Tuesday, March 15, 2011

CVE-2011-0609 - Adobe Flash Player ZeroDay - Update

Common Vulnerabilities and Exposures (CVE) number

General File Information

File: crsenvironscan.xls
MD5: 4BB64C1DA2F73DA11F331A96D55D63E2
File size: 126,444 bytes
Type: XLS
Distribution: Email attachment

File: survey-questions_2011.xls
MD5: 4031049FE402E8BA587583C08A25221A
File size: 108,032 bytes
Type: XLS
Distribution: Email attachment

File: Tentative Agenda.xls
MD5: d8aefd8e3c96a56123cd5f07192b7369
File size: 123,300 bytes
Type: XLS
Distribution: Email attachment

File: Nuclear Radiation Exposure And Vulnerability Matrix.xls
MD5: 7CA4AB177F480503653702B33366111F
File size: 279,616 bytes
Type: XLS
Distribution: Email attachment


Download CVE-2011-0609 as a password-protected archive. (Email me if you need the password.)

Files included
  • CVE-2011-0609_XLS-SWF-2011-03-08_4BB64C1DA2F73DA11F331A96D55D63E2_crsenvironscan.xls
  • CVE-2011-0609_XLS-SWF_2011-03-12_4031049FE402E8BA587583C08A25221A_survey-questions_2011.xls
  • CVE-2011-0609_XLS-SWF_2010-03_d8aefd8e3c96a56123cd5f07192b7369_Tentative Agenda.xls
  • CVE-2011-0609_XLS-SWF_2011-03-17_Nuclear Radiation Exposure And Vulnerability Matrix.xls

Analysis Links

1. March 15 Villy from BugiX - Security Research posted an interesting static analysis of the malicious sample. Please check it out at CVE-2011-0609 - Adobe Flash Player ZeroDay

2. March 16 CVE-2011-0609 payload a.exe analysis

3. March 16 Trojan.Linxder and the Flash 0-day (CVE-2011-0609) - FireEye Malware Intelligence Lab

4. March 16 Adobe Flash 0-day, China CNE Operators LoVeZ ‘em - Veiled Shadows

5. March 18 Busting the APT can Wide Open - Veiled Shadows. Very detailed and interesting post regarding the connection with this zero-day exploit. I agree that yuange1975 on Twitter is the author of the exploit or connected to the author, but am not sure whether the real yuange1975 or 袁哥, who is known as Yuan Colombian "the hacker #1", is the author of the tweets; his real English skills are much worse - check out his Full Disclosure posts. The last sample (4) also carries Yuan.SWF (thanks to villys777 for pulling it out), which is another link to our friend. Please note, we are talking about the author of the exploit, not the senders. The senders of the payload are those who bought the 0day from "Yuange" and used it for the attack. Now, it would be nice to know who they are too.

6. March 18 A Technical Analysis on the CVE-2011-0609 Adobe Flash Player Vulnerability - Jeong Wook Oh & Marian Radu

7. March 19 Attack Using CVE-2011-0609 - shellcode and Flash analysis by Broderick (F-Secure)

Original Message, Sender and Headers


Subject: Environmental Scan Matrix of Risk and Security Organizations

Partial headers
Received: from [] by via HTTP; Tue, 08 Mar 2011 05:57:57 PST
X-Mailer: YahooMailRC/559 YahooMailWebService/
Date: Tue, 8 Mar 2011 05:57:57 -0800 (PST)


 Received: (qmail 2936 invoked from network); 17 Mar 2011 14:54:06 -0000
Received: from (HELO (
  by XXXXXXXXXXXXXXXXXXX 17 Mar 2011 14:54:06 -0000
Received: by iwn19 with SMTP id 19so678003iwn.6
        for XXXXXXXXXXXXX; Thu, 17 Mar 2011 07:54:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma;
DomainKey-Signature: a=rsa-sha1; c=nofws;; s=gamma;
MIME-Version: 1.0
Received: by with SMTP id uy10mr1977189icb.407.1300373646197; Thu,
 17 Mar 2011 07:54:06 -0700 (PDT)
Received: by with HTTP; Thu, 17 Mar 2011 07:54:06 -0700 (PDT)
Date: Thu, 17 Mar 2011 10:54:06 -0400
Subject: Japan Nuclear Radiation Leakage and Vulnerability Analysis
From: Merrie Sasaki
Content-Type: multipart/mixed; boundary="bcaec529952141c4e3049eaed56e"

