CVE-2011-2140 Caught in the Wild
A Chinese website contains malvertisement that leads to a few exploits including the latest Flash exploit (CVE-2011-2140). Special thanks to Jason for the find and share!
Here’s the website that kicks things off:
This is the infection chain:
It’s quite long but the action starts at the “1.htm” file. The script loads up the appropriate iframe depending on your Flash or browser version.
One path leads to an IE browser exploit:
It calls up pieces of the IEPeers exploit code found in separate Javascript files before calling it. Here are the first two pieces. You can see the variable name is appropriately called “booom”.
Shellcode contains a download and execute URL but you need to XOR it with the key of 0xBD first.
That file is a downloader which pulls down another executable from the same website. The second binary looks to be some kind of online game stealer.
File: zxx.exeMD5: 1bfd57d5fa7c26e56a5c89bc668db121VirusTotal: 21/42 (50.0%)File: shenma.exeMD5: 1391776c2ddcbb9eea7fdd3d85a6e0a9VirusTotal: 29/41 (70.7%)Let’s check out the first of two Flash exploits:
The shellcode there pulls down the same binary from the URL as above. Here’s what VirusTotal has to say about the SWF file.
File: nb.swfMD5: f0e59dcbe6730a4383a88ab057a58c5cVirusTotal: 4/42 (9.5%)The second Flash exploit is called upon as the last option (see “1.htm” file above under the “luck3()” function). The decompiled code looks like this:
It takes the contents of variables “_local6” and “_local7” then writes it to a binary file. That binary file is another SWF file. The decompiled code shows that it plays a file called “e.avi” after staging memory.
Here’s a hex view of that file.
I tried dumping the contents of the atoms using AtomicParsley, QTatomizer, and a couple of other tools but it’s not working.
Anyone got a good tool to decompile a Quicktime file? In the meantime, I’m going to try to look for the shellcode and carve it out since this presumably exploits Flash using the CVE-2011-2140 exploit and downloads another binary file called “qq.exe” which is an online game stealer.
Here’s the VirusTotal scan results for these files:
File: nbwm.swfMD5: e4b2c3d3cca93350accaf89af8d497aaVirusTotal: 5/42 (11.9%)File: e.aviMD5: ba9b2a0e81e6a0f6e3fa64c867fd0be6VirusTotal: 17/42 (40.5%)File: qq.exeMD5: 82c99d83b4d66babb1420b2c6297f4ccVirusTotal: 20/42 (47.6%)