Exploit:SWF/Blacole.G is a malicious Adobe Shockwave Flash (.SWF) file, distributed as part of the "Blackhole" exploit kit, that exploits a vulnerability described in CVE-2011-2110. Successful exploitation by the malware could result in downloading and executing arbitrary files.

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Exploit:SWF/Blacole.G is a malicious Adobe Shockwave Flash (.SWF) file, distributed as part of the "Blackhole" exploit kit, that exploits a vulnerability described in CVE-2011-2110. Successful exploitation by the malware could result in downloading and executing arbitrary files.

Installation

This malware may be encountered when visiting a web page containing the malicious file. Exploit:SWF/Blacole.G has been observed to be distributed as files named "field.swf" and "score.swf".

Payload

Downloads arbitrary files
Exploit:SWF/Blacole.G  exploits a vulnerability described in CVE-2011-2110. The malware is loaded by JavaScript that first checks if an older and vulnerable version of Adobe Shockwave Player is installed, such as the following:

• version 10.0
• version 10.1
• versions 10.2.0 to 10.2.158

If the exploitation is successful, additional malware will be downloaded from a hyperlink that is XOR encrypted inside the body of the JavaScript code.

Exploit:SWF/Blacole.G may also download malware as a file named "wpbt0.dll", which is then installed by executing the following instruction:

regsvr32 -s wpbt0.dll

Analysis by Horea Coroiu