CbEvtSvc.exe Is Not Flash

We are researching a couple of highly prevalent pieces of malware, and may be drawing some links between the two.

Thousands of websites have been compromised and are spreading phony “get_flash_update.exe” files via a “showvideo.html” page titled “Watch Free Movie”. But you won’t be watching “Out of Africa” once this malware gets dropped on your system. Instead of updating Flash, the executable delivers months-old malicious functionality: it drops “CbEvtSvc.exe” into the system directory and runs this trojan from there. Exploit pages that we’ve examined also deliver files with static names like “wXtwRzv.exe” and the slightly more camouflaged “C:/Documents and Settings/All Users/Start Menu/Programs/Startup/smss.exe”.

Here is a list of Google results for a search on showvideo.html. You’ll see over one thousand hits (a German news agency reports 20,000 customers at one ISP affected). The compromised sites that we have evaluated in the lab appear to be located mostly in Europe, but they are scattered. They host the same executables, images, HTML and JavaScript exploit pages. DO NOT VISIT THESE LINKS. They will redirect to a 1.html exploit page containing multiple canned exploits that we are analyzing:

Clicking on one of these links takes the user to malicious sites presenting a page with an apparently persuasive social engineering scheme, enticing the user to run a flash update with a blank video mockup. A popup appears with “Flash player: Incorrect version”:

When the user attempts to close the dialog box in front of them, the page takes another stab at prompting the user to run the install (the statistics are probably in the bad guys’ favor here):

This sort of blended threat attack is somewhat like the Storm sites of last year, where the administrators of the malicious content attempt to con the user into manually running the malware if their drive-by exploits from 1.html fail in the browser background. Those themes varied more and were more creative than this one. So far, we’ve seen the following vulnerabilities targeted by canned exploits on these sites:
Old reliable MS06-014 MDAC Vulnerability (nothing new here)
The fresh new Microsoft Office Snapshot Viewer ActiveX control race condition
The one year old Online Media Technologies NCTsoft NCTAudioFile2 ActiveX buffer overflow
A one year old stack overflow in GomManager
The recent RealPlayer.Console heap vulnerability
The ancient (2006) WebViewFolderIcon.setSlice integer overflow vulnerability. Thanks HD, the gift keeps on giving.
The exploit page utilizes reliable heap spray techniques to deliver its standard download and exec shellcode for the overflow attempts.
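For a site owner checking whether their server took part in this chain, the following is an added example (not code from the original post) that reconstructs the showvideo.html → 1.html → get_flash_update.exe sequence per client from web server access logs. The log lines, hostnames and IP addresses are constructed for illustration; the Apache combined log format is assumed.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format access log sample (not from the post);
# only the requested paths match what the post describes.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2008:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.5 - - [01/Aug/2008:10:01:05 +0000] "GET /showvideo.html HTTP/1.1" 200 2210 "http://example.invalid/index.html" "Mozilla/4.0"
10.0.0.5 - - [01/Aug/2008:10:01:06 +0000] "GET /1.html HTTP/1.1" 200 41300 "http://example.invalid/showvideo.html" "Mozilla/4.0"
10.0.0.5 - - [01/Aug/2008:10:01:30 +0000] "GET /get_flash_update.exe HTTP/1.1" 200 98304 "http://example.invalid/showvideo.html" "Mozilla/4.0"
10.0.0.9 - - [01/Aug/2008:10:02:00 +0000] "GET /showvideo.html HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
10.0.0.9 - - [01/Aug/2008:10:02:01 +0000] "GET /1.html HTTP/1.1" 200 41300 "http://example.invalid/showvideo.html" "Mozilla/4.0"
10.0.0.7 - - [01/Aug/2008:10:03:00 +0000] "GET /news/today.html HTTP/1.1" 200 7000 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Stages of the infection chain described in the post, in delivery order.
STAGES = ("showvideo.html", "1.html", "get_flash_update.exe")
LABELS = ("landing-page-only", "exploit-page-served", "downloaded-dropper")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Basename of the request path, query string stripped, case-folded.
    rec["name"] = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return rec


def classify_clients(log_text):
    """Map each client IP to the furthest chain stage it successfully fetched."""
    furthest = defaultdict(lambda: -1)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200 or rec["name"] not in STAGES:
            continue  # unrelated request or a fetch that was not served
        stage = STAGES.index(rec["name"])
        furthest[rec["ip"]] = max(furthest[rec["ip"]], stage)
    return {ip: LABELS[stage] for ip, stage in furthest.items()}


if __name__ == "__main__":
    for ip, label in sorted(classify_clients(SAMPLE_LOG).items()):
        print(ip, label)
```

Any client labelled "downloaded-dropper" fetched the fake updater from this host and should be treated as a likely victim, while any hit at all confirms the site is serving the injected pages.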

We will continue to research this one and provide more details here. The interest here is mostly in the large-scale effort to spread this months-old malware and serve it up on newly compromised sites under a somewhat different name. The spam is mostly the same, as it has been spread as video.exe, video.avi.exe, and others.
Our hunch is that an IM worm or spammed link over the past several days was dropping an FTP password stealer that in turn collected the passwords used to upload these “showvideo.html” pages and other content alongside the usual content to these legitimate sites. The sites continue to serve up legitimate pages as well. There were CuteFTP and other stealers, distributed in prevalence, with random names starting “wins.exe” over the past several days. The first of the suspected stealer family started with the name winsbb.exe.

In the meantime, if you need to update your Flash player, only do so at the legitimate Adobe site.

This entry was posted in Online Fraud.
