Flash zero-day flaw under attack to spread ad malware, botnet

New attacks on Flash Player may force Adobe to issue another patch just days after fixing nine flaws.
Written by Liam Tung, Contributing Writer

Cybercriminals are exploiting a newly discovered flaw in Adobe Flash Player to distribute a botnet and adware, according to security researchers.

Adobe is investigating reports that a zero-day flaw in Flash Player is being used by an exploit kit known as Angler. Following the Blackhole exploit kit's demise last year, Angler is the new "one to watch" this year, according to Cisco security researchers.

Malware researcher Kafeine discovered the attack on Flash Player yesterday in an instance of Angler that contains exploits for three Flash flaws - two old ones that Adobe has fixes for, and one new flaw that was not patched in last week's security update, which brought Flash for Mac and Windows up to version

Flash is a popular target for exploit kits because it runs in all popular browsers and on multiple operating systems. It's somewhat rare to see a zero-day exploit being used in an exploit kit, which can automatically install malware on PCs if the browser is directed towards a rigged or compromised website.

Kafeine has run a partial analysis on which systems are affected by the Flash zero-day flaw. According to the researcher, Flash-enabled systems that the exploit works against include: Windows XP with Internet Explorer (IE) 6 to IE 8, Windows 7 with IE 8, Windows 8 with IE 10, and Windows 8 with IE 10 and the Windows8-RT-KB3008925-x86 update.

Windows 8.1 and Chrome are considered safe from the Angler instance that the researcher has analysed. However, it's just one instance of that particular exploit kit, which may be upgraded in future.

An Adobe spokeswoman told ZDNet it was aware of the report and was investigating the matter. However, the company has yet to provide official guidance.

In the absence of a patch and as a matter of caution, Kafeine recommended disabling Flash on affected systems for a few days.

The malware being distributed with the aid of the new exploit is called 'Bedep', which, according to security firm Malwarebytes, is "a distribution botnet that can load multiple payloads on the infected host". In this case, it's installing malware that tricks online ad networks such as DoubleClick into counting fraudulent ad clicks and impressions.

"Upon infection, explorer.exe (not to be confused with iexplore.exe) is injected and performs the ad fraud calls," Jérôme Segura, a security researcher with Malwarebytes, said.

Ad fraud processes running in the background.
Image: Malwarebytes
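The behaviour Segura describes, an injected explorer.exe making web requests to ad networks, is something a defender can hunt for in process-level network logs. The following is an added example, not code from the article or from Malwarebytes; the log format, the sample lines and the process/port lists are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumed format, not from the article):
# "<time> <process> <pid> -> <dest_host>:<port>"
SAMPLE_LOG = """\
10:01:02 iexplore.exe 1204 -> www.example.com:443
10:01:05 explorer.exe 988 -> ad.doubleclick.net:80
10:01:06 explorer.exe 988 -> ad.doubleclick.net:80
10:01:07 explorer.exe 988 -> adserver.example.net:80
10:01:09 chrome.exe 2210 -> ad.doubleclick.net:443
10:01:10 explorer.exe 988 -> fileshare.corp.local:445
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) -> (\S+):(\d+)$")

# Processes expected to fetch web content. The Windows shell (explorer.exe)
# is deliberately not in this set: repeated HTTP/HTTPS traffic from it is
# the anomaly the article's quote points at.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}
WEB_PORTS = {80, 443}


def parse(log):
    """Yield (time, process, pid, host, port) tuples from the assumed log format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, proc, pid, host, port = m.groups()
            yield ts, proc.lower(), int(pid), host, int(port)


def find_suspicious(log, min_hits=2):
    """Return {(process, pid): [hosts]} for non-browser processes that made
    at least min_hits connections to web ports; non-web ports (e.g. SMB 445)
    are ignored so ordinary file-share traffic from the shell is not flagged."""
    hits = defaultdict(list)
    for _, proc, pid, host, port in parse(log):
        if port in WEB_PORTS and proc not in BROWSERS:
            hits[(proc, pid)].append(host)
    return {k: v for k, v in hits.items() if len(v) >= min_hits}
```

explorer.exe does generate some legitimate web traffic (WebDAV shares, for instance), so baseline the host's normal shell traffic before turning this heuristic into an alert.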

The free version of Malwarebytes' anti-exploit product does protect vulnerable systems from the attack, according to Kafeine.

Symantec identified the malware as 'Trojan.Swifti'. The company said on an official blog: "Symantec regards this vulnerability as critical because Adobe Flash Player is widely used and the flaw allows an attacker to effectively compromise a host, which then allows for the unauthorized installation of malware."
