Right now there are a number of reports about a lethal Internet cocktail: an zero-day Adobe Flash exploit and widespread (20,000 domains at the time of writing) domains compromised via SQL injection to spread the drive-by-download attack. It feels like one of those days when you tell your friends to take a day off from using the Internet.
I was forwarded some links to the exploit and its payload by Ryan Naraine and spent a few hours reversing the exploit, its payload, and the malware that it downloads. It turns out that the whole attack just steals World of Warcraft passwords, which would have been nice to find out 4 hours ago when Ryan posted it, but I was having fun in IDA Pro instead of Twitter-land and pagination is disabled on the website and I missed it.
Anyway, here is a quick walkthrough:
- The flash.swf file exploits an unpatched vulnerability in Flash (UPDATE @ 20080529: It turns out that it was not an unpatched vulnerability, but a vulnerability that was fixed in the Flash 126.96.36.199 update released on April 8th)
- The exploit payload uses familiar techniques to lookup API functions by a 32-bit hash value, and uses URLMON.DLL to download an executable to C:\6123t.exe and runs it.
- The downloaded executable disables Kaspersky Anti-Virus (what, they don’t have any others in China?) extracts a UPX-packed DLL (Ow.dll) from its resources segment and loads it as a keyboard hook DLL.
- The keyboard hook targets World Of Warcraft and uploads captured information to the attacker’s server disguised as HTTP requests.
Overall, nothing too complicated, but there are some funny bits where the downloaded executable calls a ton of GDI functions to retrieve various values and does nothing with the results (am I missing something here?):
CODE:00401714 push 0 ; dwFlags
CODE:00401716 push 0 ; lpSig
CODE:00401718 push 0 ; hdc
CODE:0040171A call GetTextCharsetInfo
CODE:0040171F push 0 ; hdc
CODE:00401721 call GetFontLanguageInfo
CODE:00401726 call GetDoubleClickTime
CODE:0040172B push 0 ; bPrevious
CODE:0040172D push 0 ; hCtl
CODE:0040172F push 0 ; hDlg
CODE:00401731 call GetNextDlgTabItem
CODE:00401736 push 0 ; color
CODE:00401738 push 0 ; hdc
CODE:0040173A call GetNearestColor
Still 20k sites were compromised, a reliable Flash zero day exploit was burned, and the threatcon was raised to steal WoW passwords? I know that the size of the WoW economy rivals many nations, but I still find it somewhat strange.
UPDATE @ 20080528: The Adobe PSIRT is now reporting that the vulnerability is not zero-day, but is in fact a different exploit for the recent vulnerability reported by Mark Dowd. The exploit that I looked at appeared somewhat different in structure from Dowd’s, but it does use the same corrupt DefineSceneAndFrameLabelData tags and DoABC ActionScript bytecode tags. It looks like I jumped the gun on this one and it is actually just a different exploit for the same vulnerability. I have also just found a much more thorough analysis and description of the same exploit that I was looking at on the ThreatExpert blog.