The piece of malware being used to exploit the unpatched Adobe Flash bug disclosed Thursday looks like a fairly run-of-the-mill Trojan, but an analysis shows that it has some unusual features.
The Trojan is known by a couple of names, including Sykipot, and its infection routine is familiar enough. After installation, however, things start to get a little odd. The malware checks for a pair of command-line options, one of which uninstalls it: the “-removekys” option completely removes the bot, a consideration that most malware authors aren’t thoughtful enough to include in their creations.
But that’s not all the surprises the bot has in store, according to an analysis by Kaspersky Lab researcher Tillmann Werner. The malware eventually downloads an encrypted configuration file from a remote server, and it is that file that holds the intriguing bits.
Searching the web for strings from this file reveals an interesting connection with a piece of malware that was spreading at the beginning of this year. Like the current bot, that earlier sample exploited a zero-day vulnerability, collected information about the infected machine and sent it back to its controller. A still earlier version is reported to have exploited another Flash zero-day.
A nice thing is that each configuration download request contains all the information needed to track down infected hosts in a network. Below is what the HTTP GET request for the config file looks like. The path contains one parameter assembled from the Windows host name and its IP address with the prefix ‘-nsunday’, which is quite distinctive. Also note the Referer field, which is always set to http://www.yahoo.com/, and the characteristic Accept header. Constructing a reliable IDS signature should not be too hard.
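The host-tracking check described above, as an added example (this is not code from the article or from Werner's analysis): a small Python scanner that parses raw HTTP requests, flags the ‘-nsunday’ parameter together with the fixed Referer, and pulls the infected host name and IP address out of the parameter so the victim can be located. The article does not give the parameter's exact layout, so the ‘-nsunday<HOSTNAME>-<IPv4>’ form, the request paths, the Host values and the three sample requests are all constructed assumptions for illustration.

```python
"""Flag Sykipot-style config beacons in raw HTTP requests.

Added example, not from the article or from Werner's analysis. Indicators
taken from the article: a GET whose path carries one parameter built from
the Windows host name and IP address with the prefix '-nsunday', and a
Referer that is always http://www.yahoo.com/. The parameter's exact layout
is not given, so this script ASSUMES the value looks like
'-nsunday<HOSTNAME>-<IPv4>'. All sample requests below are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

SYKIPOT_PARAM_PREFIX = "-nsunday"
SYKIPOT_REFERER = "http://www.yahoo.com/"

# Assumed layout: prefix, Windows host name (may itself contain '-'),
# a '-' separator and an IPv4 address at the end of the value.
PARAM_RE = re.compile(
    r"-nsunday(?P<host>[A-Za-z0-9_.-]+?)-(?P<ip>(?:\d{1,3}\.){3}\d{1,3})$"
)

# Constructed sample traffic (hosts, paths and addresses are made up).
SAMPLE_REQUESTS = [
    # 1. beacon: marker in a query value plus the fixed Referer
    "GET /config.asp?name=-nsundayWS-FIN-07-10.1.2.23 HTTP/1.1\r\n"
    "Host: cdn.example.net\r\n"
    "Referer: http://www.yahoo.com/\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n",
    # 2. ordinary browsing that happens to carry a Yahoo referer
    "GET /news/story.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Referer: http://www.yahoo.com/\r\n"
    "Accept: text/html\r\n\r\n",
    # 3. marker as a path segment, but a different Referer
    "GET /-nsundayLAPTOP3-192.168.5.9 HTTP/1.1\r\n"
    "Host: static.example.org\r\n"
    "Referer: http://www.example.org/\r\n"
    "Accept: */*\r\n\r\n",
]


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target and a header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def find_sykipot_param(target: str):
    """Return (hostname, ip) if a path segment or query key/value carries the
    '-nsunday' marker in the assumed layout; (raw_value, None) if the marker
    is present but the layout differs; None if the marker is absent."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    candidates = parts.path.split("/") + [v for _, v in pairs] + [k for k, _ in pairs]
    for cand in candidates:
        if SYKIPOT_PARAM_PREFIX in cand:
            m = PARAM_RE.search(cand)
            if m:
                return m.group("host"), m.group("ip")
            return cand, None  # still worth reporting: the marker alone is rare
    return None


def classify(raw: str) -> dict:
    """Score one request. The '-nsunday' parameter is the strong indicator;
    the Referer only corroborates, since a Yahoo referer alone is normal."""
    req = parse_request(raw)
    hit = find_sykipot_param(req["target"])
    referer_ok = req["headers"].get("referer") == SYKIPOT_REFERER
    result = {
        "match": hit is not None, "confidence": None,
        "victim_host": None, "victim_ip": None,
        "referer_match": referer_ok, "dst_host": req["headers"].get("host"),
    }
    if hit:
        result["victim_host"], result["victim_ip"] = hit
        result["confidence"] = "high" if referer_ok else "medium"
    return result


def scan(requests):
    """Return the classification of every request that carried the marker."""
    return [r for r in (classify(raw) for raw in requests) if r["match"]]


if __name__ == "__main__":
    for verdict in scan(SAMPLE_REQUESTS):
        print(verdict)
```

On a proxy or IDS log this turns each beacon into a (victim host, victim IP, destination) triple, which is exactly what the paragraph means by tracking down infected hosts. Note that the Referer value is deliberately not sufficient on its own: a request with a Yahoo referer and no marker (sample 2) is left alone, while a request with the marker but a different Referer (sample 3) is still reported, only with lower confidence, so a minor change to the bot's headers does not blind the check.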
Adobe won’t have a patch available for the Flash bug until Nov. 7, so it’s likely that there will be other exploits attacking the vulnerability before then, as well. This is just the first shot.
Read Werner’s full analysis of the Flash exploit here.