Pages

Friday, August 17, 2012

CVE-2012-1535 - 7 samples and info


I was still writing my analysis when Alienvault posted CVE-2012-1535: Adobe Flash being exploited in the wild and mine would be pretty much the repeat of the same. I don't like repeating so I will just post the samples and link to Jaime Biasco's article.  As you see from SSDeep they are nearly identical in size, exploit, and payload. All Word documents were authored by "Mark" and have same strings and indicators present as in the analyzed file.

CVE #

CVE-2012-1535
Unspecified vulnerability in Adobe Flash Player before 11.3.300.271 on Windows and Mac OS X and before 11.2.202.238 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted SWF content, as exploited in the wild in August 2012 with SWF content in a Word document.

Download

 Note nearly identical ssdeep

919708b75b1087f863b6b49a71eb133d
MedalTop10.doc MedalTop10.doc
3072:hHNqm9x2CAUTfK4TSwQ59LJWKMFjBKFyimr9VZf2y6:htqAcCAUDK4TVoxJXKjBKFyXr9VZS
------------------------------------------------------
c0c83fe9f21560c3be8dd13876c11098
page 1-2.doc
3072:hHNqm9x2CAUTaK4TSwQ59LJWKMFjBKFy+w1KIeLwhtqAcCAU2K4TVoxJXKjBKFy+vw
------------------------------------------------------
65090678746d74b4f32cc5977e2bad95 
tickets.doc
3072:hHNqm9x2CAUTMKFThwQ59LJWKMFjBKFN4tBYVglzIeLwhtqAcCAUIKFTioxJXKjBKFN4tOVgzw
------------------------------------------------------
d512d9544907a3589eba64f196aec0d7
TYBRIN Project Review Report_Aug 12.doc
3072:hHNqm9x2CAUTkKAbTLwQ59LJWKMFjBKFyabQlzIeLw:htqAcCAUIKSTUoxJXKjBKFyabQzw
------------------------------------------------------
8b47310c168f22c72a263437f2d246d0
Message_from_PerInge.doc
3072:hHNqm9x2CAUT5KAbTLwQ59LJWKMFjBKFyabQlzIeLwhtqAcCAU1KSTUoxJXKjBKFyabQzw
------------------------------------------------------
ad3aa76dd54f6be847b927855be16c61
Running Mate.doc
3072:hHNqm9x2CAUTDKRTnwQ59LJWKMFjBKFaeoLzIeLw:htqAcCAUXKRTwoxJXKjBKFaeoNw
------------------------------------------------------
7e3770351aed43fd6c5cab8e06dc0300
iPhone 5 Battery.doc
3072:hHNqm9x2CAUTuKRTnwQ59LJWKMFjBKFS/JEVglzIeLw:htqAcCAUCKRTwoxJXKjBKFShEVgzw

------------------------------------------------------



Automatic scans

SHA256:     2904c0f9786253e4a7327e816cbbb173274f056d074ad8259f79af2216363333
SHA1:     c0a8ce03dc262ddef0c8a74b4619f17ba164b9d7
MD5:     919708b75b1087f863b6b49a71eb133d
File size:     291.5 KB ( 298496 bytes )
File type:     MS Word Document
Tags:     cve-2012-1535 doc exploit
Detection ratio:     9 / 42
Analysis date:     2012-08-17 02:20:33 UTC ( 2 hours, 57 minutes ago )
AhnLab-V3     Dropper/Cve-2012-1535     20120816
Avast     SWF:CVE-2012-1535 [Expl]     20120816
Commtouch     MSWord/SWFDropper.A!Camelot     20120817
GData     SWF:CVE-2012-1535     20120817
Kaspersky     Exploit.SWF.Agent.gq     20120817
Microsoft     Exploit:SWF/ShellCode.G     20120817
nProtect     Exploit/W32.CVE-2012-1535.298496.B     20120816
Sophos     Troj/SwfExp-BB     20120817
TrendMicro-HouseCall     -     20120817
ViRobot     SWF.A.EX-Agent.298496     20120816

page 1-2.doc
SHA256:     5332fec6d0dc326718152e8c17125ba44f1e4c2c0e8659fc671758501274d0f2
SHA1:     f0280d29b42aefeb46555af39af651780001e749
MD5:     c0c83fe9f21560c3be8dd13876c11098
File size:     291.5 KB ( 298496 bytes )
File name:     page 1-2.doc
File type:     MS Word Document
Tags:     cve-2012-1535 doc exploit
Detection ratio:     14 / 42
Analysis date:     2012-08-16 14:21:44 UTC ( 14 hours, 58 minutes ago )
AhnLab-V3     Dropper/Cve-2012-1535     20120816
Avast     SWF:CVE_2012_1535 [Expl]     20120816
BitDefender     Exploit.Shellcode.AV     20120816
Commtouch     MSWord/SWFDropper.A!Camelot     20120816
Emsisoft     Exploit.SWF.Shellcode!IK     20120816
F-Secure     Exploit.Shellcode.AV     20120816
Fortinet     W32/Baddoc.B!tr     20120816
GData     Exploit.Shellcode.AV     20120816
Ikarus     Exploit.SWF.Shellcode     20120816
Kaspersky     Exploit.SWF.Agent.gq     20120816
Microsoft     Exploit:SWF/ShellCode.G     20120816
nProtect     Exploit/W32.CVE-2012-1535.298496.C     20120816
Sophos     Troj/SwfExp-BB     20120816
Symantec     Trojan.Mdropper     20120816

