
Bloodhound.Exploit.52 (Flash Player 7) detections - SANS Internet Storm Center


We received a report of multiple alerts from an enterprise Symantec user. The alerts are Bloodhound.Exploit.52 detections, "a heuristic detection for the Flash Player 7 Improper Memory Access Vulnerability, as described in MPSB05-07."

Samples of the files triggering the detections are not available at the moment.

If you're seeing this or any other related alerts please drop us a note.

UPDATE

The submitter has sent the following information:

"We are using Symantec Corporate Edition 10.0.1.1000, scan engine: 51.2.0.12. We also use rapid release definition files and the version 11/10/2005 rev. 39 and a version from 11/11/2005 unknown revision. The trick is that you have to have Flash Player 7.0.19; any newer version of Flash Player does not trigger the Symantec alert. Hope that helps."

We received a second report, similar to the first. The websites reported at this point do not involve any domains I'm familiar with that have been known to dish out malware. More to come!

UPDATE

Symantec's write-up says "Files that are detected as Bloodhound.Exploit.52 may be malicious. We suggest that you submit to Symantec Security Response any files that are detected as Bloodhound.Exploit.52."

FINAL UPDATE - We received this information from a contributor who asked for anonymity - "I checked with my Symantec Technical Account Manager regarding Bloodhound.Exploit.52.  They've only had false positive submissions on that heuristic so they've revised it.  The revised heuristic is available in the Rapid Release definitions.  Certified definitions will have the revised heuristic tomorrow."

Thanks for all the reports.

Patrick
