Adobe Zero-day Used in LadyBoyle Attack
Yesterday, Adobe released an out of cycle patch that fixed two zero-day vulnerabilities (CVE-2013-0633, CVE-2013-0634) for Adobe Flash Player 11.5.502.146 and earlier versions for both Windows and Macintosh. The patch was released because the zero-days were being actively exploited for attacks in the wild. Symantec recommends applying the patch immediately.
Reports of the attack seen in the wild using CVE-2013-0634 have been dubbed “LadyBoyle” following FireEye’s initial analysis of the attack. In the analysis they identified a class file, with the name LadyBoyle, that contained the exploit code. Symantec can confirm that these exploits were actively being distributed in targeted attacks in the wild. Figure 1 shows an example of a targeted attack email with a Word document attachment that contains CVE-2013-0634. Symantec Mail Security for Microsoft Exchange blocked the attack on February 4.
Figure 1. Targeted email containing exploit
If the targeted attack was successful and a victim opened the attached document, the Flash object embedded within the document would execute the Flash zero-day (CVE-2013-0634), as seen in Figure 2.
Figure 2. Targeted attack using CVE-2013-0634
As seen in Figure 2, Symantec has detections in place for the stages of this attack as Trojan.Mdropper, Trojan.Swifi, and Backdoor.Boda. Once a system has been compromised with Backdoor.Boda it will contact a command-and-control (C&C) server hosted at iee.boeing.job.com, which is currently offline. The following intrusion prevention signature (IPS) will be released later today for CVE-2013-0634, which is known to be actively delivered through malicious Flash (SWF) content hosted on websites:
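The delivery chain described above (a Word document carrying an embedded Flash object that fires the exploit) can be triaged at the mail gateway or on an analyst's workstation by checking Office attachments for SWF headers before they are opened. The following is an added example, not Symantec's detection logic or code from the original post: it scans either an OOXML (.docx) container member by member or a legacy OLE/raw blob for the three SWF magic values (FWS, CWS, ZWS) with a plausibility check on the version and length fields. The sample inputs, including the member name word/activeX/activeX1.bin, are constructed for the example and are not taken from the LadyBoyle documents.

```python
import io
import re
import zipfile
import zlib

# Magic bytes of the three SWF container forms (FWS plain, CWS zlib, ZWS LZMA)
# followed by the one-byte SWF version. Bounding the version to 1..31 covers the
# Flash Player 11.x era and rejects printable ASCII, so the letters "FWS" inside
# ordinary text do not trigger a hit. Raise the bound for newer SWF versions.
SWF_MAGIC = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x1f]")


def find_swf_headers(data):
    """Return a list of plausible SWF headers found anywhere in a byte blob."""
    hits = []
    for m in SWF_MAGIC.finditer(data):
        off = m.start()
        if off + 8 > len(data):
            continue
        declared = int.from_bytes(data[off + 4:off + 8], "little")
        # FileLength is the uncompressed size including the 8-byte header,
        # so anything smaller cannot be a real SWF header.
        if declared < 8:
            continue
        hits.append({
            "offset": off,
            "signature": data[off:off + 3].decode("ascii"),
            "version": data[off + 3],
            "declared_length": declared,
        })
    return hits


def scan_document(data):
    """Classify the container and return (container_type, findings).

    OOXML (.docx) is a zip, so each member is scanned separately; legacy OLE
    (.doc) and anything else is scanned as raw bytes. The raw scan is
    deliberately naive: a header split across OLE sectors would be missed,
    which is a caveat, not a feature.
    """
    findings = []
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                for h in find_swf_headers(zf.read(name)):
                    h["member"] = name
                    findings.append(h)
        return "ooxml", findings
    for h in find_swf_headers(data):
        h["member"] = None
        findings.append(h)
    return "ole-or-raw", findings


def build_samples():
    """Constructed inputs for this example: synthetic files, not real malware."""
    # Uncompressed SWF stub: header (version 10, length 64) plus filler.
    fws = b"FWS" + bytes([10]) + (64).to_bytes(4, "little") + b"\x00" * 56
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        # Hypothetical member name; 100 bytes of padding precede the SWF.
        zf.writestr("word/activeX/activeX1.bin", b"\x00" * 100 + fws)
    # zlib-compressed SWF stub buried in filler, standing in for an OLE .doc.
    body = zlib.compress(b"\x00" * 500)
    cws = b"CWS" + bytes([15]) + (508).to_bytes(4, "little") + body
    ole_like = b"\xd0\xcf\x11\xe0" + b"\x11" * 300 + cws + b"\x22" * 50
    # Benign text that happens to contain the letters "FWS".
    benign = b"The FWS report for Q1 is attached."
    return {"docx": docx.getvalue(), "ole": ole_like, "benign": benign}


if __name__ == "__main__":
    for label, blob in build_samples().items():
        kind, hits = scan_document(blob)
        print(label, kind, hits)
```

A hit only says that a Flash object is present, which is legitimate in some documents; the value of the check is that a Flash object inside an emailed Word attachment is rare enough to justify quarantining the message for analysis, or blocking it outright in environments that never need Flash in Office content.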
We are currently investigating further protections for this zero-day and will provide an update to this blog when possible. As always, Symantec advises users to ensure that operating systems and software are kept up to date and to avoid clicking on suspicious links and opening suspicious email attachments.
After further analysis we have confirmed that the exploit referred to in this blog is CVE-2013-0634 and not CVE-2013-0633 as originally stated.
The following detections for this threat have been added:
- Bloodhound.Flash.19 is a heuristic detection for files attempting to exploit the Adobe Flash Player Remote Memory Corruption Vulnerability (CVE-2013-0634).
- Bloodhound.Flash.20 is a heuristic detection for files attempting to exploit the Adobe Flash Player Buffer Overflow Vulnerability (CVE-2013-0633).