Fierce Flash: threats from Flash 0DAY


Text: Miao Deyu (the author has written many very vivid articles)

Flash animation is popular on the Internet thanks to its eye-catching animation effects and its many practical, easy-to-use functions. Flash has changed from a web control that had to be downloaded and installed into a browser control that ships by default; today almost every website on the Internet uses it. But as Flash becomes a standard, danger also begins to creep in from the shadows ......

 

Flash 0-day Lethal Effect

In the hot summer of July, a dangerous network ghost recently appeared on the Internet. It first appeared at the CanSecWest 2008 Pwn2Own hacker competition, where Shane Macaulay of the Security Objectives organization broke into a Fujitsu U810 laptop running the Windows Vista operating system by exploiting a security vulnerability in Adobe Flash. His success earned him the Fujitsu laptop and a $5000 prize.

TIPS: Flash is the standard for interactive vector graphics and web animation released by Adobe. Web designers use Flash to create beautiful, scalable navigation interfaces and other distinctive effects.

Following the news, the Flash 0DAY soon attracted the attention of many hackers. Many hacker websites in China are now selling Flash 0-day web Trojans; dozens of hacker forums and QQ hacker groups on the Chinese network currently sell them. In his post, the virus author claims: "The latest Flash 0DAY web Trojan has an infection rate of over 70% and bypasses IE7. Price, sold without profit: 5000. To purchase, contact QQ group: *****".

TIPS: 0-day usually refers to an exploit for a vulnerability that has no patch yet. The person who provides the exploit is usually the first to find the vulnerability or the first to disclose the details of how to exploit it.

The Flash 0-day Trojan generators sold online claim an infection rate of more than 70%, and claim to bypass IE7, evade anti-virus software, raise no pop-up windows, and work against fully patched systems. This is true, because the infection is caused by a vulnerability in the Flash plug-in itself: besides IE it may affect Firefox and other third-party browsers, and it even affects every Flash-based application, such as qqxiu. Because of this, many hackers began using the 0DAY to steal accounts during the summer vacation.

 

Flash Vulnerability Principle

Compared with previous Flash vulnerabilities, this one is extremely harmful. According to the bulletin provided by Adobe, a total of seven Flash problems need to be fixed this time. They are:

(1) A heap overflow when processing the Declare Function (V7) tag;

(2) An integer overflow when processing multimedia files;

(3) An error when binding a host name to an IP address, which may allow DNS rebinding attacks;

(4) An error in sending HTTP headers, which may allow cross-domain policy files to be bypassed;

(5) An error in enforcing cross-domain policy files, which may allow certain security restrictions on the web server hosting the file to be bypassed;

(6) When processing the "asfunction" protocol, some parameter input is not correctly validated before being returned to the user, which may allow arbitrary HTML and script code to be injected into the user's browser.

Simply put, the main cause of this vulnerability lies in the ActionScript Virtual Machine (AVM) used since Flash 9.0. This virtual machine executes the ActionScript code used in Flash. Before executing a script, AVM verifies that it is trusted and valid. Because an untrusted, unverified ActionScript script could make Flash Player execute arbitrary code, meaning a hacker could construct any attack program, AVM's strict verification has so far kept Flash very safe.

Strictly speaking, the Flash vulnerability itself is not a major threat: it is merely a null pointer dereference. But a hacker cleverly realised that this NULL pointer could be used to subvert AVM's verification of ActionScript, allowing a malicious script to run in Flash without passing AVM verification. Using this method, hackers can easily build cross-platform, cross-browser Flash exploits that download and execute remote programs via script commands. Moreover, Flash Player does not use ASLR on Windows Vista, so the vulnerability can be exploited smoothly on Vista, making it the most threatening exploit of the year.

 

Flash 0-day exploitation method

Flash 0-day Trojans can be created in two ways: one is to have the Flash 0-day Trojan generator automatically produce an SWF file containing the malicious code; the other is to modify and recompile an SWF file so that it contains the malicious code. How do hackers use these tools to create Flash 0-day Trojans? In fact, the current production process is very simple: generally one only needs to enter a Trojan link address into the generator to produce an SWF Trojan. Disguising the SWF Trojan on a web page, however, takes considerable skill. Below we explain some of the disguise steps hackers have used recently.

[Case 1] SWF Forum embedding

Step 1: Open the Flash 0-day Trojan generator, enter the configured Trojan address in the generator's input window, and click "Generate" to produce the SWF Trojan.

 

Step 2: Open "Flash file encryptor", click "Select & add file" and add the generated SWF file. Under "select encryption method" choose the third item, "play after encryption without a password", and click "execute encryption".

Step 3: Upload the encrypted SWF file to a web server via website space or a blog, then view the page source in the browser to extract the URL of the SWF file. For the forum posting step we use a PHPWind forum as an example. After registering a forum ID, click "post", then click the "insert Flash animation" button at the top of the editing window; the default Flash window size can be kept. Enter the URL of the SWF file and click "OK", and the code that calls the Flash file appears in the editing window. Now simply click Publish: users who browse this post without the patch will be infected.

Each forum's Flash embed code is different, and hackers decide how to post it based on the actual situation.

Feature analysis: many hackers use this method to spread viruses and Trojans on forums. It has a high infection rate, but it is also easily detected by anti-virus software and forum administrators.

 

[Case 2] SWF file embedding

Step 1: Download an SWF animation with a relatively high click rate from a Flash animation website, then open the Flash decompiler "Sothink SWF Decompiler", click "quick open" on the software interface to open the downloaded SWF file, and click "export FLA" to convert the SWF animation to FLA format.

Step 2: Open the Flash authoring software "Flash CS3", click "file" and select "open" to import the converted FLA file. Right-click the animation frame and click "action". On the editing page that appears, select "ActionScript 1.0 & 2.0" in the "Action/frame" column, choose the "loadMovie" command from the pop-up menu, and in the right-hand window set the call to not_set_yet.loadMovie("0day file name.swf", mySquare).

Step 3: After entering that, save the file, then click "file" in the menu and select "publish" to export the animation as SWF again. The Flash 0-day Trojan SWF file produced by the generator is stored in the same directory as the published file. Now open the generated Flash animation Trojan in IE: when the animation plays, the SWF also loads the hidden Trojan.

Feature analysis: this is a highly disguised way of hiding an SWF Trojan. Hackers often choose it because the disguise is convincing and hard for victims to notice. However, it requires the hacker to have their own website space, so it has certain limitations.
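As an added example (not code from the article, and not any vendor's or forum's own tool), the following Python script shows the detection side of Case 1 and Case 2: what a forum administrator who wants to vet SWF attachments before allowing them to be embedded can look for. It decompresses CWS files, walks the SWF tag list, and reports ActionScript 1/2 URL actions (ActionGetURL and ActionGetURL2, which is what getURL, loadMovie and loadVariables compile to) together with any string constants that look like URLs or nested .swf references, the tell-tale of the loadMovie trick from Case 2. The sample SWF it builds is constructed for the demonstration and is not a real Trojan; the flags byte in it is illustrative. ZWS (LZMA-compressed) files and AVM2 (ActionScript 3) bytecode are out of scope.

```python
"""SWF upload triage (added example). Walks the tag list of an FWS/CWS file and
reports AS1/2 URL actions plus string constants that look like URLs or nested
.swf references, so a moderator can vet attachments before they are embedded."""
import re
import struct
import sys
import zlib

ACTION_TAGS = {12: "DoAction", 59: "DoInitAction"}   # tags carrying AS1/2 bytecode
SUSPICIOUS_RE = re.compile(r"(?:https?://|ftp://)\S+|[\w./\\-]+\.swf", re.IGNORECASE)


def decompress_swf(data: bytes) -> bytes:
    """Return the file as FWS; for CWS inflate everything after the 8-byte header."""
    sig = data[:3]
    if sig == b"FWS":
        return data
    if sig == b"CWS":
        return b"FWS" + data[3:8] + zlib.decompress(data[8:])
    raise ValueError(f"unsupported SWF signature {sig!r} (ZWS/LZMA not handled here)")


def iter_tags(swf: bytes):
    """Yield (code, body) for each tag; skips the header RECT, frame rate and count."""
    nbits = swf[8] >> 3                       # RECT starts with a 5-bit field width
    pos = 8 + (5 + 4 * nbits + 7) // 8 + 4    # RECT bytes + u16 frame rate + u16 count
    while pos + 2 <= len(swf):
        (code_len,) = struct.unpack_from("<H", swf, pos)
        pos += 2
        code, length = code_len >> 6, code_len & 0x3F
        if length == 0x3F:                    # long form: real length follows as u32
            (length,) = struct.unpack_from("<I", swf, pos)
            pos += 4
        yield code, swf[pos:pos + length]
        pos += length
        if code == 0:                         # End tag
            break


def _push_strings(payload: bytes):
    """Yield the string items (type 0) of an ActionPush record."""
    width = {1: 4, 2: 0, 3: 0, 4: 1, 5: 1, 6: 8, 7: 4, 8: 1, 9: 2}  # non-string item sizes
    i = 0
    while i < len(payload):
        kind, i = payload[i], i + 1
        if kind == 0:
            end = payload.index(b"\0", i)
            yield payload[i:end].decode("utf-8", "replace")
            i = end + 1
        elif kind in width:
            i += width[kind]
        else:
            return                            # unknown item type: stop parsing this record


def parse_actions(data: bytes):
    """Yield (kind, detail) for the records of one DoAction/DoInitAction body."""
    pos = 0
    while pos < len(data):
        code, pos = data[pos], pos + 1
        if code == 0:                         # ActionEnd
            break
        payload = b""
        if code >= 0x80:                      # codes >= 0x80 carry a u16 length + payload
            (length,) = struct.unpack_from("<H", data, pos)
            payload = data[pos + 2:pos + 2 + length]
            pos += 2 + length
        if code == 0x88:                      # ActionConstantPool: u16 count, then strings
            (count,) = struct.unpack_from("<H", payload, 0)
            for s in payload[2:].split(b"\0")[:count]:
                yield "string", s.decode("utf-8", "replace")
        elif code == 0x96:                    # ActionPush
            for s in _push_strings(payload):
                yield "string", s
        elif code == 0x83:                    # ActionGetURL: url\0 target\0 inline
            url, target = (payload.split(b"\0") + [b"", b""])[:2]
            yield "getURL", f"{url.decode('utf-8', 'replace')} -> {target.decode('utf-8', 'replace')}"
        elif code == 0x9A:                    # ActionGetURL2: url/target are taken from the stack
            flags = payload[0] if payload else 0
            yield "getURL2", f"flags=0x{flags:02x}"


def scan_swf(data: bytes) -> list:
    """Return [(kind, detail)] findings for one SWF blob."""
    findings = []
    for code, body in iter_tags(decompress_swf(data)):
        if code not in ACTION_TAGS:
            continue
        for kind, detail in parse_actions(body):
            if kind == "string" and not SUSPICIOUS_RE.search(detail):
                continue
            kind = "suspicious-string" if kind == "string" else kind
            findings.append((kind, f"{ACTION_TAGS[code]}: {detail}"))
    return findings


def build_sample_swf(compressed: bool = True) -> bytes:
    """Constructed sample, not a real Trojan: one DoAction that pushes "evil.swf" and
    "mySquare" and then runs ActionGetURL2, the shape a loadMovie() call compiles to."""
    def push(s: bytes) -> bytes:
        item = b"\x00" + s + b"\x00"          # type 0 = null-terminated string
        return b"\x96" + struct.pack("<H", len(item)) + item
    actions = push(b"evil.swf") + push(b"mySquare") + b"\x9a\x01\x00\x02" + b"\x00"
    do_action = struct.pack("<H", (12 << 6) | len(actions)) + actions
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1) + do_action + struct.pack("<H", 0)
    header = b"FWS" + bytes([8]) + struct.pack("<I", 8 + len(body))
    return header + body if not compressed else b"CWS" + header[3:] + zlib.compress(body)


if __name__ == "__main__":
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [build_sample_swf()]
    for blob in blobs:
        for kind, detail in scan_swf(blob):
            print(f"{kind:18} {detail}")
```

Run it with file paths as arguments, or with no arguments to scan the built-in sample. A hit is a reason to look closer rather than proof of malice: legitimate animations also load external movies, so what the moderator judges is the URL itself, for example whether it points off-site to a host that has nothing to do with the animation.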

 

Flash 0-Day Defense Technology

Although this Flash vulnerability poses a great threat, you can visit Adobe's official Flash website and download the upgraded version of Adobe Flash Player.

Alternatively, in the IE browser click "Tools" in the menu, choose "Manage Add-ons" and then "Enable or Disable Add-ons", and in the window that appears select "Add-ons used in Internet Explorer". After the list refreshes, click "Shockwave Flash Object" in the list, select "Disable" under Settings, and click "OK".

In the Firefox browser, click "Tools" in the menu, select "Add-ons", click the "Plugins" button in the dialog that opens, find "Shockwave Flash" in the list below and click "Disable".

 
