Attackers exploit latest Flash bug on large scale, says researcher

Guest LilBambi
Attackers exploit latest Flash bug on large scale, says researcher (Computerworld):
Hackers are aggressively exploiting a just-patched Flash vulnerability, serving attack code “on a fairly large scale” from compromised sites as well as from their own malicious domains, a security researcher said Friday. The attacks exploit the critical Flash Player bug that Adobe patched June 14 with its second “out-of-band,” or emergency update, in nine days.
I also posted it on my FransComputerServices Blog here. Might want to check your current version of Adobe Flash and make sure you have their latest version. They have put out 2 out-of-band updates recently, so we all need to really be sure.

Why is the FF plugin called "Shockwave Flash"? Was Shockwave the former owner? Also, Adobe says the latest "Shockwave Player" is 11.6 when it offers a download, but mine is 10.3.181.26 and that's what FileHippo says is the latest for "Flash Player". Confusing. Would it be better to just try disabling the stupid thing? Not sure how crippling it would prove to be.

Edited by frapper

Guest LilBambi
Why is the FF plugin called "Shockwave Flash"? Was Shockwave the former owner? Also, Adobe says the latest "Shockwave Player" is 11.6 when it offers a download, but mine is 10.3.181.26 and that's what FileHippo says is the latest for "Flash Player". Confusing. Would it be better to just try disabling the stupid thing? Not sure how crippling it would prove to be.
It can get confusing for sure, frapper. Especially when some say one thing and some say another. In the Windows world, Flash Player and Shockwave Flash are two totally different things, maybe in all OSes. Flash Player in general is not always a Shockwave Flash Player, but a Shockwave Flash Player is always a Flash Player, or at least includes a Flash Player... if that makes any sense, and if I understand it correctly. Here's where I get this info:
What's the difference between the Flash and Shockwave Players? Flash and Shockwave Players are both free Web Players from Adobe. Together, they bring you the best rich media content on the Internet. Each has a distinct purpose. Flash Player delivers fast loading front-end Web applications, high-impact Web site user interaction, interactive online advertising, and short to medium form animation. Shockwave Player displays destination Web content such as interactive multimedia product demos and training, e-merchandising applications, and rich-media multiuser games. When you download Shockwave Player, it automatically includes Adobe Flash Player.

In addition to what LilBambi found, according to http://www.adobe.com/products/shockwaveplayer/ , "Shockwave Player displays Web content that has been created by Adobe Director." I don't have Shockwave Player installed on any of my computers and haven't needed it. I gather that is because I haven't run into any content created by "Adobe Director".


Thanks for that Corrine. :thumbsup: I'm going to see if I have Shockwave Player and remove it. I did the same with Java. Only one computer in the house has Java. It has saved me patching all the computers. If I run into any problems on a site, I can always fire up the Java computer and see if Java is needed.


Flash Player delivers fast loading front-end Web applications, high-impact Web site user interaction....
Apparently without constant patching it can also deliver a lot more! Thanks, Fran and Corrine, for the info.

You're welcome.

Apparently without constant patching it can also deliver a lot more!
It certainly can and does.

Adair called the attacks "nasty" because the exploit "happens seamlessly in the background," giving victims no clue that their systems have been compromised.
So what are the symptoms, if any, of being compromised? What are the consequences? Do AV's or MBAM catch or correct these Flash attacks? Thanks.

Guest LilBambi
So what are the symptoms, if any, of being compromised? What are the consequences? Do AV's or MBAM catch or correct these Flash attacks? Thanks.
Remember the movie, The Matrix? The construct was where they could get everything they need? It's kinda like that ... it would depend on the cocktail they use on a given site. They can do anything they want if they find a vulnerability to deliver it... sadly. So what side effects would depend on the site and what 'hidden' cocktail is being delivered. Here's more info from ThreatPost: Attackers Exploiting Critical Flash Bug Via Drive-By Download:
The attack begins as most drive-by download attacks do, with a user visiting a malicious site with a browser running a vulnerable version of Flash. The site loads a malicious Flash file, which contains the exploit for the Flash bug and begins the exploitation chain. From there, the interesting parts kick in. "The exploit samples we've seen so far use heap information leakage, so that it doesn't have to spray the heap. This is a more advanced exploit technique than we usually see but it makes the exploit more stable and won't crash the process, which can easily happen when a heap spray is used," Websense's Patrik Runald said in a blog post on the attack. "Once the vulnerability is triggered, the transfer of execution from legitimate code to malicious code takes place when the stack pointer is replaced with EAX." After the attack succeeds in compromising the machine's stack, it then uses return-oriented programming (ROP) techniques in order to find a spot to execute the shellcode. That code then downloads an encrypted binary from a remote server that's decrypted on the user's machine and stored. At that point, it's game over for the user.

Thanks, Fran, for the detailed explanation. I really appreciate it. So, no AV nor MBAM detects these attacks?

a user visiting a malicious site with a browser running a vulnerable version of Flash.
The plugin isn't running anymore. :thumbsup: I'll see if I can live with it that way. What a pain.

Guest LilBambi
Thanks, Fran, for the detailed explanation. I really appreciate it. So, no AV nor MBAM detects these attacks? The plugin isn't running anymore. :hmm: I'll see if I can live with it that way. What a pain.
Your new Flash Plugin no longer working? Did you uninstall Shockwave and not reinstall Flash Player maybe? Could be that Shockwave removed Flash along with it and now you need to go install Flash separately? Don't know... What OS are you running?

Frapper, you do have noscript protecting you in FF. I usually have everything blocked. Even here at Scot's, my noscript icon is showing that I have some things blocked. When I go to a new site, I look to see what noscript is blocking. Then I decide if I want to enable anything or move on. I rarely enable everything at once on a new site. I might enable one item, refresh and look again.


Guest LilBambi
Frapper, you do have noscript protecting you in FF. I usually have everything blocked. Even here at Scot's, my noscript icon is showing that I have some things blocked. When I go to a new site, I look to see what noscript is blocking. Then I decide if I want to enable anything or move on. I rarely enable everything at once on a new site. I might enable one item, refresh and look again.
Same here Liz! :hmm:

I have NoScript. It's just that even at some normally trustworthy sites, the hackers have planted their "things". I usually only allow things with NS when the site won't function without it. As for the Flash plugin in FF, I just disabled it. I have google analytics and google syndication blocked here.
---------
Edit: Arrgh! Disabling the Flash plugin blocks not only TV news clips and feeds, but also You Tube. Too bad there isn't an addon that would let you turn it off and on with an icon on the toolbar. Flashblock might be the ticket. http://flashblock.mozdev.org/

Edited by frapper

Why is the FF plugin called "Shockwave Flash"? Was Shockwave the former owner? Also, Adobe says the latest "Shockwave Player" is 11.6 when it offers a download, but mine is 10.3.181.26 and that's what FileHippo says is the latest for "Flash Player". Confusing. Would it be better to just try disabling the stupid thing? Not sure how crippling it would prove to be.
I remember back in the earlier days when the whole internet phenomenon started becoming popular, there were several sites that used Shockwave for some simple web based games. Used to be owned by Macromedia. Over a period of time (I don't know why) Adobe Flash has become the preferred platform for such things and now you see nothing but flash based advertising content. I remember having Shockwave on Win 98 (first edition I think it was) - it was "cool" back then to be able to play some online games but these days - I have rarely ever run into a website that uses it.

Guest LilBambi
Once more, there is no way to scan with an antivirus or anti-malware app to see if you have been penetrated by a Flash hacker?
Don't know... What OS are you running?
:thumbsup:

Once more, there is no way to scan with an antivirus or anti-malware app to see if you have been penetrated by a Flash hacker?
Here's my take on it. Keep in mind what I'm about to say is just one layman's opinion or understanding on this so I may be completely wrong here. There's several ways that your flash player can get "hacked". And not all of these exploits are going to present themselves in self contained modules with signatures to match so it's unlikely your certain AV of choice is going to catch it before you become infected. It depends really. Some of these exploits come from a flash file itself - where some unwitting user gets duped into double clicking it. In this kind of circumstance, yes there is a good chance the AV will catch it in time. I know that proactive A/V programs such as NOD32/Kaspersky, etc... would probably (emphasis on 'probably') catch most of the malicious code behind it & stop it from running. I'm not sure about the performance of the free ones like Avast etc. I don't really make it a point to test a slew of different AV programs just for this sole purpose. As I mentioned there are other ways for your flash program to get 'hacked'. It could also happen via web site content where you get an e-mail to visit some random site. That is why Corrine in her post above made it a point NOT to click on anything that says Try this or You gotta see this! in the subject line - such bait is all too tempting to pass up for the teenager at home surfing on the net. In these cases the payload isn't always going to come from a single file. There can be malicious scripts running in the background while you're viewing the flash video content and you wouldn't even know it's running because it's running in the same process as Adobe Flash itself. Now I fully expect that Corrine and/or Goretsky will dissect that and let me know if I'm nutty or completely full of you know what! :thumbsup:
Edited by Tushman

Guest LilBambi

Oh, where to start... so many possibilities... Here is just one example: RSA gives insight into anatomy of attack on its systems (Virus Bulletin):

The first step taken by the hackers was to obtain publicly available information on RSA's employees; unsurprisingly, social media sites were a valuable source of information for the crooks. Using these details, specific employees were spear-phished: they were sent an email with an Excel spreadsheet attached, apparently containing the recruitment plans for 2011. This spreadsheet contained an exploit that made use of a zero-day vulnerability in Adobe's Flash Player and installed a trojan. The trojan downloaded a tool that gave the hackers remote access to the victim's computer. From there, they managed to escalate their privileges and gain access to high-value targets. They then copied password-protected RAR files via FTP to an external compromised server and, after pulling the files from this server, deleted them to remove traces.
Here's another example: Adobe Flash Vulnerability Fix (Securing WoW blog):
Adobe has released a patch for the latest Flash vulnerability. Adobe Flash is used by the majority of browsers to display dynamic content on web pages. This vulnerability can potentially lead to automatic keylogger downloads by visiting a web site that has a specially crafted flash file embedded in its pages. This is known as a 'drive-by download' - one in which malware can be downloaded and installed without you knowing. While I am yet to see this specific vulnerability exploited, it is only a matter of time before it is. I have seen previous Flash vulnerabilities exploited to download keyloggers from popular WoW fan sites.
And another example: Newest Adobe flash 0-day used in new drive-by download variation: drive-by cache, targets human rights website (Amorize Malware Blog)
And another from April 2011: Drive-By Downloads Attack Adobe Zero-Day Flaw (McAfee Labs):
Adobe released a security advisory warning the users of a zero-day vulnerability in Adobe Flash Player Versions 10.2.152.33 and earlier. An exploit targeting this vulnerability was embedded inside Microsoft Excel documents and was used to deliver the malicious code to the victims. McAfee Labs performed a detailed technical analysis of the exploit and learned that the Flash Player object embedded inside the Excel document carried the malicious shellcode (shown below), which in turn loaded another Flash object to exploit the vulnerability via the classical heap-spray technique.
These types of things can be embedded in files, in websites, in email links... and Flash may not be the ONLY delivery mechanism -- could be a combo, especially if on a website such as Flash and Javascripting of some kind since most web pages would need both to deliver Flash. Could be a Word, Excel, Adobe Reader PDF, could be what appears to be a Youtube Flash video on a website that never actually goes to Youtube but a place that might be a really good replica of Youtube, or worse just look like the embedded video is coming from Youtube when it's not. Could tell you you need an update to your Flash Player or Codecs and deliver the bad stuff instead. Malware delivery has become kinda like the "Construct" program in the movie, The Matrix ... where they can get everything they need and deliver it in what is often called a 'cocktail' because of all the different things it delivers in one driveby download incident.
And now some anatomy of drive by downloads in general:
Drive-by Downloads. The Web Under Siege (by Ryan Naraine, Security Evangelist, when he was at Kaspersky Lab)
The Anatomy of a "Drive-by-Download" (by Eric L. Howes on SpywareWarrior)
Anatomy of a Drive-by-Install (BBR Forum by eburger68)
You can also find much information at BenEdelman.org
BleepingComputer has a slew of articles on various types of Malware Removal procedures for what folks end up getting hit with through these drive by downloads and other methods.
Back in October 2010, there appeared to be some great hope that a new software/software plugin called BLADE would really help to tip the tide on these drive-by malware cocktails.
BLADE: Can it stop drive-by malware? (TechRepublic):
BLADE (BLock All Drive-by download Exploits), the brainchild of researchers from College of Computing at Georgia Institute of Technology and SRI International, is positioned to help stem the tide of drive-by malware. A big deal according to Dasient.com, the company is tracking over 200 thousand different web-based malware threats. What is drive-by malware? I’ve written about this type of malware before. But, the team’s research paper BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware infections (pdf) pointed out something I was not aware of: “The goal of the drive-by exploit is to take effective, temporary control of the client web browser for the purpose of forcing it to fetch, store, and then execute a binary application (e.g., .exe, .dll, .msi, .sys) without revealing to the human user that these actions have taken place.” The part about drive-by malware being a temporary conduit to get the desired malware loaded onto the computer was new to me. Let’s look at how the researchers believe the process works.
Much, much more in that article.
BLADE Software Eliminates 'Drive-By Downloads' from Malicious Websites (ScienceDaily)
Drive-by malware blocked by new BLADE software (Arstechnica)
Brian Krebs had actually done an article on BLADE back in Feb 2010:
BLADE: Hacking Away at Drive-By Downloads (Krebs On Security - February 22nd, 2010):
The online version of Technology Review today carries a story I wrote about a government funded research group that is preparing to release a new free tool designed to block “drive-by downloads,” attacks in which the mere act of visiting a hacked or malicious Web site results in the installation of an unwanted program, usually without the visitor’s consent or knowledge. The story delves into greater detail about the as yet unreleased software, called “BLADE,” (short for Block All Drive-By Download Exploits). That piece, which explores some of the unique approaches and limitations of this tool, is available at this link here. As I note in the story, nearly all of the sites that foist these drive-by attacks have been retrofitted with what are known as “exploit packs,” or software kits designed to probe the visitor’s browser for known security vulnerabilities. Last month, I shared with readers a peek inside the Web administration panel for the Eleonore exploit pack — one of the most popular at the moment.
You can just keep following link after link, search after search on this topic and never get to the end of it.
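As an added illustration of the BLADE idea quoted above (example code written for this thread, not BLADE's own implementation and not code from any of the linked articles), here is a small Python model of its consent-correlation rule: an executable the browser writes to disk counts as a user-authorized download only if the user confirmed a download dialog for that file shortly beforehand, and anything else is quarantined and refused execution, whichever exploit dropped it. The event format, the process names and the 30-second window are assumptions.

```python
"""Toy model of BLADE's attack-agnostic rule (added example, not BLADE's code):
a binary the browser writes to disk is a legitimate download only if the user
confirmed a download dialog for that file shortly beforehand. Any other
executable the browser drops is quarantined and refused execution."""
from dataclasses import dataclass
from typing import Dict, List

# File types named in the BLADE quote as the goal of a drive-by download.
EXEC_EXT = (".exe", ".dll", ".msi", ".sys")
# Processes that count as "the browser" (assumed: Firefox and its plugin host).
BROWSER_PROCS = {"firefox.exe", "plugin-container.exe"}
CONSENT_WINDOW = 30.0  # seconds allowed between dialog click and write (assumed)

@dataclass
class Event:
    t: float    # seconds since trace start
    kind: str   # "consent" (user confirmed a download dialog), "write" or "exec"
    proc: str   # process that produced the event
    path: str   # file the event refers to

def classify_writes(events: List[Event]) -> Dict[str, str]:
    """Map each executable written by a browser process to "authorized"
    (a matching consent preceded it within the window) or "quarantine"."""
    consents: Dict[str, float] = {}   # path -> time of latest consent click
    verdicts: Dict[str, str] = {}
    for ev in sorted(events, key=lambda e: e.t):
        key = ev.path.lower()
        if ev.kind == "consent" and ev.proc in BROWSER_PROCS:
            consents[key] = ev.t
        elif (ev.kind == "write" and ev.proc in BROWSER_PROCS
              and key.endswith(EXEC_EXT)):
            t_ok = consents.get(key)
            fresh = t_ok is not None and 0.0 <= ev.t - t_ok <= CONSENT_WINDOW
            verdicts[ev.path] = "authorized" if fresh else "quarantine"
    return verdicts

def blocked_executions(events: List[Event]) -> List[str]:
    """Paths whose execution is refused because the browser-written file was
    quarantined. Files not written by the browser are outside BLADE's scope."""
    verdicts = classify_writes(events)
    return sorted({ev.path for ev in events
                   if ev.kind == "exec" and verdicts.get(ev.path) == "quarantine"})

# Constructed sample trace (not a real capture).
SETUP = r"C:\Users\pat\Downloads\setup.exe"            # user-requested download
DROPPED = r"C:\Users\pat\AppData\Local\Temp\svc0.exe"  # silently dropped by the plugin host
STALE = r"C:\Users\pat\Downloads\tool.exe"             # consent given far too early
SAMPLE = [
    Event(0.0, "consent", "firefox.exe", STALE),
    Event(1.0, "consent", "firefox.exe", SETUP),
    Event(3.5, "write", "firefox.exe", SETUP),
    Event(4.0, "write", "firefox.exe", r"C:\Users\pat\AppData\Local\Temp\ad.swf"),  # not a binary
    Event(40.0, "write", "plugin-container.exe", DROPPED),  # no dialog was ever shown
    Event(41.0, "exec", "plugin-container.exe", DROPPED),
    Event(50.0, "exec", "explorer.exe", SETUP),
    Event(90.0, "write", "firefox.exe", STALE),             # consent was 90 s ago
    Event(91.0, "exec", "explorer.exe", STALE),
]

if __name__ == "__main__":
    for path, verdict in classify_writes(SAMPLE).items():
        print(f"{verdict:10} {path}")
    print("blocked:", blocked_executions(SAMPLE))  # [DROPPED, STALE]
```

The point of the model is that no signature of the Flash bug is needed: the rule only asks whether a browser process produced a binary the user never asked for.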

Thanks to both Fran and Tushman. I'm still reading. This is all very interesting and scarier by the moment. BTW, I never click like an idiot no matter who sends me links or where they appear. And I have ESET and MBAM running realtime. And Flashblock. Thanks again for taking the time to research and report all the gory details.


Guest LilBambi
Thanks to both Fran and Tushman. I'm still reading. This is all very interesting and scarier by the moment. BTW, I never click like an idiot no matter who sends me links or where they appear. And I have ESET and MBAM running realtime. And Flashblock. Thanks again for taking the time to research and report all the gory details.
You're welcome ... but believe it or not, I was actually only scratching the surface ... sadly. ;) Those exploit packs are scary for sure. I like your choices of protection. I personally use ESET and WinPatrol realtime, and MBAM once a week (non-real-time) or as needed, in combination with CCleaner, SpywareBlaster, using a non-OS provided browser, with security addons/extensions like Flashblock, NoScript, Pretty Good Privacy, AdBlock Plus, PDF Download, WOT, and a few others. My Jim says I am a bit paranoid (he can say that cuz he uses Linux :thumbsup: ), but I have had to clean too many systems not to feel a bit paranoid about what's out there.

Yup, I run Spywareblaster, WOT, Flashblock, NoScript, AdBlock Plus, and others in addition to the ESET and MBAM. And, of course, I have a recent good image with Acronis.


Guest LilBambi
Yup, I run Spywareblaster, WOT, Flashblock, NoScript, AdBlock Plus, and others in addition to the ESET and MBAM. And, of course, I have a recent good image with Acronis.
Excellent! :thumbsup: