Flash in the Formula!

Well the malware authors have discovered yet another vehicle for delivering and triggering their dual-actioned Adobe Flash vulnerability (which I talked about at a recent conference), this time in Microsoft Excel (expect to see them in PowerPoint and Word as well!)

The style of attack was recently outlined by Pob here, where a PDF document with two specifically crafted Flash objects work together to exploit the vulnerability. It was only a matter of time before the AVs caught up and started blocking suspicious PDFs and so the game has moved onto finding other compound files capable of embedding and invoking Flash objects. Microsofts OLE2 compound document format is well suited to this scenario and is being actively exploited as the sample submissions indicate.

The submitted sample (detected as Troj/xDrop-A) already raises suspicion by being some 215k in size yet when opened in Excel appearing somewhat empty…

Empty that is until I select all, revealing two objects hidden away in cell U1! This is confirmed by examining the Excel sheet in another tool which clearly shows an embedded Flash (SWF).

The two embedded Flash objects are detected as Troj/SWFExp-M and Troj/SWFExp-N and are of the same nature as used in the PDF of recent past (the majority of malware authors seldom create new exploits or shellcode, they simply mix-and-match existing work done by some clever security researcher.)

What does this mean for the end user? Keep patched (operating system as well as applications) and do not accept or open attachments from untrusted/unknown sources.

This vulnerability has recently been fixed by Adobe with a patch (APSB09-10) being available from their website.

As always SophosLabs endeavors to provide customers with proactive detection via identities and product features (HIPs and BOPs).