New Adobe Flash Zero-Day found in the Wild

Posted: January 21, 2015 by Jérôme Segura
Last updated: March 30, 2016

Security researcher Kafeine has discovered a Zero-Day in Adobe Flash Player distributed through the Angler Exploit Kit. An Oday is an exploit for a vulnerability that has not been patched yet, meaning that even the most up-to-date systems could get infected.

[Edit: the vulnerability has now been assigned CVE-2015-0311]

Flash has been plagued with critical vulnerabilities in the past few months and surpassed the no longer popular Java as the most exploited plugin.

We immediately got our hands on this new Zero-Day (thanks Kafeine) and were able to replay it as well with the goal of testing our Anti-Exploit product:

With the latest version of Internet Explorer (IE11) and latest version of Flash (16.0.0.257), the exploit was successfully blocked by Malwarebytes Anti-Exploit.

On unprotected machines, the Angler Exploit Kit will install Bedep, a distribution botnet that can load multiple payloads on the infected host.

As this is a breaking story, we are still analyzing the exploit and will update this post later accordingly.

Update: 01/21/15: Some details about the malware payload.

The payload in this particular instance was ad fraud. Upon infection, explorer.exe (not to be confused with iexplore.exe) is injected and performs the ad fraud calls.

The following Fiddler capture shows how a zombie PC is gaming the ad networks with bogus requests without the victim’s knowledge:

Unfortunately it is very hard to tell apart real users from fake ones and advertisers essentially end up paying for “impressions” or “clicks” where a human being was never involved.

Update(2): 01/21/15: Firefox or Win 8.1 vulnerable with Flash Player vulnerability. See: here and here.

Update(3): 01/21/15: Microsoft releases FixIt for Windows 8 and 8.1 as well as Windows Server 2012.

Update(4): 01/22/15: Adobe releases a patch for CVE-2015-0310 which is a different vulnerability than the one mentioned here.

Update(4): 01/23/15: Malvertising campaign rides on Flash Zero-Day wave

We are tracking an ongoing campaign that is taking advantage of the latest Flash vulnerability. Major websites are unwillingly participating in the distribution of the Bedep Trojan via malicious ads propagated via various advertisers:

clkrev.com
ptrk-wn.com
clkoffers.com
affyieldmb.com
zeroredirect1.com
zb.zeroredirect2.com
onclickads.net

The campaign can be identified by rotating referers using the .eu TLD which redirect to Angler EK landing pages (.in TLD).

In some instances users get redirected to fake warning pages (tech support scams):

We will keep monitoring this campaign as it evolves.

Update(5): 01/24/15: Adobe releases patch for 0day

Adobe has released an update to the Flash Player to fix CVE-2015-0311. As always make sure you are downloading this update (version 16.0.0.287) ASAP, from the official site.

@jeromesegura

COMMENTS

Pingback: Exploit Kits: A Fast Growing Threat | Malwarebytes Unpacked()
Pingback: ste williams – Adobe Investigating New Flash Zero-Day Spotted In Crimeware Kit()
Pingback: Attack for Flash 0day goes live in popular exploit kit - TechCrawler()
Pingback: Attack for Flash 0day goes live in popular exploit kit | CTECH 3384()
Pingback: Attack for Flash 0day goes live in popular exploit kit | Daily Tech News()
Pingback: Attack for Flash 0day goes live in popular exploit kit | infopunk.org()
Pingback: Attack for Flash 0day goes live in popular exploit kit | Ad Jet()
Pingback: Attack for Flash 0day goes live in popular exploit kit * The New World()
Pingback: Attack for Flash 0day goes live in popular exploit kitClassy bikes for those classy days | Classy bikes for those classy days()
Pingback: Attack for Flash 0day goes live in popular exploit kit | Project Management Buzz()
Pingback: Exploit Kits: A Fast Growing Threat - InfosecHotspot()
Pingback: Flash 0-day under attack to spread ad fraud malware | Nagg()
Pingback: Flash zero-day flaw under attack to spread adware, botnet | Nagg()
Pingback: Známý exploit kit obsahuje exploit na zero-day zranitelnost Flashe » Kyber bezpečnost()
Pingback: Attack for Flash 0day goes live in popular exploit kit | 0-HACK()
Pingback: Neue Zero-Day-Lücke in Flash Player entdeckt | ZDNet.de()
Pingback: Zero-Day-Lücke in Flash Player ermöglicht Botnetze - silicon.de()
Pingback: Attack for Flash 0day goes live in popular exploit kit | The other line moves faster.()
Pingback: Attack for Flash 0day goes live in popular exploit kit | Change your style, keep your budget()
Pingback: Zero-Day Vulnerability in Adobe Flash Player Reported | eTeknix()
Pingback: Attack for Flash 0day goes live in popular exploit kit |()
Pingback: Sicherheitsproblem bei Adobe Flash Player – Deskmodder.de()
Nick Young

