Exploit in the Wild, Caught Red-Handed


Imagine a futuristic security technology that can stop any exploit at the exact moment of exploitation, regardless of the way the exploit was built, its evasion techniques, or any mutation it might have or could be imagined to have. This technology is truly agnostic to the form of the attack. An attack prevented, with its attacker captured and caught red-handed at the exact point in time of the exploit... Sounds dreamy, no? For the guys at the stealth startup Morphisec, it's a daily reality. So, I decided to convince the team in the malware analysis lab to share some of their findings from today, and I have to brag about it a bit :)

Exploit Analysis

The target software is Adobe Flash and the vulnerability is CVE-2015-0359 (Flash up to …). Today, the team got a fresh sample that was uploaded to VirusTotal 21 hours ago! From the moment we received it from VirusTotal, the scan results showed that no security tool on the market detected it, except for McAfee GW Edition, which only generically identified its malicious activity.

The guys at Morphisec love samples like these because they allow them to test their product against what is considered to be a zero-day, or at least an unknown attack. Within an hour, the CVE/vulnerability exploited by the attack and the method of exploitation had already been identified.

Technical Analysis

Morphisec prevents the attack when it starts to look for the Flash module's base address (which would later be used to find gadgets). The vulnerability allows the attacker to modify the size of a single array (one of many sequentially allocated arrays, each of size 0x3fe).

The size of one array (0x3fe, at index [401]) is modified to 0x40000001, so that the array appears to span the entire memory. The first doubleword in this array points to a read-only section inside the Flash module. The attacker uses this address as the starting point of an MZ search (the MZ header marks the start of the library): the leaked read-only pointer is aligned down to a 64k boundary, and each search step is 64k long.

After the attacker finds the MZ header, it validates the NT signature of the module, gets the code base pointer and size, and from that point searches for gadgets in the code of the Flash module.
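As an added illustration (not code from the post or from Morphisec), the module-location and header-validation steps described above, written as a memory-forensics routine over a constructed memory image: the PE32 header offsets are the standard ones, while the module position, the leaked pointer value and the decoy "MZ" are assumed sample values.

```python
import struct

def build_sample_image(base_of_code=0x1000, size_of_code=0x3000) -> bytes:
    """Constructed minimal PE32 image (not from the page): MZ stub, e_lfanew, NT signature, COFF and optional header."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                # e_lfanew -> NT headers at 0x80
    img[0x80:0x84] = b"PE\x00\x00"                         # NT signature
    struct.pack_into("<HH12xH", img, 0x84, 0x14C, 1, 0xE0) # Machine=i386, 1 section, SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x98, 0x10B)               # optional header Magic = PE32
    struct.pack_into("<I", img, 0x98 + 4, size_of_code)    # SizeOfCode
    struct.pack_into("<I", img, 0x98 + 20, base_of_code)   # BaseOfCode (RVA)
    return bytes(img)

def parse_code_region(mem: bytes, base: int):
    """Validate MZ and PE\\0\\0 at `base`; return (code_base, code_size) as offsets into mem, or None."""
    if base < 0 or base + 0x40 > len(mem) or mem[base:base + 2] != b"MZ":
        return None
    pe = base + struct.unpack_from("<I", mem, base + 0x3C)[0]
    opt = pe + 24                                          # optional header follows 4-byte sig + 20-byte COFF header
    if opt + 24 > len(mem) or mem[pe:pe + 4] != b"PE\x00\x00":
        return None
    if struct.unpack_from("<H", mem, opt)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    size_of_code = struct.unpack_from("<I", mem, opt + 4)[0]
    base_of_code = struct.unpack_from("<I", mem, opt + 20)[0]
    return base + base_of_code, size_of_code

def find_module(mem: bytes, leaked_ptr: int, max_steps: int = 64):
    """Align the leaked pointer down to 64k and step down one 64k page at a time until a header validates."""
    addr = leaked_ptr & ~(0x10000 - 1)
    for _ in range(max_steps):
        region = parse_code_region(mem, addr)
        if region is not None:
            return (addr,) + region                        # (module_base, code_base, code_size)
        addr -= 0x10000
    return None

def build_sample_memory() -> bytes:
    """Constructed 384 KiB image: the module at 0x30000 plus a decoy 'MZ' at 0x40000 without an NT signature."""
    mem = bytearray(0x60000)
    mem[0x30000:0x30200] = build_sample_image()
    mem[0x40000:0x40002] = b"MZ"
    struct.pack_into("<I", mem, 0x40000 + 0x3C, 0x80)      # e_lfanew points at zeros, so validation rejects it
    return bytes(mem)

if __name__ == "__main__":
    base, code, size = find_module(build_sample_memory(), 0x42345)  # leaked read-only pointer (assumed)
    print("module 0x%x, code 0x%x-0x%x" % (base, code, code + size))
```

The decoy at 0x40000 shows why the NT-signature check matters: the first 64k-aligned candidate carries an "MZ" but no PE header, so the walk continues to the real module one page lower.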


Morphisec's technology not only stopped it at the first step of exploitation, it also identified the targeted vulnerability and the method of exploitation as part of its amazing real-time forensic capability. All of this was done instantly, in memory, at the binary level, without any decompilation!

I imagine that pretty soon the other security products will add the signature of this sample to their databases so it can be properly detected. Nevertheless, the situation remains that each new mutation of the same attack makes the common security arsenal "blind" to it, which is not very efficient. Gladly, Morphisec is changing this reality! I know that when a startup is still in stealth mode and there is no public information about such comparisons, it's a bit "unfair" to the other technologies on the market, but still... I just had to mention it :)

P.S. Pretty soon we will start sharing more details about Morphisec's technology, so stay tuned. Follow us via Twitter @morphisec for more updates.