Showing posts with label CVE-2010-1297.

Wednesday, July 28, 2010

CVE-2010-1297 Flash exploit variants

We haven't seen too many variations of the Flash exploit CVE-2010-1297, so we decided to take a look to see if there were a lot of samples using the proof-of-concept ones. Our tests showed some variation - 6 different embedded Flash files used in attacks:

Malware with pad.swf - Flash variant a (26810 bytes, 49ddb9b210e773b987b9a25678f65577):
306d7e608a52121aa4508e9901e4072e (AES 128b PDF Encryption)

Malware with kp.swf - Flash variant b (1297 bytes, ea24ea1063f49c594f160a57c268d034):

Malware with flate encoded Flash variant c (27181 bytes, 0ab61f2fe334e22b4defb18587ae019f; inflated Flash variant d 53345 bytes, ac69d954d9e334d089927a1bc875d13d):

Flash variant e (53902 bytes, 8286cc6dc7e2193740f6413b6fc55c7e):

Flash variant f (26774 bytes, bd7eac5ae665ab27346e52278f367635):

Flash variant g (26774 bytes, 4666a447105b483533b2bbd0ab316480):
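Variants c and d above are one Flash file in two forms, stored and inflated, which is why they carry different sizes and MD5s. The following added example (not code from this blog or from ViCheck) fingerprints an extracted stream in both forms so the two hashes can be tied to one payload. The post does not say whether "flate encoded" means a PDF /FlateDecode stream or a compressed (CWS) SWF, so handling both is an assumption; the function names and the sample buffer are constructed for illustration.

```python
import hashlib
import struct
import zlib

MAX_OUT = 16 * 1024 * 1024  # cap inflated size so a hostile stream cannot exhaust memory

def safe_inflate(data, limit=MAX_OUT):
    """Inflate zlib data; None if it is invalid, truncated or larger than the cap."""
    d = zlib.decompressobj()
    try:
        out = d.decompress(data, limit)
    except zlib.error:
        return None
    return None if (d.unconsumed_tail or not d.eof) else out

def swf_forms(blob):
    """Return [(label, bytes)]: the stream as stored and, if it inflates, the Flash inside."""
    forms = [("stored", blob)]
    if blob[:3] == b"CWS" and len(blob) > 8:
        # Compressed SWF: the 8-byte header stays in the clear, the rest is one zlib stream.
        body = safe_inflate(blob[8:])
        if body is not None:
            forms.append(("inflated", b"FWS" + blob[3:8] + body))
    elif blob[:3] != b"FWS":
        # Not a bare SWF: assume a PDF /FlateDecode stream wrapping the Flash file.
        body = safe_inflate(blob)
        if body is not None:
            forms.append(("inflated", body))
    return forms

def fingerprint(blob):
    """One size/MD5 row per form, in the style of the variant list above."""
    rows = []
    for label, data in swf_forms(blob):
        plain = data[:3] == b"FWS" and len(data) >= 8
        declared = struct.unpack("<I", data[4:8])[0] if plain else None
        rows.append({"form": label, "size": len(data),
                     "md5": hashlib.md5(data).hexdigest(),
                     "magic": data[:3].decode("latin-1"),
                     "length_ok": (declared == len(data)) if plain else None})
    return rows

# Constructed sample: a dummy SWF-shaped buffer, not a real Flash file or a sample from this post.
_body = b"\x00" * 64 + b"constructed-body" * 32
SAMPLE_FWS = b"FWS" + bytes([9]) + struct.pack("<I", 8 + len(_body)) + _body
SAMPLE_CWS = b"CWS" + SAMPLE_FWS[3:8] + zlib.compress(_body)

if __name__ == "__main__":
    for row in fingerprint(SAMPLE_CWS):
        print(row)
```

`length_ok` compares the length declared in an uncompressed SWF header with the actual byte count; a mismatch points to trailing or truncated data in the extracted stream.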

Monday, July 19, 2010

Worst Social Engineering Ever

From a recent submission via the email intake - hereyougo at vicheck.ca:

With a subject line of an invitation to a Tibetan event, invitation.rar (3026984137716828cf8f55b10bb0069) contained the aptly named "exploit.pdf" which certainly inspires confidence to open the attachment:

exploit.pdf:
EXECUTABLE SCAN: PDF Exploit Embedded Flash may be CVE-2010-1297 (genexploit/full)
REPORT: https://www.vicheck.ca/md5query.php?hash=ee81327f15db183f83815754fbfad5dd
Exploit method detected as genexploit - PDF Exploit Embedded Flash may be CVE-2010-1297.
Confidence ranking: 100 (11 hits).

Embedded EXE is encrypted with a 256 byte key as well as a simple replacement cipher.

Drops: