Attackers have been taking advantage of the situation in Japan to trick their targets into opening malicious files. These cases have used infected Excel attachments with Flash exploits.
Here's a screenshot of one such email, provided by Contagio:
The related XLS samples have these hashes:
4bb64c1da2f73da11f331a96d55d63e2
4031049fe402e8ba587583c08a25221a
d8aefd8e3c96a56123cd5f07192b7369
7ca4ab177f480503653702b33366111fand we detect them as Exploit.CVE-2011-0609.A and Exploit:W32/XcelDrop.F.
Another sample we've seen (md5:20ee090487ce1a670c192f9ac18c9d18) is an Excel file containing an embedded Flash object that exploits a known vulnerability (CVE-2011-0609). When the XLS file is opened, it shows an empty Excel spreadsheet and starts exploit code via a Flash object.
The Flash object starts by doing a heap-spray containing the following shellcode:
This first shellcode only loads and passes execution to a second shellcode embedded in the Excel file:
The second shellcode is responsible for decrypting and executing a EXE file (also embedded in the Excel file):
In the meantime, the Flash object constructs and loads a second Flash object in runtime:
This second Flash object is the main exploit in this malware and it exploits CVE-2011-0609 to execute the shellcode in the heap. We generically detect the Flash object as Exploit.CVE-2011-0609.A.
As an aside: the main exploit appears to have been delivered in this fashion in an attempt to evade detection. As it is loaded in memory, no physical file is available for scanning by an antivirus engine. Embedding the Flash object that loads the main exploit in an Excel file may be an attempt to further disguise the attack.
Fortunately, the malicious Excel file and its embedded EXE file are detected as Exploit.D-Encrypted.Gen and Trojan.Agent.ARKJ, respectively.
Still, users should update their Flash player as Adobe has already released a patch for this particular vulnerability. For more information, please see their security advisory for CVE-2011-0609.
-----
Analysis by - Broderick
http://www.f-secure.com/weblog/archives/00002127.html
沒有留言:
張貼留言