The Flash zero day that made its way into the Angler exploit kit was wrapped in multiple layers of obfuscation and has the ability to inject its malicious payload straight into users’ browsers.
In the week since the news broke of the Adobe Flash zero-day flaw appearing in the Angler kit, security researchers have spent quite a bit of time analyzing the vulnerability and the way in which it’s being used. Researchers at Websense found that the exploit code for the vulnerability is hidden inside a Flash file that is in turn wrapped in an SWF file. The attackers’ goal in using this technique is to hide their true intentions, and their exploit code, from security systems for as long as possible.
Flash vulnerabilities are highly valuable for attackers, as the software is deployed on hundreds of millions of machines around the world and users aren’t always on the ball about updating it. Attackers have been using Flash vulnerabilities for many years, and their inclusion in common exploit kits is a regular occurrence now. Less than a week ago, security researcher Kafeine identified some instances of the Angler exploit kit that were using a previously unknown Flash vulnerability in drive-by download attacks, mainly against Internet Explorer. Soon thereafter, the Angler crew adjusted its code and began attacking Firefox, as well.
“Adobe Flash has always been a good investment for exploit kits, but with the recent decline in the number of Java exploits (because of various advances made by Oracle and the browsers in this regard), attackers seem to be re-focusing their efforts at finding vulnerabilities in Adobe’s products,” Tamas Rudnai of Websense wrote in an analysis of the latest Flash zero day.
Rudnai found that the initial wrapper used in the Angler exploit was obfuscated ActionScript. After unwinding that layer, Rudnai ran into some issues trying to make his way through the other methods the attackers used to hide their wares. After a couple of false starts, Rudnai decided to get down to basics.
“When all else fails, we have no choice but to go back to manual reverse engineering. The objective was to find the decryption method and try to understand the mechanism used, to be able to proceed to the next step. Once that was complete, replacing the original variable and method names with more meaningful ones, the big picture was in front of us,” Rudnai wrote.
He discovered the key used to decrypt the next portion of the code and eventually reached a compressed Flash file that was hidden inside another file.
“To summarize, the exploit writers hid the malicious CWS file under the guise of a legitimate-looking SWF file and used multiple layers of obfuscation, compression, and encryption to evade security scanners,” Rudnai said.
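A defender-side check for the nesting Rudnai describes, added here as an example that is not from the Websense analysis: it inflates a CWS container and scans the inflated body for embedded SWF headers, using a constructed sample and a hypothetical version-plausibility bound (`max_version`) to discard random signature collisions.

```python
import struct
import zlib

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib-compressed, LZMA-compressed

def parse_swf_header(data):
    """Return (signature, version, declared_length) or None if data is not an SWF header."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    version = data[3]
    declared_length = struct.unpack("<I", data[4:8])[0]  # uncompressed length, little-endian
    return data[:3].decode("ascii"), version, declared_length

def swf_body(data):
    """Return the body that follows the 8-byte header, inflating a CWS container."""
    header = parse_swf_header(data)
    if header is None:
        raise ValueError("not an SWF file")
    if header[0] == "FWS":
        return data[8:]
    if header[0] == "CWS":
        return zlib.decompress(data[8:])
    raise ValueError("ZWS (LZMA) containers are not handled in this example")

def find_nested_swf(data, max_version=50):
    """Scan the inflated body for embedded SWF headers; returns (offset, sig, version, length).
    max_version is a plausibility heuristic (assumed, not a format rule) to drop 3-byte collisions."""
    body = swf_body(data)
    hits = []
    for sig in SWF_SIGNATURES:
        pos = body.find(sig)
        while pos >= 0:
            header = parse_swf_header(body[pos:pos + 8])
            if header and 1 <= header[1] <= max_version and header[2] >= 8:
                hits.append((pos,) + header)
            pos = body.find(sig, pos + 1)
    return sorted(hits)

def make_swf(sig, body, version=10):
    """Build a minimal SWF container (constructed sample, not a real Flash movie)."""
    header = sig + bytes([version]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if sig == b"CWS" else body)

def demo():
    """Constructed sample: a CWS container whose inflated body carries another CWS at offset 32."""
    inner = make_swf(b"CWS", b"inner exploit placeholder" * 4)
    outer = make_swf(b"CWS", b"\x00" * 32 + inner + b"\x00" * 16)
    return find_nested_swf(outer)

if __name__ == "__main__":
    for offset, sig, version, length in demo():
        print(f"nested {sig} v{version} at body offset {offset}, declared length {length}")
```

Real samples also apply obfuscated ActionScript and custom encryption on top of the compression, so a clean scan of the inflated body is a first filter, not proof of absence.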
Image from Flickr photos of Midnightzulu.