Check Point has the scoop:
http://www.checkpoint.com/downloads/partners/TCC-Silverlight-Jan2015.pdf
Silverlight exploits may be less common, but this particular one obfuscates itself and can infect any desktop that has loaded the Silverlight plugin.
Background to Silverlight:
“The Silverlight framework enables the development of web applications with features similar to those of Adobe flash and Java Applets.
The Silverlight runtime environment is available for Windows and Mac OS X as a browser plugin.”
i.e. Silverlight was Microsoft’s competitive answer to Adobe Flash and Java applets (moving images via programmatic methods).
The vulnerability background summary listed in the report (from cvedetails) is also interesting; vulnerabilities reported from 2010 to 2014:
Silverlight: 15
Adobe Acrobat Reader: 268
Adobe Flash Player: 321
Microsoft Internet Explorer: 392
Java: 358
It only takes one well-made exploit to infect hundreds of thousands of computers around the world, and because this runs in the desktop environment it also means the anti-virus software must be missing it.
The Check Point authors (Omri Herscovici & Liran Englender) point out that this particular exploit was obfuscated by encrypting part of its code and command instructions, which of course makes it much more difficult for the AV vendors to detect and remove.
The technical report is also useful for learning something about the shellcode execution.
This is an interesting sentence of the analysis: “The shellcode then downloads the payload into the Internet Explorer temp folder.
The payload comes with an “mp3” extension, which is used to evade IPS, IDS and traffic policy.”
So not only are they trying to evade anti-virus, but also IDS and IPS policies, by using a .mp3 file extension.
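As an added illustration (not from the Check Point report or this post), here is one host-side check a defender can run over a download folder: classify each file by its leading bytes rather than by its name, so a Windows executable saved with an “.mp3” extension is flagged. The file names and byte samples are constructed for the example.

```python
from pathlib import Path
import tempfile

# Leading bytes that identify a Windows PE image versus MP3 audio.
PE_MAGIC = b"MZ"
ID3_MAGIC = b"ID3"  # ID3v2 tag that precedes most MP3 files

def is_mpeg_frame_sync(head: bytes) -> bool:
    """True if the bytes start with an MPEG audio frame sync (11 set bits)."""
    return len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0

def classify(head: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name entirely."""
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(ID3_MAGIC) or is_mpeg_frame_sync(head):
        return "mp3"
    return "unknown"

def extension_mismatch(name: str, head: bytes) -> bool:
    """Flag a file whose name claims MP3 audio but whose content is a PE image."""
    return Path(name).suffix.lower() == ".mp3" and classify(head) == "pe"

def scan_dir(directory: str) -> list:
    """Return the names of disguised executables found in a download folder."""
    hits = []
    for p in Path(directory).iterdir():
        if p.is_file():
            with open(p, "rb") as f:
                head = f.read(4)
            if extension_mismatch(p.name, head):
                hits.append(p.name)
    return sorted(hits)

def demo() -> list:
    """Constructed sample 'downloads' written to a temp folder so the check runs offline."""
    d = Path(tempfile.mkdtemp())
    samples = {
        "track01.mp3": b"ID3\x04\x00\x00" + b"\x00" * 10,          # genuine ID3-tagged audio
        "track02.mp3": b"\xff\xfb\x90\x00" + b"\x00" * 10,          # raw MPEG frame, no tag
        "update.mp3": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8,  # PE image disguised as audio
        "setup.exe": b"MZ\x90\x00" + b"\x00" * 10,                  # PE image with an honest name
    }
    for name, data in samples.items():
        (d / name).write_bytes(data)
    return scan_dir(str(d))

if __name__ == "__main__":
    print(demo())  # ['update.mp3']
```

The same content-versus-name comparison is what a proxy or IDS would need to apply to the downloaded stream, since the extension alone carries no information about the file.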
I wanted to post this analysis to show that the war of anti-virus and IPS defenses is in constant ebb and flow, but as usual the attacker has the advantage.
Remember that it took several weeks to review this exploit kit and then create definition files and IPS policies. In the meantime the code could have been installed on thousands if not millions of computers.
This is why the attackers will always have the advantage, and why we have to get much better before we can turn the tide.
As you may guess, this is only one example of a “new” attack in the sea of malware coming in.
Do the best you can – Use the principle of Philotimo to guide you –