Monday, March 5, 2012

Flash in Doc CVE-2012-0754 detection added to Cryptam

We've added to support to our Cryptam document analysis system detect the embedded flash in Office document exploit CVE-2012-0754, which is a recently patched with a new Flash Player update, yet increasingly used in attacks since at least Feb 27.

Cryptam will detect compressed Flash (CWS) files, decompress them and search for signatures of CVE-2012-0754 as well as conduct a cryptographic analysis to detect XOR encrypted executables as well as ROL encoding to detect new emerging or unknown threats in document format files.

We've noted a small number of samples of CVE-2012-0754 with 2 separate URLs for the remote mp4 file. The embedded executables have used a 1 byte XOR+ROL or just ROL 2 encoded.

View Cryptam Document Analysis System reporting of sample e92a4fc283eb2802ad6d0e24c7fcc857 reported on Contagiodump.

No comments:

Post a Comment