Recently, a group of network friends sent a URL link, saying it was the recently opened personal space. Let me check it out. During the Security period, I opened the website link in the virtual machine. In about 3 seconds, the virtual machine speed is obviously slow. As a security enthusiast, intuition tells me that it may be a trick. In the command line (cmd.exe), run the netstat-ano command to find two suspicious connections. The port numbers are 4778 and 2407, respectively, connect to *. 30. 66. * at the same time, and the connection status is "ESTABLISHED ". (Figure 1)
2. Tracking
Is it webpage Trojan? No suspicious code is found in the source code of the webpage. Restart a virtual machine. The new system patch is installed on the virtual machine. The antivirus software is rising and the virus database is updated to the latest version. I re-opened the link and found a suspicious network connection in the command line like the first virtual machine.
Because the patch package is the latest, this indicates that the virtual machine was not recruited through system vulnerabilities; rising did not respond, which indicates that the trojan may be downloaded and run through an unknown new vulnerability, in addition, the kill-free processing of rising has been performed.
Therefore, the author pays attention to a URL-linked mm.swf in the code process. This should be linked to a flash file. However, I noticed that there was no flash animation on the webpage. This mm.swf file is located in the folder, with the size of 1 kb. Obviously, this swf file is very suspicious. Is this the Flash 0day that I saw on the IT expert network security sub-station a few days ago? (Figure 2)
3. Analysis
I checked it online and published a flash Vulnerability on 5.29, which is a high-risk vulnerability and allows arbitrary code execution. I decided to open it in notepad, maybe I could find the information about the Trojan horse. As a result, I opened it in notepad and found all garbled characters, which should be encrypted. (Figure 3)
Because it is a flash file, its decryption is different from the general file. Run Imperator FLA, a tool that restores a flash (swf file) to a fla file (flash source file. After conversion, a file named "mm _. fla" is obtained. Then open it in Notepad. After analysis, we found a suspicious connection to http: // syxh *. * .53dns.com/520/mm.exe, which is clearly the trojan address of the Releaser. (Figure 4)
The author downloads the trojan and runs it in the virtual machine. The suspicious connection is found in the command line. The above test proves that the author first adopted this latest flash 0day trick.
4. Exploitation
For further testing, I modified http: // syxh *. * .53dns.com/520/mm.exeto http://127.0.0.1/notepad.exein mm _. fla. Then, use flash 8.0to open the mm_.flag to regenerate the mm.swf file. Next, on the virtual machine where IIS server is deployed, I recorded beibeinotepad.exeto the site root directory. Then, I opened the mm.swf file and opened the Notepad program. (Figure 5)
So far, we have not only opened the operating mechanism of the Flash network horse, but also obtained a flash0day. In the security test, we only need to change the URL Connection.
5. Prompt
Because the flash 0day is the latest release or has not yet been released, I have tested that all browsers such as IE and Firefox are not affected by this vulnerability in the latest patch system, in addition, mainstream anti-virus software does not report viruses. At the same time, I tried to download the latest Flash Player version, which was also affected by the vulnerability.
Afterwards, the author asked the user in the QQ Group that the flash 0day was bought from a cool man without a generator. It told the seller that the trojan link was generated by the seller.
Therefore, there are no effective preventive measures for the Flash 0day. The best way to do this is to close the Flash playback of the browser in the near future. In addition, do not easily open URL connections or Flash games, Flash clips, etc.