Flash - you've been botted

There are times when I disagree strongly with Steve Jobs, and times when I think he may just have a point. The point in question being his dislike of Adobe's Flash. Flash, and Adobe Reader, are in the news again because of yet another security hole that's being actively exploited by the bad guys while Adobe can only promise to fix its code sometime the week after next.

The good news here for ThreatSTOP subscribers is that the vulnerability was discovered in part by someone from one of our partners - Shadowserver - and hence ThreatSTOP subscribers will be automatically protected against calls home made by malware that uses this particular attack vector to get installed. This is because the IP addresses that it calls home to will be in the ThreatSTOP lists applied to our subscribers' firewalls. Typically it takes between 2-4 hours for a newly identified bad IP address to make its way from one of our security partners data feeds into our list and then onto the firewalls protected by ThreatSTOP and this process is automated so that it happens at the same speed no matter when the IP address is added to one of our feeds.

Furthermore because of the way this 0day is being spread - malicious flash in ads and the like - it is likely that the malware laden flash will either be sourced on a server already in our "droppers" list or that the flash will attempt to download the full malware package from one of these servers. Thus, even if this malware had not been found by one of our partners, we would still be able to block it.

As one of our other partners - The SANS Internet Storm Center - notes on its alert regarding this attack, this 0-day attack shows up the weakness in traditional malware detection systems:

Keep an eye out for this one folks. It will take a bit for the anti-virus, IDS/IPS and other vendors to catch up and detect the malware that exploits the vulnerability. Although by that point the box affected may well be compromised as most detect after the exploit has already taken place. Since the vendor has released the advisory after being notified that exploits are already occurring against Windows boxes it is recommended to explore workarounds for mitigation, detection of already compromised hosts, and cleanup.

ThreatSTOP, by blocking all traffic to and from the known bad IP addresses, addresses this exact problem. It stops this malware from spreading into our subscribers' networks and means that our subscribers need be less concerned about "mediation, detection of already compromised hosts, and cleanup."

Share this: