Common Vulnerabilities and Exposures (CVE) number: CVE-2011-0609
A critical vulnerability exists in Adobe Flash Player 10.2.152.33 and earlier versions (Adobe Flash Player 10.2.154.18 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris operating systems, Adobe Flash Player 10.1.106.16 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions of Reader and Acrobat for Windows and Macintosh operating systems.
General File Information
SAMPLE 1
File: crsenvironscan.xls
MD5: 4BB64C1DA2F73DA11F331A96D55D63E2
File size: 126,444 bytes
Type: XLS
Distribution: Email attachment
SAMPLE 2
File: survey-questions_2011.xls
MD5: 4031049FE402E8BA587583C08A25221A
File size: 108,032 bytes
Type: XLS
Distribution: Email attachment
SAMPLE 3
File: Tentative Agenda.xls
MD5: d8aefd8e3c96a56123cd5f07192b7369
File size: 123,300 bytes
Type: XLS
Distribution: Email attachment
SAMPLE 4
File: Nuclear Radiation Exposure And Vulnerability Matrix.xls
MD5: 7CA4AB177F480503653702B33366111F
File size: 279,616 bytes
Type: XLS
Distribution: Email attachment
Download
Download CVE-2011-0609 as a password-protected archive. (Email me if you need the password.)
Files included
- CVE-2011-0609_XLS-SWF-2011-03-08_4BB64C1DA2F73DA11F331A96D55D63E2_crsenvironscan.xls
- CVE-2011-0609_XLS-SWF_2011-03-12_4031049FE402E8BA587583C08A25221A_survey-questions_2011.xls
- CVE-2011-0609_XLS-SWF_2010-03_d8aefd8e3c96a56123cd5f07192b7369_Tentative Agenda.xls
- CVE-2011-0609_XLS-SWF_2011-03-17_Nuclear Radiation Exposure And Vulnerability Matrix.xls
Analysis Links
1. March 15 - Villy from BugiX - Security Research posted an interesting static analysis of the malicious sample. Please check it out at CVE-2011-0609 - Adobe Flash Player ZeroDay.
2. March 16 - CVE-2011-0609 payload a.exe analysis: http://shpata0xff.wordpress.com/2011/03/16/cve-2011-0609-payload-a-exe-analysis/
3. March 16 - Trojan.Linxder and the Flash 0-day (CVE-2011-0609) (FireEye Malware Intelligence Lab)
4. March 16 - Adobe Flash 0-day, China CNE Operators LoVeZ ‘em (Veiled Shadows)
5. March 18 - Busting the APT Can Wide Open (Veiled Shadows). Very detailed and interesting post regarding the connection of http://twitter.com/yuange1975 with this zero-day exploit. I agree that yuange1975 on Twitter is the author of the exploit or connected to the author, but I am not sure whether the real yuange1975 or 袁哥, who is known as Yuan Colombian "the hacker #1", is the author of the tweets; his real English skills are much worse - check out his Full Disclosure posts. The last sample, Sample 4, also carries Yuan.SWF (thanks to villys777 for pulling it out), which is another link to our friend. Please note, we are talking about the author of the exploit, not the senders. The senders of the payload are those who bought the 0-day from "Yuange" and used it for the attack. Now, it would be nice to know who they are too.
