NEWS FROM THE LAB - Wednesday, March 23, 2011

Attack Using CVE-2011-0609 Posted by Response @ 02:55 GMT

Attackers have been taking advantage of the situation in Japan to trick their targets into opening malicious files. These cases have used infected Excel attachments with Flash exploits.

Here's a screenshot of one such e-mail, provided by Contagio:


The related XLS samples have these hashes:

  •  4bb64c1da2f73da11f331a96d55d63e2
  •  4031049fe402e8ba587583c08a25221a
  •  d8aefd8e3c96a56123cd5f07192b7369
  •  7ca4ab177f480503653702b33366111f

We detect them as Exploit.CVE-2011-0609.A and Exploit:W32/XcelDrop.F.

Another sample we've seen (md5:20ee090487ce1a670c192f9ac18c9d18) is an Excel file containing an embedded Flash object that exploits a known vulnerability (CVE-2011-0609). When the XLS file is opened, it shows an empty Excel spreadsheet and starts exploit code via a Flash object.

The Flash object starts by doing a heap-spray containing the following shellcode:


This first shellcode only loads and passes execution to a second shellcode embedded in the Excel file:


The second shellcode is responsible for decrypting and executing an EXE file (also embedded in the Excel file):

second shellcode


In the meantime, the Flash object constructs and loads a second Flash object in runtime:


This second Flash object is the main exploit in this malware and it exploits CVE-2011-0609 to execute the shellcode in the heap. We generically detect the Flash object as Exploit.CVE-2011-0609.A.

As an aside: the main exploit appears to have been delivered in this fashion in an attempt to evade detection. As it is loaded in memory, no physical file is available for scanning by an antivirus engine. Embedding the Flash object that loads the main exploit in an Excel file may be an attempt to further disguise the attack.

Fortunately, the malicious Excel file and its embedded EXE file are detected as Exploit.D-Encrypted.Gen and Trojan.Agent.ARKJ, respectively.

Still, users should update their Flash player as Adobe has already released a patch for this particular vulnerability. For more information, please see their security advisory for CVE-2011-0609.

Threat Solutions post by — Broderick