Followup to Flash/swf stories

We've received quite a bit of mail about yesterday's stories on the malicious SWF files that attempt to exploit older, already-patched versions of Adobe Flash Player.  Here are a few of the things that have come out of those discussions.

  1. Our friends over at (thanks, Steven) have a nice writeup that includes a list of domains they've seen hosting the malicious SWF files.
  2. If you aren't sure which version of Flash Player you are running, Adobe provides this page where you can check for yourself.
  3. On closer examination, this does not appear to be a "0-day": the files target versions of Flash Player for which a fix already exists.  Symantec has updated their ThreatCon information as well.
  4. It appears that this exploit may be included in the Chinese version of the MPack exploit toolkit (among others).
  5. In case we weren't clear about it earlier, the infected web sites check which browser you are using, in addition to the Flash Player version, to decide which exploit to deliver.

There are several ways to protect yourself even if you are still running a vulnerable version of Flash Player (updating to the current version is still the real fix).

  • In Firefox, you can use either of the following add-ons, NoScript (one of our favorites, found here or here) or FlashBlock (here or here).
  • In IE, see here for how to set the "killbit".  Note that the CLSID originally given here, BD96C556-65A3-11D0-983A-00C04FC29E36, is the RDS.DataControl object from MS06-014, not Flash; the Flash ActiveX control ("Shockwave Flash Object") is {D27CDB6E-AE6D-11CF-96B8-444553540000}, which is the CLSID Symantec recommends killbitting.  The killbit is keyed on the CLSID, not on the file version, so it disables Flash in IE entirely until you remove it again.
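The killbit step above, as an added example that is not part of the original diary and not Adobe's, Symantec's or Microsoft's code. It sets the killbit for the Flash ActiveX control and for the RDS.DataControl CLSID on a Windows host and then reads the flag back to confirm. The registry mechanism it relies on (the "Compatibility Flags" DWORD with bit 0x400 under "ActiveX Compatibility") is the documented IE killbit; the function names and the CLSID list are this example's own choices.

```powershell
# Added example for this diary, not ISC's, Adobe's or Symantec's code.
# Sets the IE "killbit" on one or more ActiveX CLSIDs and reads it back.
# Mechanism (Microsoft KB 240797): under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# a DWORD "Compatibility Flags" with bit 0x400 set stops IE from loading the control.
# Run from an elevated PowerShell prompt on the affected Windows host.

$KillBitFlag = 0x400

# The registry views IE may consult. On 64-bit Windows the 32-bit IE reads the
# Wow6432Node view, so set the bit in both when that view exists.
$Bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer') {
    $Bases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $Bases) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the killbit into whatever flags are already present instead of overwriting them
        $updated = ([int]$current) -bor $KillBitFlag
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $updated -Type DWord
    }
}

function Test-KillBit {
    # True only if the bit is set in every registry view IE might read
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $Bases) {
        $flags = (Get-ItemProperty -Path (Join-Path $base $Clsid) -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (([int]$flags -band $KillBitFlag) -ne $KillBitFlag) { return $false }
    }
    return $true
}

# CLSIDs to disable (example list; the braces are part of the key name).
$Targets = @{
    '{D27CDB6E-AE6D-11CF-96B8-444553540000}' = 'Shockwave Flash Object (Adobe Flash ActiveX control)'
    '{BD96C556-65A3-11D0-983A-00C04FC29E36}' = 'RDS.DataControl (MS06-014), also widely abused'
}

foreach ($clsid in $Targets.Keys) {
    Set-KillBit -Clsid $clsid
    $state = if (Test-KillBit -Clsid $clsid) { 'killbit set' } else { 'killbit NOT set' }
    '{0}  {1}  ({2})' -f $clsid, $state, $Targets[$clsid]
}
```

Because the flag is keyed on the CLSID, this blocks every installed version of Flash in IE, not just the vulnerable one; to restore Flash after updating, clear bit 0x400 from "Compatibility Flags" (or delete the key) in each view the script wrote to. Firefox and other non-ActiveX browsers are unaffected by the killbit, which is why the NoScript/FlashBlock advice above is separate.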


423 Posts
ISC Handler
May 28th 2008
The CLASSID cited here isn't for any version of Flash, it's for the very-popular-with-the-bad-guys RDS.DataControl BD96C556-65A3-11D0-983A-00C04FC29E36 (MS06-014). Symantec is recommending setting the killbit for {d27cdb6e-ae6d-11cf-96b8-444553540000} ... is there a classid for just the known-vulnerable version of Flash?
