Tuesday, June 15, 2010

Symantec: A Zero-day Connection

Via Symantec Connect Blog -

While investigating the malware and shellcode that were associated with the recent Adobe Flash Player, Adobe Reader, and Acrobat 'authplay.dll' Remote Code Execution Vulnerability (BID 40586), we came across some interesting similarities to the malware and shellcode that were used in the Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability (BID 38615) targeted attacks from March 2010.

[...]

Both of these shellcode samples hook UnhandledExceptionFilter, MessageBeep, and LdrShutdownThread, and are fairly advanced. It appears that the goal of the shellcode author was to protect the zero-day and hide the attack from the victim. We have seen this shellcode before! We wrote about it in 2008 in the blog titled "Protecting Zero-Day." It was used in a targeted attack against the Microsoft Internet Explorer XML Handling Remote Code Execution Vulnerability (BID 32721). That makes three attacks using this private shellcode to target zero-days over a period of two years. It is quite common to have a shellcode that is used in many attacks; for this reason, we started to examine the similarities between the malware used in both of the attacks.

[...]

Funnily enough, the filename for the DLL used in the IEPeers attack is 'wshipl.dll' and the filename for the DLL that was used in this recent attack is 'wshipm.dll', suggesting an incremental version increase in versions from "l" to "m." This is all very interesting. It is difficult to look at these similarities without drawing the conclusion that these attacks are linked by methodology and tool chain.

Of course it is impossible to say for sure, but it certainly seems like the attacker(s) that targeted the Adobe Flash Player, Adobe Reader, and Acrobat 'authplay.dll' Remote Code Execution Vulnerability this month also participated in the IEPeers attack from March 2010, and potentially even participated in the targeted attack against the Microsoft Internet Explorer XML Handling Remote Code Execution Vulnerability in 2008. The term Advanced Persistent Threat (APT) is fashionable at the moment—and we hesitate to use it—but an active attacker that uses a zero-day to target their victims over such a long period of time seems to be the kind of attacker that this term applies to, which should be a concern for those who are working to protect their infrastructure and assets.
