Another Desktop Exploit – Silverlight Problem

Checkpoint has the scoop:

http://www.checkpoint.com/downloads/partners/TCC-Silverlight-Jan2015.pdf

Silverlight exploits may be less common, but unfortunately this particular exploit obfuscates itself and can infect any desktop that has the Silverlight plugin loaded.

Background to Silverlight:

“The Silverlight framework enables the development of web applications with features similar to those of Adobe Flash and Java Applets.
The Silverlight runtime environment is available for Windows and Mac OS X as a browser plugin.”

i.e. Silverlight was Microsoft’s competitive answer to Adobe Flash and Java applets (moving images driven by programmatic methods).

The vulnerability counts listed in the report (from cvedetails) for 2010 to 2014 are also interesting:

Silverlight: 15
Adobe Acrobat Reader: 268
Adobe Flash Player: 321
Microsoft Internet Explorer: 392
Java: 358

It only takes one well-executed exploit to infect hundreds of thousands of computers around the world, and because this is in the desktop environment it also means the anti-virus software must have missed it.

So the Checkpoint authors (Omri Herscovici & Liran Englender) point out that this particular exploit was obfuscated by encrypting part of its code and command instructions, which of course makes it much more difficult for the AV vendors to detect and remove.

The technical report is useful for learning something about the shellcode execution:

infinity-exploitkit


This is an interesting sentence of the analysis: “The shellcode then downloads the payload into Internet Explorer temp folder.
The payload comes with an “mp3” extension, which is used to evade IPS, IDS and traffic policy.”

So they are trying to evade not only anti-virus, but also IDS and IPS policies, simply by using a .mp3 file extension on the downloaded payload.
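One defensive response to the trick described above is to classify a downloaded file by its header bytes rather than by its name, and flag files whose extension does not match their real content. The Python below is an added example written for this post, not code from the Check Point report; the expected-type table, the sample file names and the constructed buffers are assumptions made for the demonstration.

```python
import struct
from pathlib import PurePath

# Header signatures the classifier recognises (assumed minimal set).
PE_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
ID3_MAGIC = b"ID3"


def sniff_type(data: bytes) -> str:
    """Classify a byte buffer by its header, ignoring the file name entirely."""
    if data.startswith(PE_MAGIC) and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points to the PE signature in a real executable.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
            return "pe"
        return "dos-mz"  # MZ stub without a PE header
    if data.startswith(ID3_MAGIC):
        return "mp3"
    # Raw MPEG audio frame: 11-bit frame sync (first byte 0xFF, top 3 bits of second set).
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


# Assumed policy: which sniffed types are acceptable for a given extension.
EXPECTED_TYPE = {".mp3": {"mp3"}, ".exe": {"pe"}, ".dll": {"pe"}}


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the file's content does not match what its extension claims."""
    expected = EXPECTED_TYPE.get(PurePath(filename).suffix.lower())
    if expected is None:
        return False  # no expectation recorded for this extension
    return sniff_type(data) not in expected


def build_fake_pe() -> bytes:
    """Construct a minimal PE-looking buffer (sample data only, not a real binary)."""
    buf = bytearray(0x60)
    buf[0:2] = PE_MAGIC
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    buf[0x40:0x44] = PE_SIGNATURE
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample: an executable saved under an audio extension.
    print("payload.mp3 mismatch:", extension_mismatch("payload.mp3", build_fake_pe()))
    print("song.mp3 mismatch:", extension_mismatch("song.mp3", b"ID3\x04\x00" + b"\x00" * 20))
```

A proxy or IDS that applies this kind of content sniffing to downloads will flag the report’s “.mp3” payload regardless of what the URL or file name says.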

I wanted to post this analysis to show that the war between attackers and anti-virus/IPS defenses is in constant ebb and flow, but as usual the attacker has the advantage.

Remember that it took several weeks to review this exploit kit and then create definition files and IPS policies. In the meantime the code could have been deployed on thousands if not millions of computers.

This is why the attackers will always have the advantage and why we have to get much better before we can turn the tide.

As you may guess, this is only one example of a “new” attack in the sea of malware coming in.

Do the best you can – Use the principle of Philotimo to guide you –

Youtube video (regarding ΦΙΛΟΤΙΜΟ)

http://youtu.be/DaPF4_-gH4g


Contact Us to get an independent audit/test completed of your environment.


About Us: http://www.fixvirus.com/about-us/
