Nytro Posted January 13, 2014 Report Posted January 13, 2014 [h=3]CVE-2013-5331 evaded AV by using obscure Flash compression ZWS[/h] We recently came across what is likely the CVE-2013-5331 zero day (Adobe Flash in MS Office .doc) file on virustotal.com (Biglietto Visita.doc, MD5: 2192f9b0209b7e7aa6d32a075e53126d, 0 detections on 2013-11-11, 2/49 on 2013-12-23). The filename is Italian for "visit card" and could be related to MFA targeting in Italy. This exploit was patched 2013-12-10, and was in the wild for at least a full month. While it appears to be the only CVE-2013-5331 sample on Virustotal we could find, it's also interesting that the Flash exploit payload is a very unusual ZWS compression (LZMA as in Lempel–Ziv–Markov chain algorithm and originally used in 7zip). CWS or Gzip compression is the most commonly used. This compression method ZWS combined with embedding within MSOffice documents is very likely to evade most AV products.From our Cryptam Database Related files with similar metadata:5da6a1d46641044b782d5c169ccb8fbf 2013-06-28 CVE-2012-5054 7/46 2013-07-078d70043395a2d0e87096c67e0d68f931 2013-06-28 CVE-2013-0633 6/46 2013 07-18 Posted by DT at 2:42 AM Sursa: malware tracker blog: CVE-2013-5331 evaded AV by using obscure Flash compression ZWS Quote
