A recent Adobe Flash vulnerability is already being abused in another mass compromise, again delivered through SQL injection attacks against legitimate sites. The current malware campaign has once again been traced back to Chinese hackers, who are using a zero-day exploit to infect users with password-stealing malware.
The exploit takes advantage of a previously unknown vulnerability in Adobe Flash Player, allowing attackers to install information-stealing trojans on affected PCs. The flaw is an integer overflow: Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier, allow remote attackers to execute arbitrary code via a crafted SWF file with a negative Scene Count value, which passes a signed comparison, is then used as an offset from a NULL pointer, and triggers a buffer overflow.
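The bug class described above (a signed comparison that lets a negative count through, which then becomes a pointer offset) is easier to see in code. The following C is an added example written for this post; it is not Flash Player code and not taken from the malicious SWF files. It assumes, for illustration only, that the count is a fixed-width little-endian 32-bit field followed by 8-byte scene entries and that the parser imposes an arbitrary MAX_SCENES bound; the real SWF tag encoding differs. The vulnerable check is shown beside a hardened one that reads the count as unsigned and verifies the implied entries fit in the record.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Upper bound a parser might impose on the number of scenes (assumed). */
#define MAX_SCENES 1024
/* Hypothetical size of one per-scene entry following the count (assumed). */
#define SCENE_ENTRY_SIZE 8

/* Read a little-endian 32-bit value (SWF integers are little-endian). */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the count is treated as signed and only its upper
 * bound is checked.  A negative count (e.g. 0xFFFFFFFE == -2) passes the
 * comparison and yields a negative offset.  In the real bug the base that
 * this offset is added to is a NULL pointer, so the resulting memory access
 * lands at NULL plus an attacker-controlled offset.  Returns true when the
 * check accepts the record and stores the computed offset. */
bool vulnerable_accepts(const uint8_t *rec, size_t len, ptrdiff_t *offset_out)
{
    if (len < 4)
        return false;
    int32_t scene_count = (int32_t)read_le32(rec);
    if (scene_count > MAX_SCENES)          /* signed compare: negatives slip through */
        return false;
    *offset_out = (ptrdiff_t)scene_count * SCENE_ENTRY_SIZE;
    return true;
}

/* Hardened pattern: read the count as unsigned so no negative value exists,
 * bound it, and check that the entries it implies actually fit in the record
 * before deriving any offset from it. */
bool hardened_accepts(const uint8_t *rec, size_t len, size_t *offset_out)
{
    if (len < 4)
        return false;
    uint32_t scene_count = read_le32(rec);
    if (scene_count > MAX_SCENES)          /* unsigned compare also rejects 0xFFFFFFFE */
        return false;
    size_t needed = (size_t)scene_count * SCENE_ENTRY_SIZE;
    if (needed > len - 4)                  /* entries must lie inside the record */
        return false;
    *offset_out = needed;
    return true;
}

/* Constructed sample records (not taken from any real SWF file):
 * a benign record with scene_count = 2 followed by two zeroed entries, and
 * a malicious one whose count field is 0xFFFFFFFE (-2 when read as signed). */
const uint8_t BENIGN_RECORD[4 + 2 * SCENE_ENTRY_SIZE] = { 0x02, 0x00, 0x00, 0x00 };
const uint8_t MALICIOUS_RECORD[4 + 2 * SCENE_ENTRY_SIZE] = { 0xFE, 0xFF, 0xFF, 0xFF };

int main(void)
{
    ptrdiff_t voff = 0;
    size_t hoff = 0;

    bool v = vulnerable_accepts(BENIGN_RECORD, sizeof BENIGN_RECORD, &voff);
    bool h = hardened_accepts(BENIGN_RECORD, sizeof BENIGN_RECORD, &hoff);
    printf("benign:    vulnerable=%d (offset %td) hardened=%d (offset %zu)\n", v, voff, h, hoff);

    v = vulnerable_accepts(MALICIOUS_RECORD, sizeof MALICIOUS_RECORD, &voff);
    h = hardened_accepts(MALICIOUS_RECORD, sizeof MALICIOUS_RECORD, &hoff);
    printf("malicious: vulnerable=%d (offset %td) hardened=%d\n", v, voff, h);
    return 0;
}
```

The malicious record passes the signed check with an offset of -16 bytes, which is exactly the kind of value that becomes dangerous once added to a NULL base; the hardened version rejects it before any offset is computed.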
Legitimate sites were found injected with scripts that silently redirect browsers to sites hosting exploits for the Flash vulnerability. When certain system conditions allow the exploit to run, the PC downloads and executes info-stealers (such as TSPY_UPACK.D) or droppers (such as TROJ_DROPPER.NAK) via the malicious .SWF files, which TrendLabs detects as SWF_DLOADER.YVM and SWF_DLOADER.YVN. Other components of this infection are detected as HTML_DLDR.BF, TSPY_UPACK.D and TROJ_DROPPER.NAK.
Some domains in this attack spoof the name of the well-known phone maker Nokia, as well as that of the popular online game Defense of the Ancients (DotA). Other domains include lkjrc.cn and woai117.cn (unsurprisingly, since .cn domains cost about 1 cent each).
Here is a list of domains currently serving malicious files, as posted on Dancho Danchev's blog:
At the moment there is no patch available from Adobe and no known workaround. Again, avoid visiting unknown sites, or use Firefox with the NoScript plugin.
Update (May 29): The malicious SWF file found in the wild has been confirmed to affect Adobe Flash Player 9.0.115.0 and earlier, not the latest version, 9.0.124.0.
According to Symantec, this issue was initially believed to be unpatched and unknown, but further technical analysis revealed that it is the previously reported Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability (BID 28695), discovered by Mark Dowd of IBM. Adobe has released an official statement noting that Flash Player 9.0.124.0 is not affected by these attacks and confirming that the SWF files are in fact leveraging this flaw.
Users are advised to ensure that Flash Player is updated to version 9.0.124.0.