
Finjan prevents 0-day exploit of Adobe Acrobat Reader and Flash player vulnerability

By Anonymous  •  July 23rd, 2009  •   Vulnerabilities

Finjan’s Malicious Code Research Center (MCRC) has detected yet another case of a 0-day attack “in the wild”. This time, hackers are exploiting a vulnerability (CVE-2009-1862) in Adobe Acrobat/Reader and Flash Player. By exploiting this vulnerability, the hackers can download and execute malicious code on the victim’s PC. According to Adobe, an update will be available only on July 31, 2009, leaving end users’ PCs unprotected in the meantime.
As with the previous 0-day attacks we reported, Finjan’s unified Secure Web Gateway (SWG) successfully detected and prevented the attempt to exploit the vulnerability and to execute code. By utilizing its patented real-time content inspection technology, Finjan’s SWG proactively prevented the attack without any update. 
As discovered by MCRC research, the attack is delivered from compromised websites containing a script tag that loads the exploit from a remote malicious server. The malicious script uses a heap spray technique to place the attack shellcode in memory and then loads a maliciously crafted Flash file that triggers the vulnerability.
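The delivery chain described above (an injected script tag pointing at another host, a heap spray loop, and an embedded Flash file) is the kind of pattern a content-inspecting gateway looks for without needing a signature for the specific exploit. The following Python detector is an added example, not Finjan's code and not the script from the post; the sample page, the host name `malicious.example`, the function `inspect_content` and the verdict thresholds are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not the script from the original post): a page with an
# injected script tag pointing at an external host, a heap-spray loop and an
# embedded remote Flash file. The %u values are placeholder bytes, not a payload.
SAMPLE_PAGE = r"""
<html><body>
<script src="http://malicious.example/exploit.js"></script>
<script>
var shellcode = unescape("%u4141%u4242%u4343%u4444");
var nops = unescape("%u0c0c%u0c0c");
while (nops.length < 0x100000) nops += nops;
var heap = new Array();
for (var i = 0; i < 400; i++) heap[i] = nops + shellcode;
</script>
<embed src="http://malicious.example/flash.swf" type="application/x-shockwave-flash">
</body></html>
"""

# Constructed benign page for contrast: a same-origin script and no spray loop.
BENIGN_PAGE = r"""
<html><body>
<script src="/static/app.js"></script>
<script>for (var i = 0; i < 3; i++) console.log(i);</script>
</body></html>
"""

# Heuristics that together characterise a heap spray in JavaScript.
HEURISTICS = {
    # unescape() of a run of %uXXXX escapes: a binary blob being assembled
    "unicode_escaped_blob": re.compile(r'unescape\(\s*["\'](?:%u[0-9a-fA-F]{4}){2,}'),
    # while (s.length < N) s += s;  -- exponential growth of a slide string
    "self_doubling_string": re.compile(
        r'while\s*\(\s*(\w+)\.length\s*<\s*(?:0x[0-9a-fA-F]+|\d+)\s*\)\s*\1\s*\+=\s*\1'),
    # for (...) arr[i] = slide + code;  -- filling the heap with copies
    "array_fill_loop": re.compile(r'for\s*\([^)]*\)\s*(\w+)\s*\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*\w+'),
}
SCRIPT_SRC = re.compile(r'<script[^>]+src\s*=\s*["\']([^"\']+)["\']', re.I)
SWF_REF = re.compile(r'["\']([^"\']+\.swf)["\']', re.I)
SPRAY_KEYS = set(HEURISTICS)


def inspect_content(html, page_host):
    """Return the findings for one response body and a verdict for the gateway.

    page_host is the host the response was fetched from; script and Flash
    references to any other host are reported as remote loads.
    """
    findings = []
    for name, pattern in HEURISTICS.items():
        if pattern.search(html):
            findings.append(name)
    for url in SCRIPT_SRC.findall(html):
        host = urlparse(url).hostname
        if host and host != page_host:
            findings.append("remote_script:" + host)
    for url in SWF_REF.findall(html):
        host = urlparse(url).hostname
        if host and host != page_host:
            findings.append("remote_flash:" + host)
    spray_hits = SPRAY_KEYS.intersection(findings)
    if len(spray_hits) >= 2:
        verdict = "block"      # spray loop plus encoded blob: treat as exploit
    elif findings:
        verdict = "review"     # remote loads alone are common on legitimate pages
    else:
        verdict = "allow"
    return {"findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        print(label, inspect_content(page, "victim.example"))
```

The verdict deliberately requires two independent spray indicators before blocking: a single `unescape()` call or a cross-origin script tag is routine on legitimate sites, while a self-doubling string combined with an array-fill loop is rarely anything but a spray. Real inspection engines work on the decoded script after any JavaScript-level obfuscation has been unwrapped; this regex pass would be applied to that decoded form.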
Following is a code snippet of the malicious script: 
Another interesting aspect of this exploit is that the shellcode embedded in the script loads an obfuscated executable. This simple obfuscation is done in order to evade detection by signature-based security products. The downloaded malicious executable creates a Trojan DLL named “wmimachine2.dll” and registers it as a service on the victim’s PC.
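For a responder, the persistence step above gives a host-side indicator: a service whose DLL is the reported `wmimachine2.dll`. The Python check below is an added example, not from the original post; it goes one step beyond the single name and also flags any svchost-hosted service whose `ServiceDll` lives outside the Windows system directories, since that is the shape a dropped service DLL usually takes. The service records are constructed in the shape of `HKLM\SYSTEM\CurrentControlSet\Services` entries (the DLL's path and the other service names are assumptions, not values from the post).

```python
import ntpath

# DLL name reported in the post; everything else in this block is constructed.
IOC_DLL_NAMES = {"wmimachine2.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed records shaped like Services registry entries: "image_path" is
# ImagePath and "service_dll" is Parameters\ServiceDll (None for a plain EXE).
SAMPLE_SERVICES = [
    {"name": "Dhcp",
     "image_path": r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted",
     "service_dll": r"C:\Windows\System32\dhcpcore.dll"},
    {"name": "wmimachine2",  # placement under System32 is an assumption
     "image_path": r"C:\Windows\system32\svchost.exe -k netsvcs",
     "service_dll": r"C:\Windows\system32\wmimachine2.dll"},
    {"name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe",
     "service_dll": None},
    {"name": "updater",  # constructed: a service DLL dropped in a user-writable path
     "image_path": r"C:\Windows\system32\svchost.exe -k netsvcs",
     "service_dll": r"C:\Users\Public\update\helper.dll"},
]


def normalise(path):
    """Expand the common %SystemRoot% prefix and lower-case for comparison."""
    return path.replace("%SystemRoot%", r"C:\Windows").lower()


def find_suspicious_services(records):
    """Return (service name, reasons) for every service DLL worth a closer look."""
    hits = []
    for rec in records:
        dll = rec.get("service_dll")
        if not dll:
            continue  # not a DLL-hosted service; nothing to check here
        dll_path = normalise(dll)
        reasons = []
        if ntpath.basename(dll_path) in IOC_DLL_NAMES:
            reasons.append("known_ioc_name")
        if not dll_path.startswith(SYSTEM_DIRS):
            reasons.append("service_dll_outside_system_dir")
        if reasons:
            hits.append((rec["name"], reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in find_suspicious_services(SAMPLE_SERVICES):
        print(name, ", ".join(reasons))
```

The name match is only as good as the indicator it was given; the location check is what still fires once the attacker renames the file, at the cost of some benign third-party services that legitimately install DLLs elsewhere, which is why the function reports reasons rather than a verdict.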
When posting the exploit on VirusTotal, we found that none of the 40 anti-virus products detected it as malicious.
Posting the malicious script ended with a similar result: no detection.
Posting the malicious Flash file ended with the same result: no detection.
Posting the obfuscated payload ended with the same result: no detection.
When browsing to the compromised site serving the 0-day attack via Finjan’s unified secure web gateway, users are protected as can be seen below: 
Posted by Golan Yosef