SO i am guessing this is a Flash Vulnerability and not a windows one specifically?
meowdotjar

Yes, it is a Adobe Flash vulnerability. I believe a patch has been released according to Brian Krebs, but I can not currently confirm.
Pingback: Attack for Flash 0day goes live in popular exploit kit | VIGALUM()
Pingback: Cool News Story Bro! Week of 01-23-2015 -()
MalwareBites

No, a patch has not yet been released. My other computer just got infected with this Angler Kit thing a few minutes before i read this LOL
Pingback: Exploit Kits: A Fast Growing Threat : Gold Canyon Computers / East Valley Geeks()
Pingback: Adobe Flash Malware Crushes Almost All Browsers | Virtual Media Assistant()
Pingback: A Week in Security (Jan 18 – 24) | Malwarebytes Unpacked()
Pingback: New Adobe Flash Zero-Day found in the Wild | MalwareBulletin()
Grey Nomad

‘Oh and don’t keep automatic updating on…’
True, True, True.
& don’t rely on Microsoft’s reasons for an update. Research online, & if in doubt wait a while (then research for problems found with the update) before installing the update.
Also back up your registry & make a restore point before installing any MS updates.
Diego Valle

if i update fire fox is became vulnerable or they infect my pc
Diego Valle

i have windows 7 is vulnerable to
Pingback: Top adult site xhamster involved in large malvertising campaign | Malwarebytes Unpacked()
Kerry R White

Typo? Update dates are for February.
zarathustra2k1

Did you even /read/ the article?

“Update(5): 02/24/15: Adobe releases patch for 0day

Adobe has released an update to the Flash Player to fix CVE-2015-0311. As always make sure you are downloading this update (version 16.0.0.287) ASAP, from the official site.”
Diego Valle

i dont understand they said if i upddate adobe flash is going to make more vulnerable my pc
Jeffrey Hope

The article updates from the second one on are postdated (it’ll be a few days before it’s February 2015).
Pingback: Flash Player victime d’une faille zero day exploitée | DFISysteme()
redwolfe_98

the issue is a vulnerability in adobe’s “flash player”.. the solution is to install the update for “adobe flash player”..

for people who are using “windows 8”, they get updates for “adobe flash player” by installing updates for “internet explorer”, which updates the “flash player”..

addtionally, as malwarebytes is telling you, if you use their “anti-exploit” program, it can protect you from being victimized by the exploit-kit that is taking advantage of the vulnerability in “adobe flash player”..

the thing to do is to keep everything, like “adobe flash player”, up-to-date.. that way, your computer is less likely to have a vulnerability that can be exploited, in order to install malware on your computer..

if you really want to lock down your computer, making it secure, i would suggest using the “firefox” browser along with the “adblock plus” and “noscript” addons.. “noscript” restricts javascript from running, which makes your browser more secure, to help to prevent “drive-by malware-infections”..
redwolfe_98

the problem is not with “firefox”.. the problem is a vulnerability in adobe’s “flash player”.. it is adobe’s “flash player” that you need to update, if you haven’t already done that..
Pingback: Cool News Story Bro! Week of 01-30-2015 -()
CoyoteMan50

Notice they are Google lines of code. lol
Do I have a bridge in San Francisco Bay to sell you! :)) :))
CoyoteMan50

Google still shadowing them librel commies in Berkeley. lmao
Theresa

Is there anyone that can help me?
mZomp

I never get infected with this stuff! Where do you all go to get this harmful stuff on your computer? Do you check domain names in emails? Websites?
mZomp

^ 1/24/15
I was like, wait a minute…it’s only 2/12/2015
Pingback: Top Adult Site RedTube Compromised, Redirects to Malware | Malwarebytes Unpacked()
Pingback: Attack for Flash 0day goes live in popular exploit kit - The Best Tech News()
CoyoteMan50

Get the latest version of Flash Player and Java Scripting language is all you can do.
For the record I never supported Java scripting language from the start because I understood it was too vulnerable to the criminal elements.
Pingback: Attack for Flash 0day goes live in popular exploit kit | Telly tv()
MalwareBites

Yeah I check the domain names, but I’m a tech junkie so sometimes i go to malicious website just for fun to see if my AV will detect it, which it does. For some reason I find it fun to remove viruses from my crappy computer. Oh, also, “I never get infected with this stuff!”. You might have the infection and just not know it.
mZomp

