Sunday, March 15, 2009

Malcrafted SWF Threat in the Wild

Via Websense Security Labs -

Websense Security Labs has seen a new SWF threat thriving in the wild recently. SWF files have become increasingly popular in the 'net world. A great many Web sites use SWF files to show wonderful content to customers. Because SWF files can do a lot, they leave openings for the bad guys. Recently, we have noticed a trend showing the bad guys using SWF files to redirect users. What's amazing to us is that traditional antivirus software is showing zero detection of this problem.


First, we used flare to decompile the actionscript. Unfortunately, flare crashed. Then we dumped the binary code to find the reason. Following Adobe's documentation, we read the binary. The first actionscript instruction is ActionJump(0x99), and the jump offset is 0x2C. At the target offset, which is followed by a ActionConstantPool(0x88), the parameter is a string: flashccVersion /:$version i.SWF _root. The next instruction is also ActionJump, jumping to offset 0xFFA9. A negative value means that the code will jump back. It jumps back to execute ActionPush(0x96). So the hex byte 63 02 00 00 00 will never be executed. It is meaningless opcode for Adobe Flash Player. When decompile tools like flare attempt to parse the meaningless opcode, they crash. This looks like the anti-decompilation code in PE files. We guess that the tiny SWF sample was made manually.


We strongly recommend that customers update Adobe Flash Player to the latest version to guard against this threat. Websense Security Labs will continue to do more research to protect customers against SWF file threats.

No comments:

Post a Comment