On June 14, Adobe released updates and a security bulletin (APSB11-18) referencing attacks affecting Adobe Flash Player (versions 10.3.181.23 and earlier). These attacks have been observed as hosted on webpages containing malformed SWF files. We spent some time analyzing this Flash Player vulnerability (described in CVE-2011-2110) and are providing some technical details of this in-the-wild exploit.
The following steps describe how the SWF constructs the shellcode:
- The SWF downloads a binary file from a URL which is specified in the HTML file. The attacker can simply change the HTML file to reuse the exploit to download another file.
- The SWF decrypts the binary file with a simple XOR operation.
- The SWF then decompresses the decrypted data.
- The SWF builds up a shellcode including ROP gadget addresses which saves the decompressed data to “%TEMP%scvhost.exe” and executes it.
Details of the exploitation process:
Unlike other SWF exploits, this exploit doesn't use heap-spray technique. Instead, it uses a 3-stage ROP-based attacking process, which can be described as the following:
- The malformed SWF leverages the vulnerability in the Adobe Flash Player and mocks up a fake Object data structure with a deliberately crafted VTABLE (virtual table), which can cause the control transfer from the JIT (Just-In-Time) compiled code to the ROP gadgets built from the Flash Player DLL.
- The ROP gadgets call VirtualAlloc( ) to allocate an executable memory region and build the following trampoline code into it.
- The trampoline code calls VirtualProtect() to make the aforementioned shellcode built by the SWF executable and then executes it.
Figure 1: ROP address adjustment according to Flash version and container type
The unique thing about this malware is that it is version-specific when constructing shellcode. Rather than just using a static shellcode, it's building it according to the Flash Player version and the type of container holding the SWF file (see Figure 1 above). Based on this information, it's adjusting the ROP gadget addresses (see Figure 2 below). Every gadget address is inside the Flash Player's own DLL and this makes the exploit process very stable. Currently we saw the malware targeting versions 10.3.181.14, 10.3.181.22 and 10.3.181.23.
Figure 2: The dynamically built shellcode based on Flash Player version
The downloaded PE file
The downloaded PE file executed by the shellcode is detected as PWS:Win32/OnLineGames.ZDV (SHA1: 4a13a14523fe95817cc53c75f86ee4af36ee2464) which specifically targets the Korean online games community. This focus on Korea has been also evident in our telemetry from our protected Microsoft Security Essentials and Forefront customers, where, aside from one day (June 22) where attacks increased in Europe and Russia, attack attempts have been predominantly reported from computers in Korea.
Figure 3: MMPC Telemetry on CVE-2011-2110 Attack Attempts during June 17 – 30, 2011
-- Jeong Wook Oh, Chun Feng & Marian Radu