Angler/Flash 0-day FAQ
Version 1.1 - Friday, January 23 15:45PST
This document will be updated and maintained as new or updated information becomes available. Continue to check this page for updates.
What is Angler?
The Angler Exploit Kit (EK) is a toolkit used by malware authors and cybercriminals to deliver other pieces of malware. Typically these exploit kits are used in compromised websites that victims are guided to through links and phishing emails in order to infect victims.
What has happened?
Noted malware researcher Kafeine spotted an instance in the wild of Angler EK which was leveraging three vulnerabilities in Adobe's ubiquitous Flash Player software. Two of the vulnerabilities are known, but the third exploit was not previously seen.
In this case, due to the large install base of Adobe Flash Player, it may be possible for an attacker to target not only the expected Windows machines, but Mac OS X and Linux as well. As of this writing, FortiGuard Labs has not detected any attempts to infect non-Windows machines.
Should I be worried? What should I do?
If you are among the millions of Flash users out there, it is of critical importance to patch your installation of Flash Player. While the patch deployed by Adobe today does not appear to mitigate all the vulnerabilities seen in the wild, it does stop most of them. Adobe's update for both Windows and Mac OS X is version 220.127.116.117 and version 18.104.22.1688 on Linux distros. To check your current version of Flash, you can click this link. If you are unable to update immediately, it is recommended you disable Flash Player entirely until Adobe deploys another update to address the third vulnerability.
What can I do as a FortiGate user?
FortiGuard Labs deployed AV signature update package 23.675 which contains detection for the 0-day exploit. We are now detecting it as
SWF/SwfExp.FC!exploit. If you do not have automatic AV updates enabled on your FortiGate, please obtain the latest package as soon as possible and deploy to your FortiGate. If you are using FortiManager to deploy packages to multiple FortiGate devices, you are encouraged to deploy this AV package as soon as possible.
The IPS team within FortiGuard is currently developing a signature to detect the new version of Angler EK that contains this 0-day. Development, testing and QA is on an accelerated schedule and will deploy via an IPS update package as soon as possible. IPS signatures can often require significant tweaking and tuning to prevent false positives, so we can not provide a firm release ETA as of yet.
In the interim, for customers who wish to deploy a customized IPS solution to detect and block this latest version of Angler EK, FortiGuard Labs is providing the following solution. It is important to note that this is a beta signature, and may lead to false positives. We encourage those interested to take the time to determine if the need to detect and block Angler EK via IPS is greater than waiting for a deployed signature via FDN.
With that in mind, if you wish to deploy a custom IPS signature, here is what you should deploy:
1. Create the following custom signature first and set to "Monitor". This signature is used for tracking purposes in coordination with the second signature below:
F-SBID( --name "Angler.EK.Jan2015.Custom.Tag.Set"; --protocol tcp; --service HTTP; --flow from_server; --pattern "!DOCTYPE html PUBLIC |22|-//W3C//DTD XHTML 1.0 Strict//EN|22|"; --context body; --within 57, context; --pattern "<html lang=|22|"; --context body; --within 130; --tag set,ExploitKit.AnglerEK; )
2. Create and add this second signature and set to "Block". This will block the exploit kit's landing page:
F-SBID( --name "Angler.EK.Jan2015.Custom.Tag.Test"; --protocol tcp; --service HTTP; --flow from_server; --pattern "/|5c|s/g"; --context body; --pattern ".replace"; --context body; --within 150; --pattern "/|5c 5c|r|5c 5c|n/g"; --context body; --within 50; --tag test,ExploitKit.AnglerEK; )
UPDATE (Friday, Jan 23):
FortiGuard Labs has deployed IPS signature package v5.601 today which addresses this threat (as well as others). For full details, you can refer to this link. For more information on the threat itself, this link is available which provides further information. FortiGuard Labs recommends you update your devices to IPS package v5.601 as soon as possible and ensure your IPS is set to detect and block this threat.
FortiGuard Labs is continuing to monitor developments on this and will provide more information if and when needed.