Malware News: CVE-2016-1019 Zero-Day Flash Exploit: Malware Is as Malware Does

(With thanks to Lastline Director of Sales Engineering Dan Mathews for the heavy lifting.)

Within the last couple of weeks, the blogosphere has reported on a new Magnitude Exploit Kit campaign, which was recently confirmed as leveraging a zero-day Flash exploit. Adobe Flash Player 21.0.0.197 and earlier is vulnerable; the flaw allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors, and has been observed to deliver Cryptowall 3.0 ransomware. While an earlier patch mitigated the behavior somewhat, Adobe was forced to release an emergency patch.

There’s a good behavioral analysis of the vulnerability and attack chain here, thanks to the folks at Proofpoint. Unlike many of our other malware posts, where we show the Lastline Labs analysis of attacks, that’s not what’s on my mind here. Instead, let’s talk about why you deploy an advanced malware protection solution. I’ll give you a hint: the answer is in the previous sentence. Protection.

Lastline customers can be assured that they have been protected from the very first observation of the zero-day, though we had never seen the code before. Detonation of samples in Lastline’s sandbox produced the result one would hope: it showed characteristic behaviors of malware, so it was scored as highly malicious. (In fact, five different samples were all scored as 100 out of 100.)

Here are links to the five samples we tested, and the details of the analysis tasks:

https://user.www.lastline.com/malscape#/task/85fab19df4344aa99e96d7d7d559534f
https://user.www.lastline.com/malscape#/task/cc746ef4c77c41df948005cb02a22e1c
https://user.www.lastline.com/malscape#/task/f1f57976bebe40ea97d588077883e0ca
https://user.www.lastline.com/malscape#/task/c8af65edefa04c4f9d4bda12e4b11a2d
https://user.www.lastline.com/malscape#/task/de51cc92cb534ff9b1bda3374ae84a3d

Each of the sample summaries is similar to the following:
[Image: magnitude1.png, sample analysis summary]

What is most significant here is that Lastline does not yet have an exploit signature for this newly published CVE. Even without explicit detection of the Flash 0-day, Lastline detects the other behaviors that are required to successfully deliver the exploit and gain a foothold on the system.

Pivoting to the detailed analysis report, we can see a few of these detected behaviors:

Detailed Analysis task link here.

Within the “Function Call Graph” area, we click the “Expand All” button:

[Image: magnitude2.png, expanded function call graph]
Now we can review the detailed evidence shown within the analysis overview section from the picture above:
Low severity application behaviors:

[Image: magnitude3.png, low-severity application behaviors]
Higher-severity application behaviors discovered from static analysis of program memory:

[Image: magnitude4.png, higher-severity application behaviors]
The Flash vulnerability and the code used to exploit it are new and novel. But the underlying behaviors used to get into the system and to persist in it are far from novel: they are common techniques, which lets Lastline detect the attack through a combination of static and dynamic analysis techniques that are uniquely delivered in our Deep Content Inspection™ technology.
If it walks like malware, and talks like malware… even if we haven’t seen it before, we know it’s malware.
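To make the point concrete, here is a small behavior-based scoring routine written for this post; it is an added example, not Lastline's engine, and it does not reproduce how the Lastline sandbox actually scores. The signature table, the behavior rules and their weights, and the sandbox event logs are all constructed for illustration. The only thing it borrows from the post is the idea: the signature table knows nothing about the new Flash bug, yet the run still scores 100 because the payload has to spawn a process, drop a file, persist, and leave an executable image in memory, and each of those is a rule on its own.

```python
"""Behavior-based verdict for a sandbox run, independent of exploit signatures.

Added example for this post (not Lastline's code). Rules, weights and event
lines are constructed; the verdict thresholds are illustrative.
"""
import re
from dataclasses import dataclass, field

# Constructed exploit-signature table: it has no entry for the new Flash bug,
# which is exactly the situation described in the post. The CVE id below is a
# placeholder key for an older, already-signatured exploit.
KNOWN_EXPLOIT_SIGNATURES = {
    "CVE-OLD-PLACEHOLDER": "flash_bytearray_known_sig",
}

# Constructed behavior rules: (regex over one sandbox event line, label,
# severity, weight). None of them refers to the exploit itself; they describe
# what any payload has to do to run and persist on the host.
BEHAVIOR_RULES = [
    (r"^process\s+\S+\s+spawned\s+(cmd|powershell|wscript)\.exe",
     "plugin host spawns a command interpreter", "high", 40),
    (r"^file\s+write\s+.*\\AppData\\.*\.exe$",
     "executable dropped under the user profile", "high", 30),
    (r"^registry\s+set\s+.*\\CurrentVersion\\Run\\",
     "Run-key persistence", "high", 30),
    (r"^memory\s+\S+\s+.*\bembedded_executable\b",
     "executable image found in process memory (static)", "high", 25),
    (r"^memory\s+\S+\s+.*\bRWX\b",
     "RWX memory region created", "low", 10),
    (r"^network\s+.*user-agent=\"\"",
     "HTTP request with an empty User-Agent", "low", 10),
]


@dataclass
class Verdict:
    score: int
    label: str
    signature_hits: list = field(default_factory=list)
    behaviors: list = field(default_factory=list)  # (label, severity, weight)


def match_signatures(log: str) -> list:
    """Return the ids of known exploit signatures whose token appears in the log."""
    return [cve for cve, token in KNOWN_EXPLOIT_SIGNATURES.items() if token in log]


def match_behaviors(log: str) -> list:
    """Run every behavior rule over every event line; each rule fires at most once."""
    hits = {}
    for line in log.splitlines():
        line = line.strip()
        for pattern, label, severity, weight in BEHAVIOR_RULES:
            if label not in hits and re.search(pattern, line, re.IGNORECASE):
                hits[label] = (label, severity, weight)
    return list(hits.values())


def score_sample(log: str) -> Verdict:
    """Score 0..100: a signature hit is conclusive, otherwise the capped sum of
    behavior weights. A sample can reach 100 with no signature at all."""
    sig_hits = match_signatures(log)
    beh_hits = match_behaviors(log)
    score = 100 if sig_hits else min(100, sum(w for _, _, w in beh_hits))
    if score >= 70:
        label = "malicious"
    elif score >= 20:
        label = "suspicious"
    else:
        label = "benign"
    return Verdict(score, label, sig_hits, beh_hits)


# Constructed sandbox event logs (not real analysis output). Paths, hosts and
# names are made up; example.invalid is a reserved, non-resolving domain.
ZERO_DAY_RUN = r"""
process plugin-container.exe spawned cmd.exe /c "%TEMP%\update.exe"
memory plugin-container.exe VirtualProtect 0x00a40000 RWX
file write C:\Users\victim\AppData\Local\Temp\update.exe
network http GET http://example.invalid/c user-agent=""
registry set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update = C:\Users\victim\AppData\Local\Temp\update.exe
memory update.exe region 0x00400000 embedded_executable
"""

LOW_ONLY_RUN = r"""
memory plugin-container.exe VirtualProtect 0x00a40000 RWX
network http GET http://example.invalid/ping user-agent=""
"""

BENIGN_RUN = r"""
process winword.exe opened C:\Users\victim\Documents\report.docx
network http GET http://example.invalid/update user-agent="Mozilla/5.0"
"""

if __name__ == "__main__":
    for name, log in (("zero-day", ZERO_DAY_RUN), ("low-only", LOW_ONLY_RUN), ("benign", BENIGN_RUN)):
        v = score_sample(log)
        print(f"{name:9s} score={v.score:3d} {v.label:10s} signatures={v.signature_hits}")
        for label, severity, weight in v.behaviors:
            print(f"          [{severity}] {label} (+{weight})")
```

Running it prints a 100/100 "malicious" verdict for the zero-day run with an empty signature list, a 20 "suspicious" verdict for the run that shows only the two low-severity behaviors, and 0 "benign" for the document-editing run. The design choice worth noting is that no single high-severity rule describes the Flash bug: the verdict comes from the delivery and persistence steps the payload cannot skip, which is why a brand-new exploit does not get a free pass.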