Adobe Flash drive-by attacks redux

In a progress report posted to the official Adobe PSIRT blog, David Lenoe stops short of making definitive statements on the actual vulnerability, using phrases like "appears to be" and "should not be vulnerable" but it's clear that Adobe believes these attacks are tied to an issue that was patched with Flash Player 9.0.124.0.

From Lenoe's update:

The exploit appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 9.0.124.0 (CVE-2007-0071). This exploit does NOT appear to include a new, unpatched vulnerability as has been reported elsewhere – customers with Flash Player 9.0.124.0 should not be vulnerable to this exploit. We’re still looking in to the exploit files, and will update everyone with further information as we get it, but for now, we strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0.

 [ SEE: Adobe Flash zero-day exploit in the wild ]

While Lenoe hedges his bets, several researchers have reversed the malware executable to trace the attacks to hackers stealing World of Warcraft passwords.

First up is Dino Dai Zovi's walkthrough:

1. The flash.swf file exploits an unpatched vulnerability in Flash.  (Note: This differs from Adobe's latest statement)
2. The exploit payload uses familiar techniques to lookup API functions by a 32-bit hash value, and uses URLMON.DLL to download an executable to C:\6123t.exe and runs it.
3. The downloaded executable disables Kaspersky Anti-Virus (what, they don’t have any others in China?) extracts a UPX-packed DLL (Ow.dll) from its resources segment and loads it as a keyboard hook DLL.
4. The keyboard hook targets World Of Warcraft and uploads captured information to the attacker’s server disguised as HTTP requests.

My Zero Day blogging colleague Dancho Danchev does a deep-dive analysis of the attacks, which are using SQL injection to plant executables on thousands of compromised Web sites.

The current malware attack has been traced back to Chinese blackhats, who are using a zero day to infect users with password stealers, moreover, one of the domains serving the Adobe zero day has been sharing the same IP with four of the malware domains in the recent waves of massive SQL injection attacks, indicating this incident and the previous ones are connected.

The volunteers at Shadowserver.org have posted a list of the domains and IPs involved in the attacks.

PROTECTION AND MITIGATION:

Whether this is a zero-day issue or not  -- I suspect it's a modification/variation of Mark Dowd's groundbreaking null pointer dereference exploit (.pdf) -- there are some important steps that every Windows user (Flash is a monoculture after all!) should take to limit the damage:

1. Patch your Flash installation.  Adobe provides this page to help determine your Flash version. Make sure you're running Flash Player 9.0.124.0.
2. Disable JavaScript entirely or use the NoScript on Firefox.
3. Block outgoing access to the list of IP addresses published by Shadowserver.org.
4. Enable DEP (Data Execution Prevention) on Windows systems.
5. As a temporary measure, set the kill bit on CLSID d27cdb6e-ae6d-11cf-96b8-444553540000. (Note: This will affect sites that are heavy on Flash content. Errata Security provides an AxBan tool to automate this process.
6. Ensure anti-virus software is updated with the latest signatures.
7. Avoid browsing to suspicious sites or strange links that arrive via e-mail or IM messages.
8. Browse the Web with low-rights accounts wherever possible.