately called “booom”.

Shellcode contains a download and execute URL but you need to XOR it with the key of 0xBD first.

That file is a downloader which pulls down another executable from the same website. The second binary looks to be some kind of online game stealer.

File: zxx.exe
MD5: 1bfd57d5fa7c26e56a5c89bc668db121
VirusTotal: 21/42 (50.0%)

File: shenma.exe
MD5: 1391776c2ddcbb9eea7fdd3d85a6e0a9
VirusTotal: 29/41 (70.7%)

Let’s check out the first of two Flash exploits:

The shellcode there pulls down the same binary from the URL as above. Here’s what VirusTotal has to say about the SWF file.

File: nb.swf
MD5: f0e59dcbe6730a4383a88ab057a58c5c
VirusTotal: 4/42 (9.5%)

The second Flash exploit is called upon as the last option (see “1.htm” file above under the “luck3()” function). The decompiled code looks like this:

It takes the contents of variables “_local6” and “_local7” then writes it to a binary file. That binary file is another SWF file. The decompiled code shows that it plays a file called “e.avi” after staging memory.

Here’s a hex view of that file.

I tried dumping the contents of the atoms using AtomicParsley, QTatomizer, and a couple of other tools but it’s not working.

Anyone got a good tool to decompile a Quicktime file? In the meantime, I’m going to try to look for the shellcode and carve it out since this presumably exploits Flash using the CVE-2011-2140 exploit and downloads another binary file called “qq.exe” which is an online game stealer.

Here’s the VirusTotal scan results for these files:

File: nbwm.swf
MD5: e4b2c3d3cca93350accaf89af8d497aa
VirusTotal: 5/42 (11.9%)

File: e.avi
MD5: ba9b2a0e81e6a0f6e3fa64c867fd0be6
VirusTotal: 17/42 (40.5%)

File: qq.exe
MD5: 82c99d83b4d66babb1420b2c6297f4cc
VirusTotal: 20/42 (47.6%)

Posted on: 11/12/2011