Archive

Author Archive

Flash zero-day (CVE-2010-1297) used in mass injections

June 13, 2010 Mars 1 comment

In recent days, the Flash vulnerability (CVE-2010-1297) has been used for drive-by downloads. As a result, many websites have been injected with malicious links such as (hxxp://2677.in/yahoo.js), and those compromised websites were intruded by automatic mass injection tools.

Mass Injections   

TOMTOM website injected with the malicious link

In most cases, hackers are faster than vendors, which gives them a great opportunity to build a strong botnet and control more victims. :(

The following flow chart shows the attack path of the zero-day.

Read more…

Flash crash caused by bad P-Code modification (CVE-2010-1297)

June 10, 2010 Mars No comments yet

After analyzing the PDF sample (which is still being exploited in the wild), we extracted the embedded Flash file called "pad.swf". This file appears to be modified from the file at http://lostinactionscript.googlecode.com/svn/trunk/bin/AES-PHP.swf.

If we compare the two files closely (shown below),

Original AES-PHP.swf (0x66)

Exploit pad.swf (0x40)

It is surprising that only 1 byte was changed. It causes the Flash ActionScript to execute newfunction() and disturbs the internal ActionScript engine stack.

Here is the problem in the JIT-compiled AS code:

Read more…

Categories: Exploits

New Arrival: CVE-2010-0806 – IE6/7 ZeroDay

March 11, 2010 Mars 3 comments

The new IE zero-day is immediately being used in targeted attacks. In the past few days, we have captured a number of samples derived from the version published on the rec-sec website.

As you can see, the exploit uses a common heap spray method to fill memory with a region that contains the shellcode. When the shellcode gets executed, malware is downloaded from a compromised website.

The detailed analysis of this malware can be seen in our system.

Read more…

Categories: Exploits, Malware Research

Targeted Attack: The guy leaves a message in an exploit for the CVE-2010-0188 vulnerability

March 11, 2010 Mars No comments yet

Recently, we have also found very frequent targeted attacks making use of the (incompletely) patched TIFF vulnerability (CVE-2010-0188).

What is interesting is that these exploits insert the JavaScript as well as the crafted TIFF (exploit.tif) into an XML form, and generate the malicious PDF with Adobe LiveCycle ES. The JavaScript is embedded within the form, and it is not detected by AV.

The tracks the hacker left in the malicious PDF can be found, and it is likely that the hacker is "Yuange" (袁哥 in Chinese) and "panlab" (an exploits lab? If it really is, I also want to join.. :) ). However, in the new version of the exploit, we can't find the string "Yuange".

As we know, more features, more bugs. It is my belief that PDF exploits will increase significantly and be used widely in targeted attacks.

Categories: Exploits, Malware Research

CVE-2010-0188, APSB10-07 PDF Exploit demonstration

February 24, 2010 Mars 1 comment

Adobe Reader has recently been updated to version 9.3.1, fixing a vulnerability in the LibTIFF "TIFFReadDirectory" function.

This vulnerability originates from CVE-2006-3459, which was reported by Tavis Ormandy of the Google Security Team. Adobe only fixed the AcroForm.api file, but ImageConversion.api still has the vulnerability too.

When the program loads or inserts a crafted TIFF image file, the return address and SEH record on the stack can be overflowed by a bad data-fetching operation.

Read more…

Categories: Exploits

Chip and PIN is Broken

February 15, 2010 Mars 1 comment

Chip and PIN: bypassing the PIN code

EMV is the dominant protocol used for smart card payments worldwide, with over 730 million cards in circulation. Known to bank customers as "Chip and PIN", it is used in Europe; it is being introduced in Canada; and there is pressure from banks to introduce it in the USA too. EMV secures credit and debit card transactions by authenticating both the card and the customer presenting it through a combination of cryptographic authentication codes, digital signatures, and the entry of a PIN. The following paper describes and demonstrates a protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card's PIN, and to remain undetected even when the merchant has an online connection to the banking network. The fraudster performs a man-in-the-middle attack to trick the terminal into believing the PIN verified correctly, while telling the issuing bank that no PIN was entered at all.

Categories: General Discuss

About CVE-2009-1862 (authplay.dll)

December 28, 2009 Mars No comments yet

http://www.fortiguard.com/analysis/pdfanalysis.html

This exploit uses heap spray to fill memory at 0x0d0d0d0d.
When you look at 0x301DDDA0, you will see the program fall into the "sandwich" that contains many pieces of shellcode: the indirect call [eax+48] takes its target from an object pointer that now points into the sprayed region.

301DDD99    8BF3            mov     esi, ebx
301DDD9B    8B06            mov     eax, [esi]
301DDD9D    57              push    edi
301DDD9E    8BCE            mov     ecx, esi
301DDDA0    FF50 48         call    [eax+48]
301DDDA3    84C0            test    al, al
301DDDA5    75 1B           jnz     short 301DDDC2
301DDDA7    8B76 14         mov     esi, [esi+14]
301DDDAA    85F6            test    esi, esi
301DDDAC    75 ED           jnz     short 301DDD9B

In fact, this kind of exploit is widely used in targeted attacks.

Categories: Exploits

The Internet is like a car without brakes

December 28, 2009 Mars No comments yet

As technology keeps advancing, the Internet has improved the efficiency of communication and the convenience of society, but it has also directly changed people's daily lives, for example: mobile wireless Internet access, the whole population going crazy over Facebook's Happy Farm, and the appearance of microblogs such as Plurk and Twitter. Today's Internet development is like a car without a braking system: it lacks security in itself, and when it also meets a bad driver, it naturally gives rise to many information security and crime problems, such as personal data leaks, online fraud, online money laundering, hacker intrusions and other security incidents.

Categories: General Discuss

Protecting data is everyone's responsibility

December 28, 2009 Mars No comments yet

One of the hottest security topics of recent years, the problem of data leakage, still cannot be brought under effective control. To this day, whether domestic or foreign, government or private organizations, there are still many news reports of data breaches almost every month. In addition, hacker attack techniques have changed: for example, from intruding the local machine (client) to taking over websites (web), from virus infection to spyware implantation, and from executables (EXE) to various documents (DOC, PDF, SWF) carrying malicious programs into users' computers. If people's security habits when using computers do not change (taking work home, opening e-mails and links of unknown origin, and so on), and the existing scanning and detection technologies cannot effectively block such attacks, data leaks at many companies and enterprises will keep happening. Although the current Computer-Processed Personal Data Protection Act does not regulate organizations outside the eight designated industries, if citizens' personal data leak because they were not properly safeguarded, besides leaving customers with a poor impression, the leaked data are also very hard to recall.

Categories: General Discuss