Archived Blog

Malicious Flash redirectors

08.21.2008 - 3:00 PM

Most of our blog readers are probably quite familiar with the use of redirectors by malicious groups to automatically redirect a user upon visiting a page. Generally, this is done so that users are presented with a link they are more familiar with, but that has been compromised in some way. For example, the attackers may have added a few very subtle lines of code that redirect the user to a more malicious Web site, one less known to the user and in many cases more dynamic in both content and location.

Most of the time, two types of redirectors are used: iframe redirectors and open redirectors.

iframe redirectors

iframe redirectors have been used a great deal over the past few years. Malicious groups will compromise a site and place an iframe HTML tag onto the page with a source attribute pointing at a malicious Web site. Doing this automatically loads a location of the attacker's choice in the user's browser.


Figure 1: iframe redirector example
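The traits that give an injected iframe away on a compromised page are the ones a defender can check for mechanically: a src host that is not the page's own, a zero-size frame, and a style that hides it. The auditor below is an added example written for this post, not code from the original article or from Websense; the sample page and the host names in it (shop.example, partner.example, redirect.example) are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def _tiny(value):
    """True for width/height values of 0 or 1 (with or without a 'px' suffix)."""
    if value is None:
        return False
    try:
        return int(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False


class IframeAuditor(HTMLParser):
    """Collects every <iframe> on a page and records why it looks injected."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}   # names are already lowercase
        reasons = []
        src_host = (urlparse(a.get("src", "")).hostname or "").lower()
        if src_host and src_host != self.page_host:
            reasons.append(f"third-party src host {src_host}")
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("zero/near-zero size")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def audit_iframes(html, page_host):
    """Return a list of suspicious iframes, each with the reasons it was flagged."""
    parser = IframeAuditor(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one same-origin frame, one visible partner embed,
# and one hidden 0x0 frame of the kind described above.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="/help/widget" width="300" height="200"></iframe>
<iframe src="https://video.partner.example/embed/42" width="560" height="315"></iframe>
<iframe src="http://redirect.example/landing" width="0" height="0" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_iframes(SAMPLE_HTML, "www.shop.example"):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

A visible third-party embed collects a single reason and is worth a look rather than an alarm; a frame that is third-party, zero-sized and hidden at once is the pattern to alert on.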

Open redirectors

Even more popular is the use of open redirectors. Open redirectors are generally used for legitimate purposes by ad companies or large corporations to proxy URLs so that they can track where their users are coming from and where they are going. Unfortunately, malicious groups can abuse these open redirectors by supplying any Web site they choose as the redirection target. From the user's standpoint, they might just be looking at the domain name and not noticing the variables in the query string that indicate this is a redirection script.


Figure 2: open redirector example
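The weakness in a tracking redirector is that the destination comes straight from the query string. The pair of handlers below, an added example that is not from the original post or from any real ad network, shows the open form next to a hardened one that only follows same-site paths or hosts on an allowlist; the allowed hosts (example-ads.test) and the attacker host (phish.example) are constructed values.

```python
from urllib.parse import parse_qs, urlparse

# Constructed allowlist: the only external hosts this redirector may send users to
ALLOWED_HOSTS = {"example-ads.test", "www.example-ads.test"}


def vulnerable_redirect_target(query_string):
    """The classic open redirector: whatever 'url' says is where the user goes."""
    params = parse_qs(query_string)
    return params.get("url", [None])[0]


def safe_redirect_target(query_string, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Hardened version: same-site relative paths or allowlisted http(s) hosts only."""
    params = parse_qs(query_string)
    target = params.get("url", [None])[0]
    if not target:
        return default
    # Whitespace and control characters never belong in a Location value
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return default
    parsed = urlparse(target)
    if not parsed.scheme and not parsed.netloc:
        # Relative path: exactly one leading slash, no protocol-relative '//'
        # and no backslash (browsers treat '/\' like '//')
        if target.startswith("/") and not target.startswith("//") and "\\" not in target:
            return target
        return default
    if parsed.scheme not in ("http", "https"):
        return default
    # .hostname strips any 'user@' prefix, so 'trusted@evil' resolves to 'evil'
    host = parsed.hostname
    if host is None or host.lower() not in allowed_hosts:
        return default
    return target


if __name__ == "__main__":
    for q in ("url=https://www.example-ads.test/landing",
              "url=http://phish.example/login",
              "url=//phish.example/login",
              "url=http://www.example-ads.test@phish.example/"):
        print(f"{q!r:55} open -> {vulnerable_redirect_target(q)!r:45} safe -> {safe_redirect_target(q)!r}")
```

The allowlist is matched on the parsed hostname rather than by string prefix, which is what defeats the credential-style and protocol-relative forms shown in the demo loop.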

Flash redirectors

Even more recently, Flash redirection has gained in popularity. Malicious attackers are creating Flash applications, hosting them on free sites, and sending out the links in spam messages to users. The links are generally Flash apps (SWF files), which upon being clicked automatically redirect the user. The advantage from the malicious point of view is that the content within these Flash files is harder to read and, much like JavaScript, can be obfuscated so that it's harder to analyze in real time.


Figure 3: Example spam using a link to a malicious SWF Flash file

This past week we published a blog on Malicious Viral Facebook spam. That same malicious group was also posting links to Flash files on Facebook walls.


Figure 4: Facebook wall spammed with link to malicious SWF Flash file

Analysis of this SWF file with swfdump indicates that some simple ActionScript was used to redirect the user to a Web site that tried to gather personal information.


Figure 5: swfdump tool in action


Figure 6: swfdump tool run against malicious SWF Flash file

Writing ActionScript to accomplish this is quite simple. The function navigateToURL is used to automatically redirect the user without any warning whatsoever.


Figure 7: Example ActionScript code of Flash redirector that redirects to websense.com domain
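swfdump does the heavy lifting above, but the triage it performs is easy to reproduce for bulk checking of links pulled out of spam: read the SWF header, inflate a compressed (CWS) body, walk the tag list, and look inside the script-bearing tags (DoAction for ActionScript 1/2, DoABC for ActionScript 3) for navigateToURL, getURL and URL literals. The scanner below is an added example written for this post, not code from the original article, from Websense or from swfdump; the sample SWF it builds is a constructed file that carries the strings an AS3 redirector leaves behind and is not a playable movie or a real malicious sample, and phish.example is a constructed host.

```python
import re
import struct
import zlib

# Tag codes from the SWF file format specification
END_TAG = 0
DO_ACTION = 12   # AVM1 (ActionScript 1/2) bytecode; ActionGetURL carries its URL literal inline
DO_ABC = 82      # AVM2 (ActionScript 3) bytecode; navigateToURL appears as a name in the constant pool

INDICATORS = ("navigateToURL", "getURL", "URLRequest")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")


def _rect_size(body):
    """Byte length of the RECT (stage size) that opens the body."""
    nbits = body[0] >> 3                 # top 5 bits: bit width of each of the 4 fields
    return (5 + 4 * nbits + 7) // 8


def iter_tags(body, offset):
    """Yield (code, payload) for each tag until the End tag or a truncated file."""
    while offset + 2 <= len(body):
        (header,) = struct.unpack_from("<H", body, offset)
        code, length = header >> 6, header & 0x3F
        offset += 2
        if length == 0x3F:               # long form: 32-bit length follows the header
            (length,) = struct.unpack_from("<I", body, offset)
            offset += 4
        payload = body[offset:offset + length]
        offset += length
        yield code, payload
        if code == END_TAG:
            break


def scan_swf(data):
    """Header summary plus redirect indicators pulled from the script-bearing tags."""
    signature = data[:3]
    if signature not in (b"FWS", b"CWS"):
        raise ValueError("not a SWF file")
    (declared_len,) = struct.unpack_from("<I", data, 4)
    # CWS: zlib-compressed body after the 8-byte header; FWS: uncompressed
    body = zlib.decompress(data[8:]) if signature == b"CWS" else data[8:]
    offset = _rect_size(body) + 4        # skip RECT, frame rate (u16) and frame count (u16)
    report = {"signature": signature.decode(), "version": data[3],
              "declared_length": declared_len, "tags": [],
              "indicators": [], "urls": []}
    for code, payload in iter_tags(body, offset):
        report["tags"].append(code)
        if code not in (DO_ACTION, DO_ABC):
            continue
        strings = [s.decode("ascii") for s in STRING_RE.findall(payload)]
        for name in INDICATORS:
            if any(name in s for s in strings) and name not in report["indicators"]:
                report["indicators"].append(name)
        report["urls"].extend(u.decode("ascii") for u in URL_RE.findall(payload))
    return report


def build_sample_swf(compressed=False):
    """Constructed sample for this example only: one DoABC tag whose payload
    carries the strings an AS3 redirector leaves behind, then the End tag."""
    abc = (b"\x00\x00\x00\x00" + b"frame1\x00"                # DoABC flags + script name
           + b"\x00\x10" + b"flash.net\x00"
           + b"navigateToURL\x00"
           + b"http://phish.example/love-test\x00")          # constructed destination
    doabc = struct.pack("<HI", (DO_ABC << 6) | 0x3F, len(abc)) + abc
    body = (b"\x00"                                           # RECT with nbits = 0
            + struct.pack("<HH", 0x0C00, 1)                   # 12.0 fps, 1 frame
            + doabc + struct.pack("<H", END_TAG))
    sig = b"CWS" if compressed else b"FWS"
    payload = zlib.compress(body) if compressed else body
    return sig + bytes([9]) + struct.pack("<I", 8 + len(body)) + payload


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_swf(compressed=True)
    print(scan_swf(data))
```

A DoABC or DoAction tag containing navigateToURL or getURL together with a URL outside the hosting site is the same signal swfdump surfaces in Figure 6; the declared length lets you spot a truncated download before trusting the tag list.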

In this particular instance the Flash file led to a series of 302 redirects, ending on a fake love compatibility Web site that collected personal information.


Figure 8: Resulting phishing page that users are automatically redirected to upon clicking on the malicious Flash redirector

Security Researcher: Stephan Chenette
