The Latest in IT Security

Exploits for CVE-2011-2110 focus on South Korea
Last week, Adobe released an update (APSB11-18) for Adobe Flash Player, fixing a memory corruption vulnerability (CVE-2011-2110) that would allow attackers to take control of the targeted system. In the Advisory, Adobe mentioned reports of active exploitation. We have been tracking the use of this exploit through our signatures (originally as Exploit:SWF/ShellCode.A, and then later as Exploit:SWF/CVE-2011-2110.A) released to Microsoft Security Essentials and Forefront customers for a number of days now and saw significant increases in exploit activity over the weekend. An interesting facet of the use of this exploit is that most of the targets are in South Korea. We saw a peak of activity on Sunday, with this exploit attempt being reported by 17,813 computers, 14,890 of them in South Korea.

[Chart: CVE-2011-2110 exploit attempts reported per day, by country]
We’ve seen a focus on Korea in the early history of other 0-day exploits and attack techniques:

  • CVE-2010-3962, which we dubbed the Weekend Warrior for its weekend-based attacks focused on South Korea
  • SWF/Jaswi.A, another exploit method using Flash
  • CVE-2010-3972, an Internet Explorer 0-day
  • CVE-2011-0611, another Flash 0-day that hit South Korea with over 5,000 attack attempts the day after the update was released on April 15

Seeing South Korea show up in these types of attacks is starting to become commonplace.

The attacks on CVE-2011-2110 have been using a fairly standard pattern. Most of them are some variation of this exploit in a file called main.swf. Even the SHA1s are fairly consistent. Here are our top hits, which represent about 96% of all of the exploit attempts we’ve seen:

SHA1 of Attack Attempts:
77A5EA9473E48771FD1F2931D00575159A902AE0 – 24%
5D05BF2E9AB3905240DD6A3B0009CEFAEC134058 – 20%
33DB18D2E74792F2AD9F4CD817D772C9BC73C86C – 16%
EB08317AF86F44C3C3BE159E63321B2CDC9E9E6F – 12%
44E46CF75360090C9A78164880A7BF392E00CC89 – 8%
989646B68323DAAFF95966B7DF982E54F8EF203F – 6%
46E9CE2092EFD73B557C081A9C5DADFE1434E090 – 6%
EB1A594D178B8BCBC873087F784E715CE9BA6121 – 3%

In any case, stay safe, employ endpoint protection, and apply the update if you haven’t already!

-Holly Stewart, MMPC