6. March 18 - A Technical Analysis on the CVE-2011-0609 Adobe Flash Player Vulnerability (Jeong Wook Oh & Marian Radu)
7. March 19 - Attack Using CVE-2011-0609: shellcode and flash analysis by Broderick (F-Secure)
Original Message, Sender and Headers
SAMPLE 1
Subject: Environmental Scan Matrix of Risk and Security Organizations
Partial headers
Received: from [75.148.254.114] by web121120.mail.ne1.yahoo.com via HTTP; Tue, 08 Mar 2011 05:57:57 PST
X-Mailer: YahooMailRC/559 YahooMailWebService/0.8.109.292656
Date: Tue, 8 Mar 2011 05:57:57 -0800 (PST)
SAMPLE 4
Received: (qmail 2936 invoked from network); 17 Mar 2011 14:54:06 -0000
Received: from mail-iw0-f195.google.com (HELO mail-iw0-f195.google.com) (209.85.214.195)
by XXXXXXXXXXXXXXXXXXX 17 Mar 2011 14:54:06 -0000
Received: by iwn19 with SMTP id 19so678003iwn.6
for XXXXXXXXXXXXX; Thu, 17 Mar 2011 07:54:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:date:message-id:subject:from:to
:content-type;
bh=0xRgb5+/fvZxd0/qwfyRCbJDcn6ChfzZlNrsKyAv2wc=;
b=qGVeBRR/w/6570uTsq5FFwodcGrtx2AfEjO99oW5dvgXV3mfqxhCy5Z2tEJDNOyMUx
ptroBCJneuZvbzhbieQ+AszVNPj5iK/R74AhWrOX7Qi2bd8zYXlPquoRLsOPA/tjtiO0
whvjpmP9PZoa0/bqKEYNXoiWY8aCvIqdTr+O0=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=mime-version:date:message-id:subject:from:to:content-type;
b=ad7u5tW0S8k16ETcmnMIxdWUwZdK5ImqIlb1/DJkhSycWu99llJVQEhx1E9flh6IPc
ie6Ed9DNccVoWoKyHWby/9ZImkDKRvt3tx4gNB/0azF/PAh71ZNRdZbHGiKNiAjETmC0
FyijnpVHFkwVMerRhj03F7VyQCCQR/hLU0uec=
MIME-Version: 1.0
Received: by 10.43.49.10 with SMTP id uy10mr1977189icb.407.1300373646197; Thu,
17 Mar 2011 07:54:06 -0700 (PDT)
Received: by 10.231.166.139 with HTTP; Thu, 17 Mar 2011 07:54:06 -0700 (PDT)
Date: Thu, 17 Mar 2011 10:54:06 -0400
Message-ID:
Subject: Japan Nuclear Radiation Leakage and Vulnerability Analysis
From: Merrie Sasaki
To: XXXXXXXXXXX
Content-Type: multipart/mixed; boundary="bcaec529952141c4e3049eaed56e"
Original Message
SAMPLE 4
From: Merrie Sasaki [mailto:merrie.sasaki@gmail.com]
Sent: Thursday, March 17, 2011 10:54 AM
To: XXXXXXXXXXXXXXX
Subject: Japan Nuclear Radiation Leakage and Vulnerability Analysis
The team has poured in heart and full dedication into this.
Would be grateful if you appreciate it.
V/r,
Merrie
Dr. Merrie Sasaki
Team Leader, Nuclear Materials Operation
Office of Nuclear Security and Incident Response
U.S. Nuclear Regulatory Commission
21 Church Street: C2-A07M
Washington, DC 20555
Automatic Scans
File name: crsenvironscan.xl_
Submission date: 2011-03-16 10:21:16 (UTC)
Result: 9/43 (20.9%)
http://www.virustotal.com/file-scan/report.html?id=350943b8187458d880cd47ed881d0695e1373d44ed55a1ff963c631173bff06a-1300270876
AhnLab-V3 2011.03.16.04 2011.03.16 Dropper/Cve-2011-0609
BitDefender 7.2 2011.03.16 Exploit.CVE-2011-0609.A
