CVE-2012-1535: Adobe Flash being exploited in the wild

August 15, 2012  |  Jaime Blasco

Yesterday Adobe issued a security update to address CVE-2012-1535 that was being exploited in the wild.

The sample that we analyzed is a Microsoft Office Word document with an embedded malicious Flash file.

The name of the malicious doc file is iPhone 5 Battery.doc, md5: 7e3770351aed43fd6c5cab8e06dc0300

The doc file contains an uncompressed Flash file at offset 13832; that Flash file carries the heap-spraying code.

The shellcode uses an XOR loader to decrypt and execute the embedded payload, which is stored inside the DOC file encrypted with a 256-byte XOR key.

We can easily extract the payload using our findexec.py script.

$ python findexec.py "iPhone 5 Battery.doc" OFFICE

Analyzing Office file

One Byte distributionAverage 1166

Detected possible cyphered data on position 67584 of length 135168

Best Val num ocurrences 256

Guessed key length 256

Calculating calculateOccurencesBySize

Key found c4c5c6c7d8d9dadbdcdddedfd0d1d2d3d4d5d6d728292a2b2c2d2e2f202122232425262738393a3b3c3d3e3f3031

Found executable at offset 3264

File saved on 1345068027.exe

Found executable at offset 27936

File saved on 1345068028.exe
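The statistics behind that output are simple enough to reproduce. The following Python is an added example, not the findexec.py script the post refers to: it assumes the ciphered region has already been carved out, builds a constructed stand-in for the dropped PE (all helper names, the 256-byte key and the sample data are made up for the example) and shows why a repeating XOR key leaks from a PE file. PE images are dominated by 0x00 bytes, so for each key position the most frequent ciphertext byte is the key byte itself, and the period at which that per-position majority explains the most data is the key length.

```python
from collections import Counter

def guess_key_length(data: bytes, max_len: int = 300) -> int:
    """Score each period by the fraction of data its per-position top byte
    explains; multiples of the true period score the same, so keep the shortest."""
    best_len, best_score = 1, -1.0
    for klen in range(1, max_len + 1):
        if len(data) < 4 * klen:  # too few samples per key position to judge
            break
        hits = sum(Counter(data[p::klen]).most_common(1)[0][1] for p in range(klen))
        if hits / len(data) > best_score + 0.01:
            best_len, best_score = klen, hits / len(data)
    return best_len

def recover_key(data: bytes, klen: int) -> bytes:
    """Most frequent ciphertext byte per position is the key byte: 0x00 ^ k == k."""
    return bytes(Counter(data[p::klen]).most_common(1)[0][0] for p in range(klen))

def xor_apply(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def find_executables(blob: bytes) -> list[int]:
    """Offsets of 'MZ' headers whose e_lfanew really points at a 'PE\\0\\0' signature."""
    hits, off = [], blob.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(blob):
            lfanew = int.from_bytes(blob[off + 0x3C:off + 0x40], "little")
            if blob[off + lfanew:off + lfanew + 4] == b"PE\0\0":
                hits.append(off)
        off = blob.find(b"MZ", off + 1)
    return hits

def build_fake_pe(size: int = 6144) -> bytes:
    """Constructed stand-in for a dropped payload: MZ stub, PE signature, a little
    'code', and the zero padding that makes real PE files leak their XOR key."""
    img = bytearray(size)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    img[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew -> PE signature
    img[0x200:0x400] = bytes((i * 7 + 3) & 0xFF for i in range(0x200))
    return bytes(img)

KEY = bytes((i * 37 + 11) & 0xFF for i in range(256))  # constructed 256-byte key
BLOB = xor_apply(build_fake_pe(), KEY)  # the carved-out ciphered region
def analyze(blob: bytes):
    """Return (guessed key length, recovered key, executable offsets in the plaintext)."""
    klen = guess_key_length(blob)
    key = recover_key(blob, klen)
    return klen, key, find_executables(xor_apply(blob, key))
```

Against a real carve the only extra work is the ciphered-region detection the tool does first; a payload that is compressed or otherwise low in zero bytes defeats the majority-vote step and needs a known-plaintext anchor such as the MZ/PE headers instead.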

Once the document is opened and the vulnerability is exploited, the shellcode opens a benign doc file with the following content:

Once the payload is executed, the following dll is dropped on the system:

C:\Documents and Settings\Administrator\Application Data\taskman.dll

md5: fe7e03f7f62f2d65c5b8e233300a373c

And executed using rundll32:

rundll32.exe C:\Documents and Settings\Administrator\Application Data\taskman.dll start

This backdoor is known as c0d0so0 and also as Backdoor.Briba, and it has been seen in other targeted attacks exploiting CVE-2012-0779, among others, during the past few months.

The backdoor contacts the remote server publicnews.mooo.com using an HTTP POST request:

It also tries to download the following file:

publicnews.mooo.com points to:

unassigned.psychz.net

Psychz Networks PSYCHZ-NETWORKS (NET-108-171-240-0-1)

The server is not responding anymore, but based on the VirusTotal report it seems logo.gif is a ZIP file containing an executable that is dropped on the system as:

C:\Documents and Settings\<USER>\Application Data\TASKMAN_16vtn.exe

The executable drops another DLL that is called using rundll32:

C:\WINDOWS\system32\cmd.exe "C:\WINDOWS\system32\cmd.exe" /c rundll32.exe "C:\Documents and Settings\All Users\Application Data\XpsFilter.dll" (successful)

That process performs HTTP POST requests to the following URL:

hxxp://publicupdate[.]mooo[.]com/index000000001.asp

That resolves to:

n122z183l230.bb122100.ctm.net

The use of dynamic DNS providers such as DynDNS.org and 3322.net is very common in this kind of threat. You should be monitoring requests to dynamic DNS providers in your network; the following Snort rules detect hosts resolving or contacting mooo.com subdomains:

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to mooo.com Domain *.mooo.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|mooo|03|com|00|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:1111111113; rev:6;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INFO DYNAMIC_DNS HTTP Request to a *.mooo.com Domain"; flow:established,to_server; content:".mooo.com|0D 0A|"; http_header; classtype:bad-unknown; sid:1111111112; rev:3;)

The following rule is also useful to detect the presence of Backdoor.Briba:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TROJAN Backdoor.Briba Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"loginmid="; http_client_body; content:"nickid="; http_client_body; classtype:trojan-activity; sid:1111111114; rev:1;)

And of course, remember to patch your systems!


We have found another sample of Backdoor.Briba related to the same campaign. This sample connects to the C&C publicdocs.mooo.com, and in this case the server is still up. The sample downloads the file hxxp://publicdocs[.]mooo[.]com/docs/help.gif

The file contains a GIF header followed by a password-protected ZIP file. The password is easy to extract from the original sample (password123).

It drops and executes the XpsFilter.dll mentioned above. This file has a low antivirus detection rate:

