We are researching a couple of highly prevalent pieces of malware and may be drawing some links between the two.
Thousands of websites have been compromised and are spreading phony “get_flash_update.exe” files via a “showvideo.html” page titled “Watch Free Movie”. But you won’t be watching “Out of Africa” once this malware gets dropped on your system. Instead of updating Flash, the executable delivers months-old malicious functionality: it drops “CbEvtSvc.exe” into the system directory and runs this trojan from there. Exploit pages that we’ve examined also deliver files with static names like “wXtwRzv.exe” and the slightly more camouflaged “C:/Documents and Settings/All Users/Start Menu/Programs/Startup/smss.exe” (the name is borrowed from the legitimate Windows Session Manager, and the all-users Startup folder means it runs at every logon).
Clicking on one of these links takes the user to malicious sites presenting a page with a fairly persuasive social engineering scheme: a blank video mockup that entices the user to run a “flash update”. A popup appears reading “Flash player: Incorrect version”.
This sort of blended threat attack is somewhat like the Storm sites of last year, where the administrators of the malicious content attempt to con the user into manually running the malware if their drive-by exploits from 1.html fail in the browser background. The Storm themes varied a bit more and were more creative than this one. So far, we’ve seen the following vulnerabilities targeted by canned exploits on these sites:
The old reliable MS06-014 MDAC vulnerability (nothing new here)
The fresh new Microsoft Office Snapshot Viewer ActiveX control vulnerability (an arbitrary file download rather than a memory corruption bug)
The one-year-old Online Media Technologies NCTsoft NCTAudioFile2 ActiveX buffer overflow
A one-year-old stack overflow in GomManager
The recent RealPlayer.Console heap vulnerability
The ancient (2006) WebViewFolderIcon.setSlice integer overflow vulnerability. Thanks HD, the gift keeps on giving.
The exploit pages use reliable heap-spray techniques to land their standard download-and-execute shellcode for the overflow attempts.
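As an added example (not code from the original post or from the sites it describes), here is a small Python scanner that applies the indicators above to HTML pages: the lure strings quoted in this post, the heap-spray idioms (a NOP-sled value fed through unescape(), a string-doubling loop, an array filled with sled-plus-shellcode copies, a long %u-encoded blob) and a few names tied to the targeted controls. The sample pages and the thresholds are constructed for the example; RDS.DataSpace (the object that MS06-014 exploits instantiate) is the only identifier not taken from the post.

```python
"""Static indicator scan for the 'Watch Free Movie' lure and heap-spray exploit pages.
Added example: the sample pages below are constructed here, not captured from the campaign."""
import re

# Lure strings exactly as the write-up quotes them.
LURE_INDICATORS = {
    "lure_title": re.compile(r"<title>\s*Watch Free Movie\s*</title>", re.I),
    "lure_flash_popup": re.compile(r"Flash player:\s*Incorrect version", re.I),
    "lure_dropper_link": re.compile(r"get_flash_update\.exe", re.I),
    "lure_page_name": re.compile(r"showvideo\.html", re.I),
}

# Heap-spray idioms. The sled values and the loop shapes are the common ones; assumptions.
SPRAY_INDICATORS = {
    # unescape("%u0c0c%u0c0c"): a literal made only of sled/landing values
    "spray_nop_sled": re.compile(
        r"unescape\(\s*['\"](?:%u(?:0c0c|0a0a|0d0d|9090))+['\"]\s*\)", re.I),
    # while (s.length < 0x100000) s += s;
    "spray_doubling_loop": re.compile(
        r"while\s*\(\s*\w+\.length\s*<\s*(?:0x[0-9a-f]+|\d+)\s*\)\s*\w+\s*\+=\s*\w+", re.I),
    # for (...) heap[i] = sled + shellcode;
    "spray_array_fill": re.compile(
        r"for\s*\([^)]*\)\s*\w+\s*\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*\w+", re.I),
}

# Names tied to the targeted controls: setSlice and NCTAudioFile2 come from the post;
# RDS.DataSpace is the object MS06-014 exploits instantiate (not named in the post).
TARGET_INDICATORS = {
    "target_setSlice": re.compile(r"\.setSlice\s*\(", re.I),
    "target_NCTAudioFile2": re.compile(r"NCTAudioFile2", re.I),
    "target_RDS_DataSpace": re.compile(r"RDS\.DataSpace", re.I),
}

SHELLCODE_MIN_UNITS = 32  # assumed threshold: a real payload has far more %uXXXX units than a sled


def _shellcode_blobs(html):
    """Count %uXXXX units inside each unescape() literal; long literals look like shellcode."""
    blobs = []
    for literal in re.findall(r"unescape\(\s*['\"]([^'\"]+)['\"]", html, re.I):
        units = len(re.findall(r"%u[0-9a-f]{4}", literal, re.I))
        if units >= SHELLCODE_MIN_UNITS:
            blobs.append(units)
    return blobs


def scan_page(html):
    """Return the sorted indicator names that matched plus a coarse verdict."""
    hits = set()
    for table in (LURE_INDICATORS, SPRAY_INDICATORS, TARGET_INDICATORS):
        for name, rx in table.items():
            if rx.search(html):
                hits.add(name)
    if _shellcode_blobs(html):
        hits.add("shellcode_blob")
    has_spray = any(h.startswith("spray_") for h in hits)
    has_payload = any(h.startswith("target_") or h == "shellcode_blob" for h in hits)
    if has_spray and has_payload:
        verdict = "exploit"
    elif any(h.startswith("lure_") for h in hits):
        verdict = "lure"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": sorted(hits)}


# Constructed sample pages (not real captures). The "shellcode" is filler, not a payload.
SAMPLE_EXPLOIT_PAGE = (
    '<html><body><script>\n'
    'var shellcode = unescape("' + "%u9090%ue8fc" * 20 + '");\n'
    'var sled = unescape("%u0c0c%u0c0c");\n'
    'while (sled.length < 0x100000) sled += sled;\n'
    'var heap = new Array();\n'
    'for (var i = 0; i < 200; i++) heap[i] = sled + shellcode;\n'
    'var o = document.createElement("object");\n'
    'o.setSlice(0x7ffffffe, 0x0c0c0c0c, 0x0c0c0c0c, 0x0c0c0c0c);\n'
    '</script></body></html>\n'
)
SAMPLE_LURE_PAGE = (
    '<html><head><title>Watch Free Movie</title></head><body>\n'
    '<div id="player"></div>\n'
    '<script>alert("Flash player: Incorrect version");</script>\n'
    '<a href="get_flash_update.exe">Update Flash Player</a>\n'
    '</body></html>\n'
)
SAMPLE_CLEAN_PAGE = (
    '<html><head><title>Shop</title></head><body><script>\n'
    'var total = 0; for (var i = 0; i < items.length; i++) total += items[i].price;\n'
    'while (queue.length > 0) queue.pop();\n'
    '</script></body></html>\n'
)

if __name__ == "__main__":
    for label, page in (("exploit", SAMPLE_EXPLOIT_PAGE), ("lure", SAMPLE_LURE_PAGE),
                        ("clean", SAMPLE_CLEAN_PAGE)):
        print(label, scan_page(page))
```

The verdict deliberately requires a spray idiom plus either a targeted-control name or a long %u blob before calling a page an exploit: the doubling loop alone shows up in legitimate code often enough that on its own it only rates "suspicious".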
We will continue to research this one and provide more details here. The interest here is mostly in the large-scale effort to spread this months-old malware and serve it up from newly compromised sites under a somewhat different name. The spam is mostly the same as before: the malware has already been spread as video.exe, video.avi.exe, and others.
Our hunch is that an IM worm or spammed link over the past several days was dropping an FTP password stealer, which in turn collected the credentials used to upload these “showvideo.html” pages and other content alongside the usual content on these legitimate sites. The sites continue to serve up legitimate pages as well. There were CuteFTP and other stealers, widely distributed, with random names starting “wins
In the meantime, if you need to update your Flash player, only do so at the legitimate Adobe site.