1 of 2 – WEB THREAT SPOTLIGHT

Web Threat Spotlight A Web threat is any threat that uses the Internet to facilitate cybercrime.

Figure 1. Adobe Flash Player vulnerability exploit infection diagram

ISSUE NO. 66 JUNE 21, 2010

Zero-Day Adobe Flash Player Exploits in a Flash Apart from ensuring that the threat landscape is consistently thriving, cybercriminals can also be depended on to jump at every single opportunity that arises. Zero-day vulnerabilities are no exception. Developers face the challenge of releasing updates before exploit attacks proliferate in the wild. Every time a software vulnerability is made public, users can expect cybercriminals to use it to their advantage faster than developers can say “patch.”

The Threat Defined Security experts are faced with an interesting scenario every time a zero-day vulnerability is disclosed. There are always two possibilities—developers will effectively fix the flaw before any major issue arises or cybercriminals will get an opportunity to spread malware via vulnerability exploits and developers are left with the task of cleaning up the mess they leave behind.

The recent zero-day exploit is a good example of the latter scenario. When Adobe released a security advisory about a Flash Player vulnerability, a zero-day exploit had already been found. Tagged as critical, the vulnerability (CVE-2010-1297) causes the application to crash and can allow remote users to execute malicious codes on an affected system.

Exploits in a Flash As evidenced by this and many other zero-day exploit attacks, cybercriminals waste no time in taking the opportunity to take advantage of vulnerable users. In this particular scheme, spammers sent email messages with an .SWF file embedded in a .PDF file attachment. Opening the attached file executes the .SWF file, which, in turn, results in exploitation of the Adobe Flash Player vulnerability.

The vulnerability currently exists in 10.0.x and 9.0.x versions of Flash, including the current version (10.0.45.2). Furthermore, authplay.dll or the vulnerable component is also used by Adobe’s PDF products. Consequently, both Acrobat and Reader 9.3.2 and earlier versions that belong to the 9.x family are also affected. Acrobat and Reader 8.x versions are not affected.

Opening Doors to Malware Vulnerability exploits typically lead not just to one malware infection but to several infections at the same time. In this attack, Trend Micro detects malicious files exploiting the vulnerability as TROJ_PIDIEF.WX. Once installed on a system, the Trojan connects to a malicious website to download a file detected as TROJ_SMALL.WJX, which, in turn drops a file detected as BKDR_PDFKA.W.

The backdoor leaves users susceptible not just to information theft but to involvement in cybercriminals’ money-making schemes as well because of its routines. More specifically, BKDR_PDFKA.W collects system information such as installed applications and IP configurations. It is likewise capable of downloading files from the Web and executing these on an affected system. As a result, the compromised machine can be used for pay-per-install (PPI) schemes that cybercriminals often use to spread malware and to build botnets.

User Risks and Exposure Given the speed by which cybercriminals exploit vulnerabilities, users are constantly victims in the making. It does not help either that patching systems is both a tiresome and time-consuming task for small businesses but even more so for enterprises that need to manage several systems.

2 of 2 – WEB THREAT SPOTLIGHT

Web Threat Spotlight A Web threat is any threat that uses the Internet to facilitate cybercrime.

In this attack, users face the added challenge of dealing with several vulnerable applications at once. Since the malicious files exploit vulnerabilities in Adobe Flash Player, Acrobat, and Reader, users should be sure to patch all these applications and make sure they do not leave any of them vulnerable.

In the end, it is still best to enable automatic updates whenever possible and to ensure that systems are consistently updated with the latest vendor-released patches. Since the threats in this attack arrive via spammed messages, users are likewise advised to practice discretion when opening email messages and when downloading and executing file attachments. Users should always be on the lookout for unsolicited email messages, dubious-sounding senders, and meaningless salad words. Such messages should be immediately deleted since spammers sometimes utilize invisible links that can inadvertently lead users to malicious websites.

Trend Micro Solutions and Recommendations Trend Micro™ Smart Protection Network™ delivers security infrastructure that is smarter than conventional approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network™ is a cloud-client content security infrastructure that automatically blocks threats before they reach you. A global network of threat intelligence sensors correlates with email, Web, and file reputation technologies 24 x 7 to provide comprehensive protection against threats. As the sophistication of threats, volume of attacks, and number of endpoints rapidly grows, the need for lightweight, comprehensive, and immediate threat intelligence in the cloud is critical to overall protection against data breaches, damage to business reputation, and loss of productivity.

In this attack, Smart Protection Network’s email reputation service blocks all emails related to this spam run. File reputation service detects and prevents the download of malicious files detected as TROJ_PIDIEF.WX, TROJ_SMALL.WJX, and BKDR_PDFKA.W. The Web reputation service likewise prevents access to the malicious sites.

Users are also advised to upgrade to the latest Flash Player version, which Adobe has announced in this security bulletin. Meanwhile, updates for Adobe Reader and Acrobat 9.3.2 for Windows, Macintosh, and Unix are expected to be released by June 29, 2010. As a workaround, users can manually delete the vulnerable component, authplay.dll. However, when this is done, all Flash contents within .PDF files cannot be opened. Users may see a crash or error message but this will not trigger the exploit.

Trend Micro Deep Security and Trend Micro OfficeScan already protect business users against the Adobe product authplay.dll remote code execution vulnerability via the Intrusion Defense Firewall (IDF) plug-in if their systems are updated with IDF rule number 1004202.

Non-Trend Micro product users may also benefit from using free tools like eMail ID, a browser plug-in that helps users identify legitimate email messages in their inboxes. The following post at the TrendLabs Malware Blog discusses this threat: http://blog.trendmicro.com/zero-day-flashacrobat-exploit-seen-in-the-wild/ The virus reports are found here: http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PIDIEF.WX http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SMALL.WJX http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_PDFKA.W Other related posts are found here: http://www.adobe.com/support/security/advisories/apsa10-01.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1297 http://blog.trendmicro.com/?s=zero-day http://en.wikipedia.org/wiki/Compensation_methods#Pay-per-install_.28PPI.29 http://blog.trendmicro.com/spotlighting-the-botnet-business-model/ http://get.adobe.com/flashplayer/ http://www.adobe.com/support/security/bulletins/apsb10-14.html