Fri 18 Jul, 2008 07:33 am
Co-worker reports one of his computers was infected through a Flash exploit that in turn launched a JavaScript that then uses either Quicktime or WMP to download the payload.
Any idea what this might be? Seems pretty sophisticated, not your average teen hacker anyway.
They've known about the flash exploit for some time. I posted a thread on it back in May.
http://www.able2know.org/forums/viewtopic.php?t=117200
DrewDad wrote: From a security advisory from one of our vendors:
Quote: Attackers insert SCRIPT and IFRAME tags into the content of trusted, legitimate web sites via a known SQL injection attack. Those tags redirect the user to the attacker's server which hosts the Flash exploit. Tens of thousands of web sites are vulnerable to the SQL injection attack, meaning the distribution potential is high.
...
The only confirmed vulnerable version is (pre-patch) 9.0.115.0.
...
**** advises clients to verify that all Adobe Flash installations are running version 9.0.124 or later. This version may also be referred to as "9f", "9,0,124,0", "9.0 r124" or similar. However, Adobe Flash does not store version information in the registry. For individual PCs, the version of the currently installed Flash Player can be determined by visiting this Adobe web page:
http://www.adobe.com/products/flash/about/
...
Payloads vary but generally include the installation of downloaders, backdoors, and password stealing spyware Trojans. While detection of the various Trojans is good on average, some remain undetected by major AV engines. None of the major AV engines detected the actual exploit Flash file at the time this advisory was written. Now that samples have been obtained, anti-virus companies are updating their signatures accordingly.
My flash player was at 9.0.115.0. I'm upgrading now.
http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash
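The advisory quoted above describes legitimate sites whose stored content has had SCRIPT and IFRAME tags injected that pull the exploit from the attacker's server. A site operator can sweep their own pages (or the database rows that feed them) for script/iframe includes that point at hosts other than their own. The check below is an added example written for this thread, not code from the advisory or its vendor; the trusted host list and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately loads scripts and frames from (assumed; set per site).
TRUSTED_HOSTS = {"www.example-site.test", "cdn.example-site.test"}


class _SrcCollector(HTMLParser):
    """Collects the src attribute of every SCRIPT and IFRAME tag in a page."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names, so <SCRIPT> and <script> both match.
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))


def find_foreign_includes(html, trusted_hosts=TRUSTED_HOSTS):
    """Return (tag, src) pairs whose host is outside trusted_hosts.

    Relative URLs (no host component) are treated as same-site and skipped;
    protocol-relative ("//host/path") and absolute URLs are checked by host.
    """
    parser = _SrcCollector()
    parser.feed(html)
    suspicious = []
    for tag, src in parser.refs:
        host = urlparse(src.strip()).hostname
        if host and host.lower() not in trusted_hosts:
            suspicious.append((tag, src))
    return suspicious


# Constructed sample: a normal page whose stored content has had an external
# script and a zero-size iframe appended, the pattern the advisory describes.
SAMPLE_PAGE = """<html><body>
<script src="/js/site.js"></script>
<script src="http://cdn.example-site.test/lib.js"></script>
<p>Product description text</p>
<SCRIPT src="http://injected-host.invalid/x.js"></SCRIPT>
<iframe src="http://injected-host.invalid/f.html" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, src in find_foreign_includes(SAMPLE_PAGE):
        print(f"foreign {tag} include: {src}")
```

Running it over every page or content row flags only the two injected references, leaving the site's own relative and CDN includes alone.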