In recent days, the Flash vulnerability (CVE-2010-1297) has been used for drive-by downloads. As a result, many websites have been injected with malicious links such as (hxxp://2677.in/yahoo.js), and those compromised websites were intruded by automatic mass-injection tools.

The TOMTOM website is injected with a malicious link
In most cases, hackers are faster than vendors, which gives them a great opportunity to build a strong botnet and control more victims.
The following flow chart shows the attack path of the zero-day.
Read more…
After analyzing the PDF sample (which is still being exploited in the wild), we extracted the embedded Flash file called "pad.swf". This file seems to have been modified from the file at http://lostinactionscript.googlecode.com/svn/trunk/bin/AES-PHP.swf.
If we compare these two files in detail (shown below),
Original AES-PHP.swf (0x66)

Exploit pad.swf (0x40)

Surprisingly, only 1 byte was changed. It causes Flash ActionScript to execute a newfunction() and disturbs the internal ActionScript engine stack.
Here is the problem in the JIT-ed AS code:
Read more…
We have noticed a new and powerful PDF exploit (CVE-2010-0401) in the wild
that leverages CVE-2010-0401 in order to install a Happy Backdoor on the victim's system.
This exploit is more stable; it can bypass ASLR and DEP.
The test environment is Adobe Reader 10.0 on Microsoft Windows XP SP3.

>_<
A great celebration of HIT2010
Release of a reliable CVE-2010-0806 PoC
CFP for HIT2010 is out
http://www.hitcon.org/
WinXP & Vista IE7 reliable PoC
6B6DC815 8B46 08 MOV EAX,DWORD PTR DS:[ESI+8]
6B6DC818 8B08 MOV ECX,DWORD PTR DS:[EAX]
6B6DC81A 50 PUSH EAX
6B6DC81B FF51 08 CALL DWORD PTR DS:[ECX+8]  // ECX=0x0c0c0c0c
The new IE zero-day attack is immediately being used in targeted attacks. In the past few days, we have captured a number of samples derived from the version published on the rec-sec website.
As you can see, the exploit uses a common heap spray method to build a memory region that contains the shellcode. When the shellcode gets executed, malware will be downloaded from a compromised website.
The detailed analysis of this malware can be seen in our system.
Read more…
Recently, we have also found very frequent targeted attacks making use of the incompletely patched TIFF vulnerability (CVE-2010-0188).
What is interesting is that these exploits insert the JavaScript as well as a crafted TIFF (exploit.tif) into an XML Form, and generate the malicious PDF with Adobe LiveCycle ES. The JavaScript is embedded within the form and is not detected by AV.
The traces left in the malicious PDF by the hacker can be found, and it is likely that the hacker is "Yuange" (袁哥 in Chinese) and "panlab" (an exploits lab? If it really is, I also want to join..). However, in the new version of the exploit, we can't find the string "Yuange".
As we know, more features mean more bugs. It is my belief that PDF exploits will increase significantly and be used widely in targeted attacks.
Recently, we have captured many PDF files from Chinese hackers (exploiting CVE-2010-0188), and our private Automatic Malware Analysis System can inspect such exploit files and analyze the malware.
There are two case studies to share with you:
Read more…
Adobe Reader has recently been updated to version 9.3.1, fixing a vulnerability in the LibTIFF "TIFFReadDirectory" function.
This vulnerability originates from CVE-2006-3459, which was reported by Tavis Ormandy of the Google Security Team. Adobe only fixed the AcroForm.api file, but ImageConversion.api still has the vulnerability.
When the program loads or inserts a crafted TIFF image file, the return address on the stack and the SEH record can be overflowed by an improper data-fetching operation.
Read more…
http://www.avertlabs.com/research/blog/index.php/2010/01/14/more-details-on-operation-aurora/
The JavaScript code exploited a zero-day vulnerability in Internet Explorer: the Microsoft Internet Explorer DOM Operation Memory Corruption Vulnerability. Microsoft has released Security Advisory (979352) for this vulnerability (CVE-2010-0249).
http://extraexploit.blogspot.com/2010/01/iexplorer-0day-cve-2010-0249.html
Microsoft confirms IE zero-day behind Google attack
http://www.networkworld.com/news/2010/011510-microsoft-confirms-ie-zero-day-behind.html
Vulnerability in Internet Explorer Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/979352.mspx
http://www.fortiguard.com/analysis/pdfanalysis.html
This exploit uses heap spray to fill memory at 0x0d0d0d0d.
When you look at 0x301DDDA0, you will see the program fall into the "sandwich" that contains many pieces of shellcode.
301DDD99 8BF3 mov esi, ebx
301DDD9B 8B06 mov eax, [esi]
301DDD9D 57 push edi
301DDD9E 8BCE mov ecx, esi
301DDDA0 FF50 48 call [eax+48]
301DDDA3 84C0 test al, al
301DDDA5 75 1B jnz short 301DDDC2
301DDDA7 8B76 14 mov esi, [esi+14]
301DDDAA 85F6 test esi, esi
301DDDAC 75 ED jnz short 301DDD9B
In fact, this kind of exploit is widely used in targeted attacks.