It has become common for cybercriminals to exploit unpatched vulnerabilities. For Adobe, in particular, this issue has become a continuous challenge, as zero-day exploits continuously target its most popular applications—Adobe Reader, Acrobat, and Flash Player.
Earlier this month, the second major flaw Adobe has yet to resolve this year led to a new zero-day exploit in Adobe Acrobat. A week later, yet another critical flaw in Adobe Flash Player was exploited in the wild. This flaw affects multiple platforms, including Windows, Mac, Linux, Solaris, and Android. When exploited, it can crash a system and can allow an attacker to execute malicious commands on, and thereby take control of, the affected system.
Chasing Waterfalls May Lead to a Backdoor
The new Adobe Flash Player exploit arrives on a system as a malicious .SWF file Trend Micro detects as SWF_DLOADR.APP. When executed, it displays an animated waterfall to hide its malicious routines and to trick users into thinking that there is nothing wrong with their systems.
Figure 1. SWF_DLOADR.APP infection diagram
Based on further analysis, the attackers may have derived the animated waterfall from a normal .SWF file and then modified it to check whether the exploit works. Mutating legitimate input files in this way is the technique known as fuzzing, which hackers use to discover new vulnerabilities in different applications.
The malicious file connects to URLs to download a backdoor Trend Micro detects as BKDR_POISON.AKD, which opens a hidden Internet Explorer window. It then connects to a remote malicious server and waits for commands to be issued. Once it establishes a connection, it harvests information from the affected system.
Script Kiddies Follow Suit
Trend Micro detects another exploit that takes advantage of the same vulnerability as SWF_TOOBERR.A. Like the earlier exploit, it tries to connect to certain websites to download more malicious files. However, the malicious sites were already inaccessible at the time of analysis.
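Both SWF_DLOADR.APP and SWF_TOOBERR.A are Flash files whose first action is to reach out to download URLs, so a useful first triage step for a suspicious .SWF is to parse its header, inflate the compressed body and list any embedded URLs for blocking or sandbox correlation. The following Python script is an added example written for this post; it is not Trend Micro code and not derived from either sample. It relies only on the public SWF container layout (a 3-byte signature of `FWS` for uncompressed or `CWS` for zlib-compressed files, a version byte and a little-endian 32-bit file length) and feeds itself a constructed sample whose hostnames are placeholders, not real indicators. The LZMA `ZWS` container introduced in later Flash versions is deliberately not handled.

```python
import re
import struct
import zlib

# Constructed sample body: padding plus a few strings, two of which are
# placeholder download URLs of the kind these droppers contact.
_BODY = (
    b"\x00" * 16
    + b"http://example.invalid/payload.exe\x00"
    + b"some harmless text\x00"
    + b"https://c2.example.invalid/gate.php\x00"
)

# Loose URL matcher over raw bytes; stops at whitespace, NUL or quoting chars.
URL_RE = re.compile(rb"https?://[^\s\x00\"'<>]+")


def build_cws(body: bytes, version: int = 10) -> bytes:
    """Wrap raw SWF body bytes in a CWS (zlib-compressed) container.
    FileLength in the header counts the whole *uncompressed* file, header included."""
    header = b"CWS" + bytes([version]) + struct.pack("<I", 8 + len(body))
    return header + zlib.compress(body)


SAMPLE_SWF = build_cws(_BODY)  # constructed test input, not a real sample


def parse_swf(data: bytes) -> dict:
    """Parse the 8-byte SWF header and return metadata plus the inflated body.
    Raises ValueError for anything that is not an FWS/CWS file."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF file")
    sig, version = data[:3], data[3]
    (declared_len,) = struct.unpack("<I", data[4:8])
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    else:
        raise ValueError("unknown SWF signature %r" % sig)
    return {
        "compressed": sig == b"CWS",
        "version": version,
        "declared_length": declared_len,
        "actual_length": 8 + len(body),
        "body": body,
    }


def extract_urls(body: bytes) -> list:
    """Return the unique URLs embedded in the body, sorted for stable output."""
    return sorted({m.group(0).decode("ascii", "replace") for m in URL_RE.finditer(body)})


def triage(data: bytes) -> dict:
    """Summarise one SWF: header facts, embedded URLs and simple consistency flags."""
    info = parse_swf(data)
    urls = extract_urls(info["body"])
    flags = []
    if info["declared_length"] != info["actual_length"]:
        # A mismatch is common in hand-modified files and worth a closer look.
        flags.append("header FileLength does not match inflated size")
    if urls:
        flags.append("%d embedded URL(s) to block or sandbox" % len(urls))
    return {
        "version": info["version"],
        "compressed": info["compressed"],
        "declared_length": info["declared_length"],
        "actual_length": info["actual_length"],
        "urls": urls,
        "flags": flags,
    }


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_SWF
    for key, value in triage(data).items():
        print("%-16s %s" % (key + ":", value))
```

Run it with a file path to triage a real .SWF, or with no arguments to see the output for the constructed sample. Strings alone will not reveal URLs that an ActionScript payload assembles at runtime, so an empty URL list is not a clean bill of health; it only means the next step is dynamic analysis, where the Web reputation blocking described later in this post does the work.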
One notable characteristic of this malware is that embedded in its code is a message from the malware author aimed at antivirus companies.
This behavior is reminiscent of the early days when virus writers used to leave traces of their identity or some sort of message within the code. They did this to get credit for their malicious code and gain popularity among their peers. While some malware writers still do this today, most serious hackers and cybercriminals keep their identities and their malicious code hidden, especially from security researchers.
Given this behavior and the way the message was written, one can only assume that the code was most probably created by a script kiddie who relied on prewritten programs to build it. Although this may not pose a threat as critical as SWF_DLOADR.APP does, the fact that an inexperienced malware writer was able to exploit the vulnerability makes it all the more troubling to think what real cybercriminals can do with vulnerabilities like this.
User Risks and Exposure
Based on the results of a Millward Brown survey for Adobe, “Adobe Flash Player is the world's most pervasive software platform, used by 3 million professionals and reaching 99 percent of Internet-enabled desktops in mature markets as well as a wide range of devices.”
It is undoubtedly the most popular movie player today across almost all platforms and online devices, which means a huge target base for spreading malicious code. For this reason, cybercriminals will continue to look for more flaws to exploit in this application.
Zero-day exploits give cybercriminals a window in which to compromise systems because software publishers cannot immediately release patches for the flaws in their applications. In effect, users remain vulnerable to attacks until the patches are released. In most cases, this can take days, weeks, or even months, because software publishers usually work on a regular patch schedule and releasing an out-of-band patch depends on the company's own assessment of the issue.
Users who watch or play Flash content are often not wary enough of the sites they access and so are likely to fall victim to this threat. SWF_DLOADR.APP usually arrives via malicious sites and downloads a backdoor that leaves affected systems open to compromise. Once a system is compromised, cybercriminals can steal information from it and even take control of it.
Trend Micro Solutions and Recommendations
Trend Micro™ Smart Protection Network™ delivers security that is smarter than conventional approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network™ combines unique in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and automatically protect your information wherever you connect.
In this particular attack, Smart Protection Network protects users by detecting the malicious files that exploit this vulnerability via the file reputation service. Its Web reputation service, on the other hand, blocks access to the malicious URLs and servers the malware contacts. Blocking these sites prevents SWF_DLOADR.APP and SWF_TOOBERR.A from connecting to, or sending and receiving information from, remote malicious sites.
Trend Micro Deep Security and OfficeScan enterprise users with the Intrusion Defense Firewall plug-in with rule number 1004403 are also protected from this threat.
Since cybercriminals typically take advantage of flaws in software to plant malware on systems, keeping one’s software current minimizes exposure to vulnerabilities. Apply the latest security updates and patches to software programs and OSs, and enable automatic updates where possible. For this exploit, Adobe has released a product update that resolves the issue. Users are strongly advised to update their software so as not to fall victim to this threat.
The following post at the TrendLabs Malware Blog discusses this threat: