When this master exploit encounters one of these twelve combinations [of platform and Windows version number], it will unpack the string by interpreting it as a hex-encoded byte sequence, and then reload this code as a Flash file via loader.loadBytes(). I don't believe it: A Flash file which is decoded dynamically and then loaded proceeds to load another dynamically created Flash file from a repertoire of twelve strings. But it's true. When I copy the first string into my hex editor, I can clearly detect the structure of a, this time uncompressed, Flash file.
That's what I call professional! The various versions of the Flash environment differ to such a degree that exploits which rely on specific addresses only cause the Player to crash, which doesn't serve the attackers. Therefore, they either have to write very generic shell code – which is quite difficult, or they arm themselves with an arsenal of very specific exploits and then choose the one that fits the respective Flash Player. Quite obviously, our little criminal has chosen the easier way and is carrying a whole arsenal of weapons.
This is a very clever exploit. And I seem to find myself saying that altogether too frequently of late.
The first generation of malware was one-off exploits, frequentyly fairly simple, put together usually by single individuals who launched them themselves for the notoriety, for extortion, or just to see what they could wreck. The second generation was the polymorphic virus development toolkits that let basically any black-hat wanna-be build a virus with a handy point-and-drool interface, and fast-spreading blitz worms like Code Red. And the third generation...
Well, the third is sophisticated, professionally-crafted attacks like this, like Stuxnet, like Conficker.
The world has changed. Again. And not for the better.