You’re right that it’s possible to be infected and not even realize it, but I too am a techie and programmer. I know what’s running on my machines and I’m 100% certain I’m not infected with anything. I agree with you that it is fun to remove the viruses. I actually like to watch what they do and have worked with source code for several of them, just to see the inner workings. I’ve never put anything I’ve recompiled out there for people to download though and I only work with viruses in virtual machines because it takes too long to setup a regular PC over and over.
MalwareBites

Ah, OK. I can’t use VMs on my computer because of its crap specs with 3GB DDR2 RAM, single core cpu, etc. When I get a decent new laptop I’ll start using VMs, but for the moment I run viruses in Sandboxie to prevent them from infecting me.
mZomp

My opinion, get yourself a good desktop machine and use it as your media center. I have my PC attached to my TV and watch everything there. I find it better than a Roku or Apple TV with having a mouse and keyboard. Then for a laptop get a surface 3 if you can afford one lol. I can’t yet so I just have an Asus Transformer. Any tablet works great for a laptop as long as it’s a windows tablet and you have a keyboard and mouse. Windows has built in Remote Desktop so when your tablet doesn’t have the horsepower then use your tablet to access the desktop with RDP. I’m sure as a techie yourself none of this is new to you, but feel free to ask me anything about my setup or technology related.
MalwareBites

Surface 3 looks awesome but its price is too high and its specs are terrible, right now I’m looking at an HP Envy 17t for its good price and its dual drive bays. I have a media center desktop, sometimes I use it but not really, I don’t watch TV and movies that much. As for the Windows tablet, we only have those HP and Dell ones and the Surface, and the prices for those are too high, or they can’t have a keyboard and mouse. Remote Desktop comes in handy, but I don’t use it much as I can just use Teamviewer, and because my laptop is the most powerful machine in the house usually. None of this is new to me, but thanks for the reply!
Pingback: Exploit Kit authors give up on Malwarebytes users | Malwarebytes Unpacked()
Pingback: Adobe solucionó una vulnerabilidad de Flash conocida tras las filtraciones de Hacking Team - Tecnovortex()
chepace

How does one know if they are infected? What symptoms would exist?

RELATED ARTICLES

Exploits | Threat analysis

Citadel: a cyber-criminal’s ultimate weapon?

November 5, 2012 - In old times, a citadel was a fortress used as the last line of defense. For cyber criminals it is a powerful and state-of-the-art toolkit to both distribute malware and manage infected computers (bots). Citadel is an offspring of the (too) popular Zeus crimekit whose main goal is to steal banking credentials by capturing keystrokes...

CONTINUE READING No Comments

Exploits | Threat analysis

Web Exploits: a bright future ahead

January 2, 2013 - The majority of computers get infected from visiting a specially crafted webpage that exploits one or multiple software vulnerabilities. It could be by clicking a link within an email or simply browsing the net, and it happens silently without any user interaction whatsoever. Vulnerabilities are flaws that exist in various programs and that allow someone to...

CONTINUE READING 2 Comments

Exploits | Threat analysis

Zero-Day Java vulnerability wreaks havoc on computers worldwide

January 14, 2013 - Update (1/14/2013) Oracle has issued an emergency patch to be shipped with version 7 update 11. While we are pleased to see a quick turnaround time, we stand by our initial recommendations to disable Java in your browser. This is still the most exploited piece of software and whether it is patched or not still unnecessarily puts you...

CONTINUE READING 1 Comment

Exploits | Threat analysis

New Exploit Kit, Ransomware and AV evasion

March 14, 2013 - Ransomware is still going strong and infecting countless PCs. We happened to stumble upon an interesting sample part of the Urausy family which bypassed detection on all major antivirus products for almost an entire day before slowly being detected. In this post we will give some information on its background (where it came from) and...

CONTINUE READING No Comments

Exploits | Threat analysis

Redkit Exploit Kit does the splits

April 5, 2013 - Exploit Kit authors must really love Java . Not only is it ripe with vulnerabilities but its own language provides a great platform to write and deliver malware in different ways. We are used to seeing encrypted payloads (XOR, AES encryption), applets containing both the exploit itself and the binary payload. Today we will talk...

CONTINUE READING No Comments

ABOUT THE AUTHOR

Jérôme Segura
Lead Malware Intelligence Analyst

Security researcher with a focus on exploits, malvertising and fraud.

CATEGORIES

101 Cybercrime Malwarebytes news PUP Security world

TOP POSTS

New Adobe Flash Zero-Day found in the Wild

Citadel: a cyber-criminal’s ultimate weapon?

Web Exploits: a bright future ahead

Zero-Day Java vulnerability wreaks havoc on computers worldwide

New Exploit Kit, Ransomware and AV evasion

Redkit Exploit Kit does the splits

Cybersecurity info you can’t do without