Thursday, March 17, 2011

Trojan.Linxder and The Flash 0-day (CVE-2011-0609)

Via FireEye Malware Intelligence Lab Blog -

Adobe recently reported the existence of a new zero-day flaw in Flash Player which, according to them, affects Flash Player and earlier versions. Soon after, additional news broke showing that this flaw had been used in limited targeted attacks. The initial attacks used a SWF file embedded inside an MS Excel file to lure users into opening it. Once a user opens the Excel file, the embedded Flash file is activated and exploits the vulnerability. The Bugix-security blog described the exploitation process in great detail here.

Today, I would like to extend this analysis by talking more about the malware behind the exploit. What kind of malware is this? What does it do, and who might be the people behind this attack? During the course of my investigation, I found some clues leading me to the potential hackers behind these attacks. My preliminary analysis shows that Chinese hackers are probably the masterminds of this attack. I will come to the reasons for this conclusion later.


From the user's perspective it all happens very quickly:

Attacker's Excel file ---> exploit SWF ---> a.exe ---> svshost.exe & crsenvironscan2.xls (decoy)

An unaware user will believe they have simply opened crsenvironscan2.xls. Note the dropped executable's name, svshost.exe, chosen to resemble the legitimate Windows svchost.exe.
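The chain above starts with a SWF file carried inside an Office document, which is something a defender can triage for without executing anything. The following is an added example written for this page, not code from the original post or from FireEye: a first-pass scanner that hunts for SWF headers (the uncompressed FWS and zlib-compressed CWS variants) anywhere in a file and cross-checks each hit against the length field the header declares, so that a chance three-byte match is not reported as a finding. The sample document it scans is constructed inline and is not the real crsenvironscan2.xls.

```python
import re
import struct
import zlib
from dataclasses import dataclass
from typing import List

# Magic of an OLE2 compound file, the container format behind .xls/.doc/.ppt
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Every SWF starts with a 3-byte signature, a 1-byte version and a 4-byte
# little-endian length.  FWS = uncompressed body, CWS = zlib-compressed body.
# (ZWS, the LZMA variant, post-dates this attack and is not handled here.)
SWF_SIG = re.compile(rb"FWS|CWS")


@dataclass
class SwfHit:
    offset: int            # byte offset of the SWF header inside the document
    signature: str         # "FWS" or "CWS"
    version: int           # SWF format version byte
    declared_length: int   # uncompressed SWF length declared in the header
    verified: bool         # header agrees with the bytes that follow it


def find_embedded_swf(data: bytes) -> List[SwfHit]:
    """Return every plausible SWF header found anywhere in `data`.

    A signature match alone is noisy (three ASCII bytes can occur by chance),
    so each hit is cross-checked: an FWS must fit in the remaining bytes, and
    a CWS body must inflate to exactly declared_length - 8 bytes.
    """
    hits = []
    for m in SWF_SIG.finditer(data):
        off = m.start()
        if off + 8 > len(data):          # not even room for a full header
            continue
        sig = m.group(0).decode()
        version = data[off + 3]
        length = struct.unpack_from("<I", data, off + 4)[0]
        # Real SWF versions run from 1 to roughly 50; 8 bytes is the minimum size
        if not 1 <= version <= 50 or length < 8:
            continue
        body = data[off + 8:]
        if sig == "FWS":
            verified = length <= len(body) + 8
        else:
            try:
                # decompressobj stops at the end of the zlib stream and ignores trailing bytes
                inflated = zlib.decompressobj().decompress(body)
                verified = len(inflated) + 8 == length
            except zlib.error:
                verified = False
        hits.append(SwfHit(off, sig, version, length, verified))
    return hits


def suspicious_offsets(data: bytes) -> List[int]:
    """Offsets of SWF headers whose length field checks out."""
    return [h.offset for h in find_embedded_swf(data) if h.verified]


def build_sample_document() -> bytes:
    """Constructed test fixture (not the real malicious workbook): an OLE header,
    padding, an uncompressed SWF, a fake sheet name, then a zlib-compressed SWF."""
    # 33-byte stand-in for a SWF body: frame size/rate/count fields plus filler
    swf_body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\x00" * 20
    fws = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(swf_body)) + swf_body
    cws = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(swf_body)) + zlib.compress(swf_body)
    return OLE_MAGIC + b"\x00" * 64 + fws + b"Sheet1" + b"\x00" * 32 + cws + b"\x00" * 16


if __name__ == "__main__":
    doc = build_sample_document()
    for hit in find_embedded_swf(doc):
        print(hit)
```

A raw byte scan is a triage step, not a verdict: an OLE2 file stores streams in 512-byte sectors that need not be contiguous, so a SWF header split across sectors is missed and a full tool walks the OLE directory instead. It also says nothing about whether the SWF is malicious; a verified hit in a spreadsheet is simply a reason to pull the object out and look at it.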


As explained above, the decoy Excel file exists only to convince the end user that they have opened a benign document. For the attack to succeed without leaving tell-tale traces, the attackers needed to supply a valid, convincing data file to lure users into opening it.


The last saved date (3/8/2011) is very close to the time this attack became known. The file also appears to have been last saved on a computer where the logged-in username was 'linxder'. Note that this "last saved by" field is written by the Office client and can be set to anything, so on its own it is weak evidence.

Who is this linxder? My colleague Darien pointed me to a few links on Google that tell us that a person named “linxder” is a known Chinese threat actor. He is an old-school hacker with a fairly expansive social network.


Looking at linxder's Baidu profile, one sees that he talks a great deal about weaponizing Flash containers inside other file formats, which is exactly what happens in this attack.

Based on this evidence it can be said with reasonable confidence that Chinese hackers are the masterminds of this attack, although it is also possible that a rival group is trying to mislead investigators by falsely implicating linxder.