65090678746d74b4f32cc5977e2bad95 
tickets.doc
SHA256:    b88996c2b43400a3ddbaa7f28889f06e85f088e6213ed45fb08b1ada835eb563
SHA1:    8e455149a77006b2ddf2150451a24bc841bae434
MD5:    65090678746d74b4f32cc5977e2bad95
File size:    291.5 KB ( 298496 bytes )
File type:    MS Word Document
Detection ratio:    8 / 42
Analysis date:     2012-08-17 05:24:51 UTC ( 0 minutes ago )
AhnLab-V3    Dropper/Cve-2012-1535    20120816
Avast    SWF:CVE-2012-1535 [Expl]    20120816
Commtouch    MSWord/SWFDropper.A!Camelot    20120817
GData    SWF:CVE-2012-1535    20120817
Kaspersky    Exploit.SWF.Agent.gq    20120817
Microsoft    Exploit:SWF/ShellCode.G    20120817
Sophos    Troj/SwfExp-BB    20120817
Symantec    Trojan.Mdropper    20120817
 
d512d9544907a3589eba64f196aec0d7 
TYBRIN Project Review Report_Aug 12.doc 
SHA256:     9ebbafd859ccdd87bebf9562d4d15eef05ddc5f939e77e03d2e40591328558da
SHA1:     893b8ddafc1f127f189a439bef5f1e9f46caaeda
MD5:     d512d9544907a3589eba64f196aec0d7
File size:     291.5 KB ( 298496 bytes )
File name:     TYBRIN Project Review Report_Aug 12.cod
File type:     MS Word Document
Detection ratio:     0 / 42
Analysis date:     2012-08-13 23:20:32 UTC ( 3 days, 6 hours ago )

8b47310c168f22c72a263437f2d246d0 
Message_from_PerInge.doc 
SHA256:     d5ad0a664731e1dee43c493c92bf8db2bd6831cf0bd15f89b65e0bbb4a72b35b
SHA1:     f58d019756ba41b117f070c8acb9addba6b119fc
MD5:     8b47310c168f22c72a263437f2d246d0
File size:     291.5 KB ( 298496 bytes )
File name:     Message_from_PerInge.doc
File type:     MS Word Document
Detection ratio:     0 / 39
Analysis date:     2012-08-13 12:36:18 UTC ( 3 days, 16 hours ago )



ad3aa76dd54f6be847b927855be16c61
Running Mate.doc

n/a

7e3770351aed43fd6c5cab8e06dc0300
iPhone 5 Battery.doc

SHA256:     742db588c3cfa416215619db34e168be58846058f7528adee8358bb8b8b68fe3
SHA1:     b4562ef0cd54234374ff9d24e0d1b01c1db5e873
MD5:     7e3770351aed43fd6c5cab8e06dc0300
File size:     291.5 KB ( 298496 bytes )
File name:     file-4380428_
File type:     MS Word Document
Tags:     cve-2012-1535 doc exploit
Detection ratio:     15 / 42
Analysis date:     2012-08-17 02:10:07 UTC ( 3 hours, 21 minutes ago )
AhnLab-V3     Dropper/Cve-2012-1535     20120816
Avast     SWF:CVE-2012-1535 [Expl]     20120816
Commtouch     MSWord/SWFDropper.A!Camelot     20120817
Emsisoft     Exploit.SWF.Shellcode!IK     20120817
ESET-NOD32     SWF/Exploit.CVE-2012-1535.A     20120816
F-Prot     CVE2012153     20120817
GData     SWF:CVE-2012-1535     20120817
Ikarus     Exploit.SWF.Shellcode     20120817
Kaspersky     Exploit.SWF.Agent.gq     20120817
Microsoft     Exploit:SWF/ShellCode.G     20120817
nProtect     Exploit/W32.CVE-2012-1535.298496     20120816
Sophos     Troj/SwfExp-BB     20120817
Symantec     Trojan.Mdropper     20120817
TrendMicro     TROJ_MDROP.EVL     20120817
TrendMicro-HouseCall     -     20120817
ViRobot     DOC.S.CVE-2012-1535.298496     20120816

 

6 comments:

  1. Mila,
    Something went wrong with VT as Sophos detect all 7 files. Thanks for these samples :)

    pob

    ReplyDelete
  2. good job,some vendor detect as shellcode,some identified cve No.

    ReplyDelete
  3. Hello Mila
    Thanks for up blog
    are you have html poc or swf poc or action script?

    ReplyDelete
  4. Yesterday Adobe released APSB12-18, which addressed CVE-2012-1535. As noted in the Adobe bulletin, the vulnerability has been actively exploited in the wild, though primarily in targeted attacks wrapped in Microsoft Word documents.

    ReplyDelete
  5. Whats the password for the archive?

    ReplyDelete