
Malcrafted SWF Threat in the Wild

03.10.2009 - 4:40 PM

Websense Security Labs has recently seen a new SWF threat thriving in the wild. SWF files have become increasingly popular on the Web: a great many sites use them to deliver rich content to visitors. Because SWF files can do so much, they also leave openings for the bad guys, and recently we have noticed a trend of the bad guys using SWF files to redirect users. What is striking to us is that traditional antivirus software shows zero detection of this threat.

Usually these SWF files are very tiny, typically only 142 bytes, and carry a very common name: ie.swf. We parsed the file with our own SWF tool, FlashDetection, and obtained all of the tag information (shown in Figure 1). The file contains just five tags: FileAttributes, SetBackgroundColor, DoAction, ShowFrame, and one unknown tag. When Adobe Flash Player encounters an unknown tag, it ignores it and continues parsing. FileAttributes, SetBackgroundColor, and ShowFrame are common tags, so we will focus on DoAction, which stores the ActionScript 2 instructions.

Figure 1: The Tag Information

First, we used flare to decompile the ActionScript. Unfortunately, flare crashed. We then dumped the binary code to find the reason (see Figure 2) and read it by following Adobe's documentation. The first ActionScript instruction is ActionJump (0x99), with a jump offset of 0x2C. The target offset is followed by an ActionConstantPool (0x88), whose parameter is the string data: flashccVersion /:$version i.SWF _root. The next instruction is also ActionJump, with offset 0xFFA9. A negative offset means the code jumps backward; here it jumps back to execute ActionPush (0x96). As a result, the bytes 63 02 00 00 00 are never executed. They are meaningless opcodes as far as Adobe Flash Player is concerned, but when decompilation tools like flare attempt to parse them, they crash. This resembles the anti-decompilation tricks seen in PE files. We guess that the tiny SWF sample was crafted by hand.

Figure 2: The Content of DoAction Tag

The instructions that follow are some stack operations and an ActionGetUrl2, which makes the SWF file execute another SWF file from the same base URL. That second SWF file exploits the CVE-2007-0071 vulnerability to download and execute malware, which is old news.
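As an added example (not code from the original post, and not part of Websense's FlashDetection tool), the following Python script shows both analysis steps described above: walking the tag records of an uncompressed SWF file, skipping an unknown tag the way the player does, and then following the DoAction body along its real control flow, the way a crash-resistant disassembler has to, so that code reachable only through a backward jump is still decoded while bytes no path reaches are reported as dead instead of being parsed. The SWF file and the DoAction body are constructed here and are not the 142-byte ie.swf sample; the tag code 1000 is an arbitrary unknown code, and the constant-pool strings are placeholders.

```python
import struct

# Constructed sample DoAction body (not the ie.swf from the post): a forward
# ActionJump skips junk bytes, the push/GetURL2 code is reached only through a
# backward ActionJump, and the junk (0x63 ...) is never executed.
SAMPLE_ACTIONS = bytes([
    0x99, 0x02, 0x00, 0x11, 0x00,              # 0:  ActionJump +17 -> offset 22
    0x63, 0x02, 0x00, 0x00, 0x00,              # 5:  junk, never executed
    0x96, 0x04, 0x00, 0x08, 0x00, 0x08, 0x01,  # 10: ActionPush const[0], const[1]
    0x9A, 0x01, 0x00, 0x00,                    # 17: ActionGetURL2
    0x00,                                      # 21: ActionEnd
    0x88, 0x0F, 0x00, 0x02, 0x00,              # 22: ActionConstantPool, 2 strings
]) + b"ie.swf\0_root\0" + bytes([
    0x99, 0x02, 0x00, 0xDD, 0xFF,              # 40: ActionJump -35 -> offset 10
])
TAG_NAMES = {0: "End", 1: "ShowFrame", 9: "SetBackgroundColor",
             12: "DoAction", 69: "FileAttributes"}
ACTION_NAMES = {0x00: "End", 0x88: "ConstantPool", 0x96: "Push",
                0x99: "Jump", 0x9A: "GetURL2"}

def build_sample_swf():
    """Wrap SAMPLE_ACTIONS in a minimal uncompressed SWF (constructed here)."""
    def tag(code, body=b""):
        # RECORDHEADER: upper 10 bits = tag code, lower 6 bits = length
        # (a length of 0x3F would mean a UI32 length follows; not needed here).
        return struct.pack("<H", (code << 6) | len(body)) + body
    tags = (tag(69, b"\x00" * 4) + tag(9, b"\xff\xff\xff")   # FileAttributes, bg colour
            + tag(12, SAMPLE_ACTIONS)                          # DoAction
            + tag(1000, b"junk")                               # unknown tag, skipped
            + tag(1) + tag(0))                                 # ShowFrame, End
    head = b"\x08\x00" + struct.pack("<HH", 0x0C00, 1)  # zero RECT (Nbits=1), 12 fps, 1 frame
    return b"FWS\x08" + struct.pack("<I", 8 + len(head) + len(tags)) + head + tags

def iter_tags(swf):
    """Yield (code, body) for every tag of an uncompressed (FWS) SWF."""
    if swf[:3] != b"FWS":
        raise ValueError("only uncompressed FWS files are handled here")
    nbits = swf[8] >> 3                          # RECT: first 5 bits are Nbits
    pos = 8 + (5 + 4 * nbits + 7) // 8 + 4       # skip RECT, FrameRate, FrameCount
    while pos + 2 <= len(swf):
        hdr = struct.unpack_from("<H", swf, pos)[0]
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:                       # long form: UI32 length follows
            length, pos = struct.unpack_from("<I", swf, pos)[0], pos + 4
        yield code, swf[pos:pos + length]
        pos += length
        if code == 0:
            break

def analyze_actions(body):
    """Walk a DoAction body along its real control flow and return
    (trace, dead, urls): instructions in execution order, byte offsets no path
    reaches, and the (url, target) pairs handed to ActionGetURL2."""
    pool, stack, trace, urls = [], [], [], []
    covered, seen, pos = bytearray(len(body)), set(), 0
    while pos is not None and 0 <= pos < len(body) and pos not in seen:
        seen.add(pos)
        code = body[pos]
        # actions >= 0x80 carry a UI16 length; below 0x80 they are one byte
        length = struct.unpack_from("<H", body, pos + 1)[0] if code >= 0x80 else 0
        start = pos + (3 if code >= 0x80 else 1)
        end, nxt = start + length, start + length
        arg = body[start:end]
        covered[pos:end] = b"\x01" * (end - pos)
        trace.append((pos, ACTION_NAMES.get(code, "Unknown(0x%02X)" % code)))
        if code == 0x00:                         # ActionEnd
            nxt = None
        elif code == 0x88:                       # ConstantPool: UI16 count + strings
            count = struct.unpack_from("<H", arg)[0]
            pool = [s.decode("latin-1") for s in arg[2:].split(b"\0")[:count]]
        elif code == 0x96:                       # Push: only type 8 (constant8) modelled
            i = 0
            while i + 1 < len(arg) and arg[i] == 8:
                stack.append(pool[arg[i + 1]] if arg[i + 1] < len(pool) else None)
                i += 2
        elif code == 0x99:                       # Jump: SI16 relative to end of action
            nxt = end + struct.unpack_from("<h", arg)[0]
        elif code == 0x9A:                       # GetURL2 pops target, then url
            target = stack.pop() if stack else None
            urls.append((stack.pop() if stack else None, target))
        pos = nxt
    dead = [i for i in range(len(body)) if not covered[i]]
    return trace, dead, urls

def scan(swf):
    """Tag names in file order plus analyze_actions() output for each DoAction."""
    names, findings = [], []
    for code, body in iter_tags(swf):
        names.append(TAG_NAMES.get(code, "Unknown(%d)" % code))
        if code == 12:
            findings.append(analyze_actions(body))
    return names, findings

if __name__ == "__main__":
    names, findings = scan(build_sample_swf())
    print("tags:", names)
    for trace, dead, urls in findings:
        print("executed:", trace, "\ndead bytes:", dead, "\nGetURL2:", urls)
```

Running it lists the six tags, the instructions in the order the player executes them (offsets 0, 22, 40, 10, 17, 21), the dead bytes 5 to 9, and the URL/target pair that ActionGetURL2 consumes. The point of following jumps instead of reading the body linearly is exactly the trick described above: a linear decompiler trips over the junk, while a flow-following walker decodes the real code and can flag the unreachable bytes, which compiler-generated SWF files rarely contain, as a triage signal.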

The malware downloaded by the second SWF file is a downloader that fetches more malicious executable files from a list (see Figure 3).

Figure 3: Download Malicious File

We strongly recommend that customers update Adobe Flash Player to the latest version to guard against this threat. Websense Security Labs will continue its research to protect customers against SWF file threats.

Security Researcher: Ulysses Wang