Commtouch 5.2.11.5 2011.03.16 MSExcel/Dropper.B!Camelot
DrWeb 5.0.2.03300 2011.03.16 Exploit.SWF.169
Emsisoft 5.1.0.2 2011.03.16 Exploit.CVE-2011-0609!IK
GData 21 2011.03.16 Exploit.CVE-2011-0609.A
Ikarus T3.1.1.97.0 2011.03.16 Exploit.CVE-2011-0609
Microsoft 1.6603 2011.03.16 Trojan:Win32/Malfws.A
TrendMicro-HouseCall 9.200.0.1012 2011.03.16 TROJ_ADOBFP.B
MD5: 4bb64c1da2f73da11f331a96d55d63e2
File name: survey-questions_2011.xls
http://www.virustotal.com/file-scan/report.html?id=454f624958298bf76c5b7ffa1509159b827856095d41672707fcf6416a818ddb-1300269042
Submission date: 2011-03-16 11:21:13 (UTC)
Result: 13/43 (30.2%)
AhnLab-V3 2011.03.16.04 2011.03.16 Dropper/Cve-2011-0609
BitDefender 7.2 2011.03.16 Exploit.CVE-2011-0609.A
DrWeb 5.0.2.03300 2011.03.16 Exploit.SWF.169
Emsisoft 5.1.0.2 2011.03.16 Win32.SuspectCrc!IK
eSafe 7.0.17.0 2011.03.15 Win32.Dropper
F-Secure 9.0.16440.0 2011.03.14 Exploit:W32/XcelDrop.F
GData 21 2011.03.16 Exploit.CVE-2011-0609.A
Ikarus T3.1.1.97.0 2011.03.16 Win32.SuspectCrc
Kaspersky 7.0.0.125 2011.03.16 Trojan-Dropper.MSExcel.SwfDrop.a
Microsoft 1.6603 2011.03.16 Trojan:Win32/Malfws.A
Symantec 20101.3.0.103 2011.03.16 Trojan.Dropper
TrendMicro 9.200.0.1012 2011.03.16 TROJ_ADOBFP.A
TrendMicro-HouseCall 9.200.0.1012 2011.03.16 TROJ_ADOBFP.A
MD5: 4031049fe402e8ba587583c08a25221a
File name: Tentative Agenda.xls
http://www.virustotal.com/file-scan/report.html?id=db04002f898e2e8090a2cf1bb3af615d478d746f8986aef7a715e2e322abe42b-1300298219
Result: 8/43 (18.6%)
AhnLab-V3 2011.03.17.00 2011.03.16 Dropper/Cve-2011-0609
BitDefender 7.2 2011.03.16 Exploit.CVE-2011-0609.A
Commtouch 5.2.11.5 2011.03.16 MSExcel/Dropper.B!Camelot
DrWeb 5.0.2.03300 2011.03.16 Exploit.SWF.169
GData 21 2011.03.16 Exploit.CVE-2011-0609.A
Microsoft 1.6603 2011.03.16 Trojan:Win32/Malfws.A
Sophos 4.63.0 2011.03.16 Troj/XLSDrp-A
VIPRE 8722 2011.03.16 Exploit.SWF.CVE-2011-0609.a (v)
MD5: d8aefd8e3c96a56123cd5f07192b7369
File name: Nuclear Radiation Exposure And Vulnerability Matrix.xls
Submission date: 2011-03-19 15:06:10 (UTC)
Result: 8/43 (18.6%)
http://www.virustotal.com/file-scan/report.html?id=c4ad40b6b002039fb07bd6539f9003dffb0f46440822e85198a8502a3828d3a3-1300547170
AntiVir 7.11.5.1 2011.03.18 DR/OLE.HiddenEXE.Gen
AVG 10.0.0.1190 2011.03.19 Generic21.AVXW
BitDefender 7.2 2011.03.19 Exploit.D-Encrypted.Gen
Commtouch 5.2.11.5 2011.03.19 MSExcel/Dropper.B!Camelot
F-Secure 9.0.16440.0 2011.03.19 Exploit.D-Encrypted.Gen
GData 21 2011.03.19 Exploit.D-Encrypted.Gen
McAfee 5.400.0.1158 2011.03.19 Exploit-CVE2011-0609
Sophos 4.63.0 2011.03.19 Mal/PdfExDr-B
MD5: 7ca4ab177f480503653702b33366111f
Hi, I'm new to analyzing Flash exploits.
Can you enlighten me on how I can place a breakpoint on the vulnerable SWF?
Thanks