Original Message


From: Merrie Sasaki []
Sent: Thursday, March 17, 2011 10:54 AM
Subject: Japan Nuclear Radiation Leakage and Vulnerability Analysis

The team has poured in heart and full dedication into this.
Would be grateful if you appreciate it.
Dr. Merrie Sasaki
Team Leader, Nuclear Materials Operation
Office of Nuclear Security and Incident Response
U.S. Nuclear Regulatory Commission
21 Church Street: C2-A07M
Washington, DC 20555

Automatic Scans

File name: crsenvironscan.xl_
Submission date: 2011-03-16 10:21:16 (UTC)
Result: 9/43 (20.9%)
AhnLab-V3     2011.03.16.04     2011.03.16     Dropper/Cve-2011-0609
BitDefender     7.2     2011.03.16     Exploit.CVE-2011-0609.A
Commtouch     2011.03.16     MSExcel/Dropper.B!Camelot
DrWeb     2011.03.16     Exploit.SWF.169
Emsisoft     2011.03.16     Exploit.CVE-2011-0609!IK
GData     21     2011.03.16     Exploit.CVE-2011-0609.A
Ikarus     T3.     2011.03.16     Exploit.CVE-2011-0609
Microsoft     1.6603     2011.03.16     Trojan:Win32/Malfws.A
TrendMicro-HouseCall     2011.03.16     TROJ_ADOBFP.B
MD5: 4bb64c1da2f73da11f331a96d55d63e2

File name: survey-questions_2011.xls
Submission date: 2011-03-16 11:21:13 (UTC)
Result: 13/43 (30.2%)
AhnLab-V3    2011.03.16.04    2011.03.16    Dropper/Cve-2011-0609
BitDefender    7.2    2011.03.16    Exploit.CVE-2011-0609.A
DrWeb    2011.03.16    Exploit.SWF.169
Emsisoft    2011.03.16    Win32.SuspectCrc!IK
eSafe    2011.03.15    Win32.Dropper
F-Secure    9.0.16440.0    2011.03.14    Exploit:W32/XcelDrop.F
GData    21    2011.03.16    Exploit.CVE-2011-0609.A
Ikarus    T3.    2011.03.16    Win32.SuspectCrc
Kaspersky    2011.03.16    Trojan-Dropper.MSExcel.SwfDrop.a
Microsoft    1.6603    2011.03.16    Trojan:Win32/Malfws.A
Symantec    20101.3.0.103    2011.03.16    Trojan.Dropper
TrendMicro    2011.03.16    TROJ_ADOBFP.A
TrendMicro-HouseCall    2011.03.16    TROJ_ADOBFP.A
MD5: 4031049fe402e8ba587583c08a25221a

File name: Tentative Agenda.xls
Result: 8/43 (18.6%)
AhnLab-V3 2011.03.17.00 2011.03.16 Dropper/Cve-2011-0609
BitDefender 7.2 2011.03.16 Exploit.CVE-2011-0609.A
Commtouch 2011.03.16 MSExcel/Dropper.B!Camelot
DrWeb 2011.03.16 Exploit.SWF.169
GData 21 2011.03.16 Exploit.CVE-2011-0609.A
Microsoft 1.6603 2011.03.16 Trojan:Win32/Malfws.A
Sophos 4.63.0 2011.03.16 Troj/XLSDrp-A
VIPRE 8722 2011.03.16 Exploit.SWF.CVE-2011-0609.a (v)
MD5: d8aefd8e3c96a56123cd5f07192b7369

File name: Nuclear Radiation Exposure And Vulnerability Matrix.xls
Submission date: 2011-03-19 15:06:10 (UTC)
Result: 8/43 (18.6%)
AntiVir    2011.03.18    DR/OLE.HiddenEXE.Gen
AVG    2011.03.19    Generic21.AVXW
BitDefender    7.2    2011.03.19    Exploit.D-Encrypted.Gen
Commtouch    2011.03.19    MSExcel/Dropper.B!Camelot
F-Secure    9.0.16440.0    2011.03.19    Exploit.D-Encrypted.Gen
GData    21    2011.03.19    Exploit.D-Encrypted.Gen
McAfee    5.400.0.1158    2011.03.19    Exploit-CVE2011-0609
Sophos    4.63.0    2011.03.19    Mal/PdfExDr-B
MD5: 7ca4ab177f480503653702b33366111f

1 comment:

  1. Hi, I'm new to analyzing Flash exploits.
    Can you enlighten me on how I can place a breakpoint on the vulnerable SWF?