Sunday, January 12, 2014

CVE-2013-5331 evaded AV by using obscure Flash compression ZWS

Update: 2013-01-14 added Yara signature.

We recently came across what is likely the CVE-2013-5331 zero day (Adobe Flash in MS Office .doc) file on virustotal.com (Biglietto Visita.doc, MD5: 2192f9b0209b7e7aa6d32a075e53126d, 0 detections on 2013-11-11, 2/49 on 2013-12-23). The filename is Italian for "visit card" and could be related to MFA targeting in Italy. This exploit was patched 2013-12-10, and was in the wild for at least a full month.



While it appears to be the only CVE-2013-5331 sample on Virustotal we could find, it's also interesting that the Flash exploit payload is a very unusual ZWS compression header (the compression algorithm uses LZMA as in Lempel–Ziv–Markov chain algorithm and which is also used in 7zip). Flash CWS headers for Gzip compression is the most commonly used, and we are not aware of Flash content creation tools outputting ZWS Flash. This compression method ZWS combined with embedding within MSOffice documents is very likely to evade most AV products.

From our Cryptam Database Related files with similar metadata:
5da6a1d46641044b782d5c169ccb8fbf 2013-06-28 CVE-2012-5054 7/46 2013-07-07
8d70043395a2d0e87096c67e0d68f931 2013-06-28 CVE-2013-0633 6/46 2013 07-18

Yara Rule for ZWS Flash embedded in MSOffice:
rule doc_zws_flash {
    meta:
    ref ="2192f9b0209b7e7aa6d32a075e53126d"
    author = "MalwareTracker.com"
    date = "2013-01-11"

    strings:
        $header = {66 55 66 55 ?? ?? ?? 00 5A 57 53}
        $control = "CONTROL ShockwaveFlash.ShockwaveFlash"
      
    condition:
        all of them
}

No comments:

Post a Comment