
The SonicWALL UTM Research team found reports of a new 0-day vulnerability (CVE-2009-1862) in Adobe Flash Player v9 and v10 being exploited in the wild via malicious drive-by sites.
The exploit is being actively served in the wild via the following URL, which has been found injected into pages of infected websites:
The above page only loads when the request carries a valid Referer header containing the URL of one of the infected pages. The Active Server Page contains a script that identifies the user's browser environment and, based on that, loads one of the following pages:
The code snippet can be seen below:
In the first two cases, ff.html and ie.html contain JavaScript that downloads and runs a malicious Shockwave Flash file exploiting the 0-day vulnerability in Adobe Flash Player:
It also downloads a XORed backdoor Trojan executable from the following URL:
A screenshot of the 0-day exploit in action, crashing the Flash Player object and the browser, can be seen below:
In the third case, the mpg.html page contains JavaScript that first checks for the presence of specific host antivirus software from Kaspersky and McAfee. If that software is not present, it attempts to exploit the Microsoft DirectShow Msvidctl vulnerability.
The code snippet for the antivirus presence check can be seen below:
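The infection chain above (a landing Active Server Page reached with a referrer, one of ff.html, ie.html or mpg.html, then the Flash file or the executable) is exactly the sequence a proxy log reveals. The following is an added example, not code from the advisory: it correlates per-client requests against that chain over a constructed log; the host names, file names such as in.asp, exp.swf and load.exe, and the 60-second window are assumptions, since the real URLs are not given on the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not from the advisory): time, client, URL, referrer.
SAMPLE_LOG = """\
2009-07-22T10:00:01 10.0.0.5 http://infected.example/index.html -
2009-07-22T10:00:02 10.0.0.5 http://bad.example/in.asp http://infected.example/index.html
2009-07-22T10:00:03 10.0.0.5 http://bad.example/ie.html http://bad.example/in.asp
2009-07-22T10:00:04 10.0.0.5 http://bad.example/exp.swf http://bad.example/ie.html
2009-07-22T10:00:05 10.0.0.5 http://bad.example/load.exe http://bad.example/ie.html
2009-07-22T10:00:09 10.0.0.7 http://news.example/story.html -
2009-07-22T10:00:10 10.0.0.7 http://cdn.example/player.swf http://news.example/story.html
"""

# Chain stages from the advisory: a landing .asp page reached with a referrer, one of
# the three browser-specific pages, then the Flash exploit or the executable payload.
# The file names (in.asp, exp.swf, load.exe) are placeholders, not the real ones.
STAGES = (
    ("landing", re.compile(r"\.asp$", re.I)),
    ("browser_page", re.compile(r"/(ff|ie|mpg)\.html$", re.I)),
    ("payload", re.compile(r"\.(swf|exe)$", re.I)),
)
WINDOW_SECONDS = 60  # all three stages must occur within this window (assumed)

def stage_of(url, referrer):
    """Return the stage a request belongs to, or None. The landing page only
    counts with a referrer present, mirroring the check the advisory describes."""
    for name, pattern in STAGES:
        if pattern.search(url):
            return None if name == "landing" and referrer == "-" else name
    return None

def find_chains(log_text):
    """Return {client: [urls]} for clients that hit every stage inside the window."""
    hits = defaultdict(list)  # client -> [(timestamp, stage, url)]
    for line in log_text.strip().splitlines():
        ts, client, url, referrer = line.split()
        stage = stage_of(url, referrer)
        if stage:
            hits[client].append((datetime.fromisoformat(ts), stage, url))
    flagged = {}
    for client, events in hits.items():
        seen = {s for _, s, _ in events}
        span = (events[-1][0] - events[0][0]).total_seconds()
        if seen == {n for n, _ in STAGES} and span <= WINDOW_SECONDS:
            flagged[client] = [u for _, _, u in events]
    return flagged
```

Only 10.0.0.5 is flagged: 10.0.0.7 fetched a .swf but never touched the landing or browser-specific pages.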
SonicWALL Gateway AntiVirus provides protection against this threat via the GAV: Pidief (Exploit), GAV: Pidief_2 (Exploit), GAV: Pidief_3 (Exploit) and GAV: Agent.ROX (Trojan) signatures.