We now have information that helps identify the exploit kit used in the Adobe Flash zero-day attack we blogged about yesterday. Adobe states in its advisory that the related vulnerability, CVE-2015-0313, affects current versions (Adobe removed version 11.x and earlier from the affected software). At first, we figured that the exploit kit involved was the Angler Exploit Kit because of the URL's characteristics, so we tested it using Angler HTML parameters and found that SWF_EXPLOIT.MJST could be run. Another clue pointing to Angler was that the obfuscation method is very similar.
Figure 1. Similar obfuscation methods between two recent zero-days.

As Kafeine, an independent researcher, pointed out to me, the attack is much more similar to the Hanjuan Exploit Kit. That exploit kit is very much directed towards capturing US traffic from a specific domain, via a specific ad platform. While it would be difficult to identify the exact exploit kit used in this specific run, the clues from the domain/IP, the upper-level HTML and the history of the exploit kit make his assessment reasonable, and I appreciate his help.

In terms of impact, however, the threat is still as potent as ever. An in-the-wild zero-day exploit added to the very effective malvertising scheme should make us think twice about how careful we think we are when we are browsing online. Malvertisements are an old style of malware delivery, but they remain incredibly notorious because websites have no choice but to load ads and trust whatever content is served by third parties. Users, on the other hand, also have no choice but to accept ads as a part of their everyday browsing experience. Well, we say "no choice" lightly, but in reality, IT administrators have much more secure options available to them.

While updating software is a baseline best practice, it will do nothing for this attack at this time. Enterprise and home users should consider disabling Flash Player at least until the new patch is released, which Adobe has said it will do within the week. We also tested the exploit against Google Chrome and found that it cannot escape the sandbox.

Trend Micro products have been protecting users from this attack from the beginning through different technologies. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can also be used to detect this threat by its behavior without any engine or pattern update.
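The recommendation above is to disable Flash Player until the patch ships. The script below is an added example, not code from the Trend Micro post, showing one way an administrator can do that on a Windows host for Internet Explorer and Google Chrome. It assumes the standard documented mechanisms, the ActiveX "kill bit" (Compatibility Flags 0x400 on the Flash control's CLSID) for IE and the DefaultPluginsSetting Chrome policy, and that it is run from an elevated PowerShell prompt; the function names are my own.

```powershell
# Added example (not from the original post): temporarily block Flash Player in
# Internet Explorer and Google Chrome until the vendor patch is applied.
# Assumes the documented IE ActiveX kill-bit mechanism and the Chrome
# DefaultPluginsSetting policy; run from an elevated PowerShell prompt.

$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash ActiveX control
$KillBit    = 0x400                                       # Compatibility Flags value that blocks the control

function Set-FlashKillBit {
    # Sets (or removes) the ActiveX kill bit for the Flash control in both the
    # 64-bit and 32-bit (Wow6432Node) registry views so neither IE bitness loads it.
    param([switch]$Remove)
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
    )
    foreach ($p in $paths) {
        if ($Remove) {
            if (Test-Path $p) { Remove-Item -Path $p -Recurse -Force }
            continue
        }
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        New-ItemProperty -Path $p -Name 'Compatibility Flags' -PropertyType DWord -Value $KillBit -Force | Out-Null
    }
}

function Set-ChromePluginPolicy {
    # DefaultPluginsSetting: 1 = allow, 2 = block, 3 = click-to-play (ask).
    # Blocking (2) prevents the bundled Flash plugin from running at all.
    param([ValidateSet(1, 2, 3)][int]$Setting = 2)
    $p = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    New-ItemProperty -Path $p -Name 'DefaultPluginsSetting' -PropertyType DWord -Value $Setting -Force | Out-Null
}

function Test-FlashBlocked {
    # Returns $true when the kill bit is present in the 64-bit registry view,
    # so the change can be verified after deployment.
    $p = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
    if (-not (Test-Path $p)) { return $false }
    $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($flags -band $KillBit) -eq $KillBit
}

Set-FlashKillBit
Set-ChromePluginPolicy -Setting 2
Write-Host ("Flash ActiveX kill bit set: {0}" -f (Test-FlashBlocked))
# To undo once the patch is installed:
#   Set-FlashKillBit -Remove ; Set-ChromePluginPolicy -Setting 1
```

Setting 3 (click-to-play) is a softer option if blocking Flash outright is not acceptable; it still stops an ad-served SWF from executing without a user action. The same registry values can be pushed centrally through Group Policy Preferences or the Chrome ADMX templates rather than run host by host.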
The Browser Exploit Prevention feature in our endpoint products such as Trend Micro™ Security, OfficeScan, and Worry-Free Business Security blocks the exploit once the user accesses the URL it is hosted on. Browser Exploit Prevention also protects against exploits that target browsers or related plugins. Trend Micro™ Deep Security, Vulnerability Protection (formerly the Defense Firewall plug-in for OfficeScan) and Deep Discovery customers with the latest rules also have an additional layer of protection against this vulnerability. Specifically, Trend Micro has released the following rules and patterns:
- Deep Security rule DSRU15-004
- Deep Packet Inspection (DPI) rule 1006468 for Deep Security and Vulnerability Protection (formerly the IDF plug-in for OfficeScan)