Quick Analysis of CVE-2011-0609 Adobe Flash Player

Adobe recently reported the existence of a new zero day flaw in flash player affecting flash player 10.2.152.33. and prior. The vulnerable binary is authplay.dll which ships with Adobe Reader. The attack makes use of a SWF file embedded inside an Excel file, which is delivered as an email attachment. The vulnerability can allow an attacker to inject and execute malicious code on a target system. I executed the malicious sample file and got a snapshot of the memory image. When I execute the command to list all the processes spawned, the process having pid 1548 looks suspicious. The process svchost.exe having a PID 1548 gets started after all the other svchost.exe processes have started.

The next step which became obvious was to check for the path from where this process has been started. The filesvchost.exe should be in system32 folder. If the process is legitimate then the path for the file should point to system32 directory. However in this case the path of the file svchost.exe pointed to my desktop. So the process id 1548 is malicious.

Next step was to check if the process is opening any sockets. It seems that process 1548 is opening sockets at port 1034.

So the malicious excel file when executed drops another malicious file titled “svchost.exe” at the desktop which opens socket at port 1034. Alert Logic customers are protected against the vulnerability.